HIPAA Compliance and Your Business: What Your IT Department Needs to Know
by Stephanie Faris on Monday, November 28 6:00
In a digital era, it's more important than ever that patient data remains secure. For businesses that specialize in healthcare, extremely sensitive information resides on their servers and electronic devices. This can include standard data that affects every organization, including social security numbers, credit card information, and contact addresses and phone numbers. But it can also include details of a patient's medical history that many consumers would prefer remain private.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is designed to protect those consumers by placing requirements on the collection and storage of patient health data. For employees who deal with patient information, this has prompted a serious shift in the way they handle paperwork and electronic records, but the IT support staff who help these businesses have been forced to put policy changes in place as well. Whether you contract part or all of your tech to a third party or you handle it in house, here are a few things you should do to ensure you're in compliance.
Encryption
Healthcare organizations regularly transmit information to insurance providers and other entities. HIPAA mandates that these transmissions be encrypted as they travel. While many IT departments have already put at least the minimum encryption in place for data in transit, they may not realize that failing to encrypt personal health information while it resides on their servers (data at rest) could lead to a costly data breach.
Access to Information
One easy place to start is adjusting end users' access to specific databases and files. HIPAA requires organizations to grant each employee the minimum rights necessary to do their job. Ensure your users are set up with role-based access to files, folders, and applications, and define those roles to grant the minimum necessary access. You can always make exceptions to the rules you put in place on a case-by-case basis, but it's best to start at the minimum.
Server Room Access
Even if you've taken every precaution possible to keep your data safe, a physical breach can occur. Limit access to the area where your servers are stored to only a select group of authorized personnel. If a vendor comes on site who needs access to the area, take as many security precautions as possible, including remaining with the visitor while in the server room. You should also take measures to ensure information can't be accessed on employees' screens, either by other employees or by non-employees who are passing through. Consider investing in privacy screens that make it difficult to view the information being displayed on the monitor.
HIPAA can seem complicated, but IT departments can safeguard their patient data with a few precautions. Conduct a thorough audit of your business's security practices and employee behaviors and highlight any weaknesses or vulnerabilities that might put your organization at risk. In doing so, you may be able to avoid costly penalties as well as damage to your business's hard-earned reputation.