HIPAA TECHNOLOGY COMPLIANCE REQUIREMENTS AND RECOMMENDATIONS
by Eric Soto
A Note to Doctors:
It is important to consider these items for your practice. Please contact ICT if you have any questions.
The CDA and ADA require / recommend:
1. Server Encryption.
A server handles the sharing and storage of all data on the network. This includes your patient information, imaging, and documents. A security breach or theft of the server can lead to severe fines, loss of reputation, and even practice closure because of the breach notification requirements. Encrypting the server protects you from those notification requirements if it is stolen, because the data on it is not accessible to whoever took it. That safe harbor only holds while the encryption keys themselves are not stored with the server or otherwise compromised.
ICT recommends: Ensure your server is professionally encrypted and keep the recovery keys somewhere other than the server itself. (You should also physically secure your server.)
2. Local Back-Up Encryption.
Back-up drives are frequently taken offsite for safe keeping, where they can be misplaced, broken, or stolen. If a back-up drive falls into the wrong hands, patients' data is compromised. Encrypting the local backup drives protects you from the breach notification requirements, since the data on a lost drive is not accessible without the key.
ICT recommends: Purchase an encrypted local backup drive. (All old media must be wiped or destroyed before disposal.)
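As an added example that is not part of ICT's original memo, the PowerShell below reports whether each fixed and removable volume on a server or workstation is fully encrypted with BitLocker and actually protected, which is the check behind items 1 and 2. It assumes Windows 8 / Server 2012 or later, where the BitLocker PowerShell module exists (Windows 7 Professional, recommended in item 5 below, does not include BitLocker at all; the Ultimate and Enterprise editions and Server 2008 R2 do, and there `manage-bde -status` gives the same information). Run it as Administrator.

```powershell
# Added example, not from the original memo. Requires the BitLocker module
# (Windows 8 / Server 2012 or later) and an elevated PowerShell session.

function Get-EncryptionReport {
    # Win32_LogicalDisk.DriveType: 2 = removable (USB backup drives), 3 = fixed disk
    $disks = Get-WmiObject -Class Win32_LogicalDisk |
        Where-Object { @(2, 3) -contains $_.DriveType }

    foreach ($disk in $disks) {
        $kind = if ($disk.DriveType -eq 2) { 'Removable' } else { 'Fixed' }
        $bde  = Get-BitLockerVolume -MountPoint $disk.DeviceID -ErrorAction SilentlyContinue

        if (-not $bde) {
            [pscustomobject]@{
                Drive = $disk.DeviceID; Kind = $kind; Volume = 'Unknown'
                Protection = 'Unknown'; Protectors = ''
                Finding = 'FAIL: no BitLocker information for this volume'
            }
            continue
        }

        # Key protector types include Tpm, TpmPin, Password, RecoveryPassword, ExternalKey
        $protectors = @($bde.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

        # VolumeStatus says whether the bytes on disk are encrypted;
        # ProtectionStatus says whether the key is actually locked away.
        # A suspended volume is FullyEncrypted but has ProtectionStatus Off, with the
        # key stored in the clear on the disk, so a thief can still read everything.
        $finding = if ($bde.VolumeStatus -ne 'FullyEncrypted') {
            "FAIL: volume is $($bde.VolumeStatus) ($($bde.EncryptionPercentage)% done)"
        } elseif ($bde.ProtectionStatus -ne 'On') {
            'FAIL: encrypted but protection is off or suspended (clear key on disk)'
        } elseif ($protectors -notmatch 'RecoveryPassword') {
            'WARN: no recovery password; escrow one in AD or a safe, never on this drive'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Drive = $disk.DeviceID; Kind = $kind; Volume = $bde.VolumeStatus
            Protection = $bde.ProtectionStatus; Protectors = $protectors
            Finding = $finding
        }
    }
}

# One line per volume; anything not 'OK' needs attention before the safe harbor
# for encrypted data can be claimed for that drive.
Get-EncryptionReport | Format-Table -AutoSize
```

Run it on the server and again with the backup drive plugged in: a USB backup drive shows up as Removable, and it must report OK just like the server's own disks before a lost drive can be treated as "not accessible".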
3. Encrypted Online Back-Up.
Online backup is an essential part of data protection. Offices are often confident that they are backing up when in reality no one is checking whether the local backup actually succeeds. Online backups are generally automated and run in the evening.
ICT recommends: A compliant, encrypted, online back-up service.
4. Email Encryption.
Because of email's prevalence, it is easy to unwittingly send patient information to the wrong recipient, violating HIPAA policy. A compliant email service requires every recipient to fill out a basic form and check a box confirming they are the intended recipient. This reduces your practice's exposure and further protects your patients' privacy. Free consumer email services may encrypt messages in transit, but they are not compliant because they offer no verification of the intended recipient.
ICT recommends: Implementing email encryption.
5. Upgrading to Windows 7.
Microsoft has discontinued updating and supporting Windows XP (end of life April 2014). This means that Windows XP machines no longer receive security updates. Over time, computers still running Windows XP become more susceptible to attack, because newly discovered vulnerabilities are never patched. (Windows 7 itself reached end of support in January 2020, so the same reasoning now applies to it.)
ICT recommends: Upgrade to Windows 7 Professional or later, today. It is often more cost effective to purchase a new computer than to upgrade an old one.
6. HIPAA Compliant Router.
99% of dental practices today do not have a HIPAA compliant router. A compliant router needs a business-grade firewall that controls which ports and services are reachable from the internet, and it must be able to keep a log of internet activity. Finally, if you offer your patients Wi-Fi, a separate guest network is required so that guest devices cannot reach the computers that hold patient data.
ICT recommends: Using a SonicWALL network security appliance.
7. Password protected systems.
When seeking to ensure patient privacy, every step taken towards safeguarding sensitive data is an additional line of defense in your practice. Password protecting every computer on your network is the front line of protection for user accounts. Screen saver password protection must also be enabled, so that a computer left idle for a set time locks automatically. Privacy screens are further suggested in areas where patient data would otherwise be visible to people not meant to see it.
ICT recommends:
• Change default passwords.
• Use complex passwords.
• Change your passwords frequently.
• Use a different password for each system.
• Set session time-outs that require the password to resume.
• Don't use an administrator account for day-to-day work on your computer.
8. Domain Implementation.
A domain is a group of computers registered with the server, which centrally manages their user accounts and security settings.
With a domain in place, the administrator can enable auditing and track which user accessed or deleted which files.
ICT recommends: Have a domain set up within your practice. Users' actions can only be tracked and logged reliably when there is an actual server, the workstations are joined to its domain, and each staff member signs in with an individual account rather than a shared one.
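As an added example (not ICT's own tooling), the PowerShell below does the two things a domain server needs before it can answer "who opened or deleted this file": it turns on the File System audit subcategory and puts an audit entry (SACL) on the patient-records folder, then reads the resulting Security-log events back. It assumes a hypothetical records folder D:\PatientRecords on the server that hosts the share, and that each staff member signs in with an individual domain account so the user name in each event identifies a person. Run it as Administrator on that server; in a domain the audit policy itself is usually pushed by Group Policy rather than set by hand.

```powershell
# Added example, not from the original memo. Run elevated on the file server.
# $RecordsPath is a hypothetical location; change it to the real share folder.
$RecordsPath = 'D:\PatientRecords'

function Enable-FileAccessAuditing {
    param([string]$Path)

    # 1. The system audit policy decides whether Windows records object access at all.
    #    (Group Policy equivalent: Advanced Audit Policy Configuration > Object Access > Audit File System.)
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # 2. The folder's SACL decides which accesses get logged. This entry records every
    #    successful or failed read, write and delete by any user, and is inherited by
    #    all files and subfolders.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure'
    )

    $acl = Get-Acl -Path $Path -Audit   # -Audit is needed to read and write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FileAccessEvents {
    param([string]$Path, [datetime]$Since = (Get-Date).AddDays(-1))

    # Event 4663: an access that the SACL asked for happened on an audited object.
    # (Event 4660 additionally marks the deletion itself and shares the HandleId with 4663.)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -notlike "$Path*") { continue }

        $mask = [int]$data.AccessMask   # hex string such as 0x10000
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectName
            Read    = [bool]($mask -band 0x1)       # ReadData / ListDirectory
            Write   = [bool]($mask -band 0x2)       # WriteData / AddFile
            Delete  = [bool]($mask -band 0x10000)   # DELETE
            Process = $data.ProcessName
        }
    }
}

Enable-FileAccessAuditing -Path $RecordsPath
Get-FileAccessEvents -Path $RecordsPath | Sort-Object Time | Format-Table -AutoSize
```

Auditing every read on a busy share generates a lot of events, so size the Security log accordingly (or forward it to a collector) and scope the SACL to the folders that actually hold patient records. The events only name a person if each user has their own account, which is why the domain recommendation above matters.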
9. Network Maintenance.
• Update the operating system (Windows) with the latest patches.
• Update your software with the latest patches.
• Always use a current, professional antivirus program.
• Run security reports (Microsoft Baseline Security Analyzer).
ICT recommends: Work with an IT provider that has verified all Windows updates are compatible with your practice management software before deploying them.
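As an added example rather than something from the original memo, the PowerShell below checks a workstation against items 5, 7 and 9 above: that the OS is a version Microsoft still supports, that an idle screen lock is enforced, that the signed-in user is not a local administrator, that an antivirus product is registered with Windows, and how many updates are waiting to be installed. It assumes Windows Vista / Server 2008 or later for the Security Center namespace (which exists only on workstation editions, so that check is skipped on servers) and uses 6.1 (Windows 7) as the minimum version exactly as the memo does; today you would raise that, since Windows 7 support ended in January 2020.

```powershell
# Added example, not from the original memo. Run in the user's normal (non-elevated)
# session so the administrator check reflects the account staff actually use.

$MinimumOsVersion = [version]'6.1'   # Windows 7, per the memo; raise this today

function Get-ScreenLockSetting {
    # A Group Policy setting (first key) overrides the user's own setting (second key).
    # ScreenSaveActive / ScreenSaverIsSecure are '1' or '0'; ScreenSaveTimeOut is seconds.
    foreach ($key in 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
                     'HKCU:\Control Panel\Desktop') {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p -and $p.PSObject.Properties['ScreenSaveActive']) {
            return [pscustomobject]@{
                Source  = $key
                Active  = ($p.ScreenSaveActive -eq '1')
                Secure  = ($p.ScreenSaverIsSecure -eq '1')
                Timeout = [int]$p.ScreenSaveTimeOut
            }
        }
    }
    return $null
}

function Get-WorkstationBaseline {
    $findings = @()

    # Item 5: unsupported operating system (Windows XP reports 5.1 or 5.2)
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if ([version]$os.Version -lt $MinimumOsVersion) {
        $findings += "FAIL: $($os.Caption) (version $($os.Version)) no longer receives security updates"
    }

    # Item 7: idle screen lock
    $lock = Get-ScreenLockSetting
    if (-not $lock -or -not $lock.Active -or -not $lock.Secure) {
        $findings += 'FAIL: screen saver password lock is not enforced'
    } elseif ($lock.Timeout -gt 900) {
        $findings += "WARN: screen locks after $($lock.Timeout)s; 15 minutes or less is typical (set in $($lock.Source))"
    }

    # Item 7: signed in as an administrator. S-1-5-32-544 is the local Administrators
    # group; reading the token's groups works even when UAC has filtered the token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    if (($id.Groups | ForEach-Object { $_.Value }) -contains 'S-1-5-32-544') {
        $findings += "FAIL: $($id.Name) is a local administrator; use a standard account for daily work"
    }

    # Item 9: antivirus registered with Security Center (ProductType 1 = workstation edition)
    if ($os.ProductType -eq 1) {
        $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
        if (-not $av) { $findings += 'FAIL: no antivirus product registered with Windows Security Center' }
        else { $findings += "INFO: antivirus present: $(@($av | ForEach-Object { $_.displayName }) -join ', ')" }
    }

    # Item 9: updates available but not installed (needs access to Windows Update or WSUS)
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count
        if ($pending -gt 0) { $findings += "WARN: $pending update(s) not yet installed" }
    } catch {
        $findings += 'WARN: could not query Windows Update'
    }

    if ($findings.Count -eq 0) { $findings += 'OK: no findings' }
    return $findings
}

Get-WorkstationBaseline
```

The update count is deliberately a warning rather than a failure, because item 9 also says patches should be verified against the practice management software before deployment; a short backlog is expected, a growing one is not.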
10. Data Breach Insurance.
Purchase a data breach protection policy to cover you in the event of a HIPAA (data-related) violation. TDIC offers a policy that can pay for notifying patients, providing credit monitoring, and more.
ICT recommends: Contact your practice's liability insurance provider to add data breach insurance to your policy.
11. Certified HIPAA Consultant.
All practices should contact a certified HIPAA consultant to go over all of the requirements for making the practice HIPAA compliant. ICT takes no legal responsibility for any fines that may be incurred due to HIPAA violations.
ICT recommends: Contact a HIPAA Compliance consultant.