Compliance is critical to your business. While it’s often viewed as a hassle, its true goal is to keep your business and customers better protected. By ensuring that you follow best practices for receiving, storing, and transmitting data, you enhance your consumer trust, maintain stronger network security, and avoid hefty fines.
One of the most common sets of compliance standards is HIPAA for health records. If you do business in California or Europe (or with their residents), you know CCPA and GDPR. And if you accept credit card payments, you’re probably familiar with PCI-DSS. There are also local, state, and federal laws that apply to various industries.
It would be way too much to dive into all of those, so I’ll address HIPAA compliance here. Many of the steps I recommend below would apply to any kind of compliance.
*Please keep in mind, however, that the following advice is general guidance only. Refer specifically to any laws or regulations governing your business for official procedures and rules.*
What is HIPAA?
HIPAA has been a hot topic over the last year, but there is often confusion over what it is, what it does, and who it covers. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that mandates a federal standard for the protection of sensitive patient health information. It states that this information cannot be disclosed without the patient’s consent or knowledge.
This standard is implemented by what is known as the HIPAA Privacy Rule. This is what people are usually referring to when they mention HIPAA. The Privacy Rule covers healthcare providers, health plans, healthcare clearinghouses, and business associates. Private citizens are not covered by the Privacy Rule.
Information Technology (IT) is addressed in HIPAA under the HIPAA Security Rule. This applies to all individually identifiable health information that a covered entity may create, receive, maintain, or transmit in electronic form. E-PHI (electronic protected health information) does not include PHI transmitted orally or in writing.
To maintain compliance with the HIPAA Security Rule, covered entities must:
- Ensure the integrity, availability, and confidentiality of all e-PHI
- Safeguard against threats to the security of e-PHI
- Have policies in place that protect against impermissible uses or disclosures
- Certify compliance by their workforce
This means you need all 4 elements to be compliant: the right tool, strong protection, documented procedures, and people who have been trained. Without any one of them, you run the risk of incurring fines.
Compliance violations can be reported to the HHS Office for Civil Rights and are often addressed by a compliance officer at the covered entity. HIPAA violations can result in both criminal and civil monetary penalties, or fines. These fines can range from $100 to $50,000 per violation, and up to $1.5 million annually. The amount of the fine depends on numerous factors, such as whether the covered entity had knowledge of the violation, whether it took reasonable care to fix it, how long the violation persisted, and how many people were affected.
So to minimize your liability, you should always start with reasonable efforts. Breaches will happen. Employees will make mistakes. But if you address the 4 elements above, you can lessen the fines you’ll face on top of dealing with a disaster. Your IT partner can help with a lot of it.
How IT Can Make Compliance Easier
Compliance requirements can be overwhelming. So tell your IT partner what you need and let them bear the brunt of it.
Technical security requirements protect the networks and devices of covered entities from data breaches. This includes, but is not limited to:
- Encryption of sensitive files sent via email
- Firewalls and intrusion detection and prevention systems
- Employees trained to identify and avoid phishing scams
- Data backups and disaster recovery plans
- Data transfer authentication that requires passwords, a two- or three-way handshake, a token, or a callback
- Password complexity and expiration policies
- Redundancy techniques like double-keying and checksums to catch data entry mistakes
A covered entity will generally develop in-house policies to help protect e-PHI. Many of these policies are aided or performed by the entity’s IT department or MSP. Some of these actions can be very simple, like enforcing an idle timeout on computers to prevent information being seen by others passing by. Audits can be performed within EHR and EMR programs to detect inappropriate access to patient records. Strong firewall rules can block intrusion attempts from outside the network.
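To make the audit idea above concrete, here is a small added example (not code from the original article or from any EHR vendor) that reviews an access log for two common signs of inappropriate access: a user opening a record of a patient they are not assigned to, and one user touching many distinct records in a single after-hours hour. The log line format, the care-team assignment table, the business-hours window, the threshold, and every sample log line are constructed assumptions for illustration; a real EHR audit trail would have its own format and its own assignment source.

```python
"""Review constructed EHR access-log lines for inappropriate record access.

Added example, not code from the original article. Log format, care-team
mapping, thresholds and sample lines are all constructed for illustration.
"""
from datetime import datetime

# Constructed sample log lines: timestamp, user, role, patient record id, action.
SAMPLE_LOG = """\
2024-03-04T09:12:01 jsmith nurse P1001 view
2024-03-04T09:15:44 jsmith nurse P1002 view
2024-03-04T09:20:10 rlee physician P1003 update
2024-03-04T22:41:03 tnguyen billing P1001 view
2024-03-04T22:41:09 tnguyen billing P1002 view
2024-03-04T22:41:15 tnguyen billing P1003 view
2024-03-04T22:41:20 tnguyen billing P1004 view
2024-03-04T22:41:25 tnguyen billing P1005 view
2024-03-04T22:41:30 tnguyen billing P1006 view
2024-03-05T10:03:12 jsmith nurse P1003 view
"""

# Constructed assignment table: which patient records each user may touch.
CARE_TEAM = {
    "jsmith": {"P1001", "P1002"},
    "rlee": {"P1003"},
    "tnguyen": {"P1001", "P1002", "P1003", "P1004", "P1005", "P1006"},
}

BUSINESS_HOURS = range(7, 19)  # assumed: 07:00-18:59 counts as business hours
BULK_THRESHOLD = 5             # assumed: more distinct records than this in one after-hours hour is flagged


def parse_log(text):
    """Turn the space-separated constructed log format into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return entries


def find_unassigned_access(entries, care_team):
    """Return (user, patient, timestamp) for each access outside the user's assignment."""
    findings = []
    for e in entries:
        if e["patient"] not in care_team.get(e["user"], set()):
            findings.append((e["user"], e["patient"], e["ts"].isoformat()))
    return findings


def find_after_hours_bulk(entries, threshold=BULK_THRESHOLD):
    """Return (user, hour, record_count) where one user touched more than
    `threshold` distinct records within a single after-hours hour."""
    buckets = {}
    for e in entries:
        if e["ts"].hour in BUSINESS_HOURS:
            continue
        key = (e["user"], e["ts"].strftime("%Y-%m-%dT%H"))
        buckets.setdefault(key, set()).add(e["patient"])
    return sorted(
        (user, hour, len(patients))
        for (user, hour), patients in buckets.items()
        if len(patients) > threshold
    )


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for user, patient, ts in find_unassigned_access(log, CARE_TEAM):
        print(f"UNASSIGNED ACCESS: {user} opened {patient} at {ts}")
    for user, hour, count in find_after_hours_bulk(log):
        print(f"AFTER-HOURS BULK: {user} touched {count} records during {hour}")
```

On the constructed sample this flags jsmith opening P1003 (a patient outside that nurse's assignment) and tnguyen touching six distinct records in one late-evening hour. Neither finding proves wrongdoing on its own; the point of the audit is to produce a short, reviewable list for the compliance officer rather than to judge the access automatically, and the assignment table is the piece most worth keeping accurate, since it turns "who looked at what" into "who looked at something they had no business reason to see".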
~ ~ ~
So where would you say you stand right now? Fully compliant, minimally compliant, or not at all compliant?
If you even suspect your business is anything less than fully compliant, talk to your IT partner today:
- Ask them to review your policies with you, especially any that mention communication tools or devices that may be outdated.
- Ask them to run an audit for you.
- Ask them to conduct penetration testing on your network.
- Ask them to compare machine inventory and active employee lists with you.
- Ask them to set up a simulated phishing program and dark web monitoring.
Your IT partner should already be taking care of your software and hardware updates and basic protection. They should also be handling your backups, making sure they’re running properly and testing that they are usable. But don’t be afraid to ask them and make sure. And if you’re interested in any of the following more advanced options, fill out the form below.