The 4 Necessities:
____ Data Backup Solution
The big concern here is whether your backup system effectively stores PHI in compliance with HIPAA. Your healthcare organization needs to be following at least the 3:2:1 backup rule: 3 copies of data, 2 of which are stored locally and 1 which is stored offsite. HIPAA requires your data to be kept in multiple locations, as well as for your backup processes to have a notification system for reporting purposes. Many backup solutions take advantage of the cloud to enable businesses to reach this 3:2:1 rule. However, using the cloud is not the only path to HIPAA compliance or the 3:2:1 rule.
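The following is an added example, not part of the original checklist or any DII Computers tooling. It takes a small constructed inventory of backup copies and reports which parts of the 3:2:1 rule and the notification requirement described above are not met. The `BackupCopy` fields and the finding codes are assumptions made for the example; a real inventory would be exported from the backup product in use.

```python
"""Check a backup inventory against the 3:2:1 rule (3 copies, 2 local, 1 offsite)
and confirm every backup job can report its outcome. Added example, not the page's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str        # human-readable label for the copy (assumed field)
    location: str    # "local" or "offsite" (assumed field)
    medium: str      # e.g. "nas", "tape", "cloud" (assumed field, informational)
    alerting: bool   # True if the job notifies an administrator of success/failure


def check_321(copies):
    """Return a list of 'CODE: detail' findings; an empty list means the rule is met."""
    findings = []
    local = [c for c in copies if c.location == "local"]
    offsite = [c for c in copies if c.location == "offsite"]
    unknown = [c.name for c in copies if c.location not in ("local", "offsite")]

    if unknown:
        findings.append(f"LOCATION: copies with unclassified location: {', '.join(unknown)}")
    if len(copies) < 3:
        findings.append(f"COPIES: {len(copies)} copies present, at least 3 required")
    if len(local) < 2:
        findings.append(f"LOCAL: {len(local)} local copies present, at least 2 required")
    if len(offsite) < 1:
        findings.append("OFFSITE: no offsite copy present, at least 1 required")

    # The page notes HIPAA expects the backup process to report its outcomes,
    # so a job that cannot notify anyone is flagged even if the copy count is fine.
    silent = [c.name for c in copies if not c.alerting]
    if silent:
        findings.append(f"ALERTING: jobs without notification configured: {', '.join(silent)}")
    return findings


# Constructed sample inventories for demonstration.
COMPLIANT = [
    BackupCopy("nightly-nas", "local", "nas", alerting=True),
    BackupCopy("weekly-tape", "local", "tape", alerting=True),
    BackupCopy("cloud-replica", "offsite", "cloud", alerting=True),
]

NONCOMPLIANT = [
    BackupCopy("nightly-nas", "local", "nas", alerting=True),
    BackupCopy("cloud-replica", "offsite", "cloud", alerting=False),
]


def finding_codes(copies):
    """Just the finding codes, useful for summarising a fleet of practices."""
    return sorted(f.split(":", 1)[0] for f in check_321(copies))


if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, check_321(inventory) or "meets 3:2:1 and notification requirement")
```

The check deliberately treats an unclassified location as a finding rather than guessing, since a copy whose location nobody can state is exactly the kind of gap a site survey is meant to surface.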
____ Business Email (Including Proper Communication Security Services)
This one may seem easy to check off without thought, but the key here is determining whether your email system works in accordance with HIPAA guidelines. The two main concerns surrounding email are encryption and archiving. HIPAA allows for the transfer of electronic PHI, given that adequate protection is in place. The most effective form of 'adequate protection' is encryption, though it is not explicitly required by HIPAA. In terms of email archiving, records containing PHI are required to be kept for at least 6 years, though again, archiving is not explicitly stated as a requirement. There exist various services, some cloud-based and some not, capable of providing healthcare organizations with HIPAA compliant email, as well as encryption and archiving.
____ Network Firewall
To a medical practice or healthcare organization, a firewall appliance or service is absolutely critical. A firewall dictates who can or cannot access items on your network. In this regard, a firewall is the ultimate gatekeeper when protecting PHI stored internally. The use of cloud-based technology for other business functions does not eliminate the need to secure your own internal network. A firewall plays a critical role in ensuring the protection and privacy of patient health information and data.
____ Business Antivirus
A healthcare organization's computer devices should all have antivirus software. HIPAA calls for the ability to guard against, protect from, and report malicious software. Antivirus products do just that, at the level of the device. Since antivirus does not directly interact with PHI, HIPAA does not directly state it as a requirement. With this being said, antivirus protects computers from intruders and outside threats, and these computers often contain PHI. For this reason, the most effective practice for protecting and securing PHI includes antivirus software. There are multiple formats for antivirus solutions, cloud-based or on premises.
After going through this checklist, you should have a good understanding of whether your business's technology resources are HIPAA compliant, and if not, what is needed to get there. The DII Computers team is available to help your practice further this process. We provide a no-cost IT Site Survey to help you determine which services can be checked off, and which need attention. We will present you with a plan of action to support IT needs in compliance with industry regulations. Call 215-657-5055 to speak with a DII representative who can help, or click the corresponding button below for further information.
*Given HIPAA includes guidelines for subject matter outside of IT, the completion of this document does not guarantee HIPAA compliance and should not be interpreted as legal advice*