Are Your IT Operations HIPAA Compliant?
by Stephanie Faris on Monday, December 04, 2017 11:30
Patient healthcare data is a sensitive issue.
For organizations that collect this type of information in any way, it's important to have safeguards in place that protect their customers' private health data from falling into the wrong hands.
This includes information like prescription medications, medical histories, clinical diagnoses, and time off work for illnesses or injuries.
To protect consumers, the government created the Health Insurance Portability and Accountability Act (HIPAA), which sets guidelines for businesses as they collect and store data on employees and customers.
Some make the mistake of assuming that HIPAA applies only to healthcare-related companies, but that is far from the truth.
In fact, almost every business has health information stored somewhere, even if it's only the data human resources maintains on employees.
So what does this mean for your IT department?
Here are a few things your team should know to avoid being held responsible for a costly data leak.
Penalties for Violations
Whether intentional or accidental, a security breach will cost your business.
The amount of the penalty to be applied relates specifically to the category of violation.
A minimal breach where your team was completely unaware would fall into a lesser category, with fines as low as $100, but maxing out at $50,000.
A severe violation with willful neglect and no attempt to repair the damage could be labeled as high as a category four, coming with minimum fines of $50,000 per violation.
Network Security
Although employees have their own set of rules when it comes to safeguarding health data, the IT team must ensure things are secure at the network level.
As described in the regulations that fall under the HIPAA Security Rule, IT professionals are responsible for having controls in place to keep data safe as it is being stored and transmitted.
This includes network security, proper user access management, and risk management.
Device Best Practices
For extra security, IT teams should make sure employees are trained on responsible device use and given access to a VPN to use when not in the office.
These policies should be well documented to cover your IT department in the event of an audit.
While you can't control everything your end users do, you can show that you have documentation in place that put that responsibility on their shoulders, rather than yours.
Your policies should also include a fully-defined procedure for offloading old equipment.
A professional hard drive destruction service can give you paperwork certifying that your devices were safely disposed of, as well as handling taking your equipment to an approved recycling service.
If your business handles personal health information on employees or customers, this small measure can make a big difference in avoiding costly fines and damage to your business's reputation should a security breach take place.
National CWS provides a full suite of recycling services, including mobile hard drive shredding.
We will bring our shredding equipment to your location and handle everything on site.
We also provide all the paperwork you need to prove regulatory compliance, including with HIPAA laws.
When you work with a trusted provider, you'll know you're getting the protection you need to keep your business, as well as its employees and customers, safe.