Security and privacy in IT is a complicated beast. Recently in the news we’ve seen plenty of large (and small) organizations become victims of fraudulent activity carried out by way of technology. Each of these security breaches started at some layer of the proverbial “Security Onion” and dug deeper to find useful information. Much of the focus in recent news has been on credit card numbers, Social Security numbers, and personal health information. Why? Because there is money to be made in it.
Any business that stores or processes information such as credit card numbers, Social Security numbers, or electronic personal health information (e-PHI) should be fully aware of these breaches and stay vigilant by keeping up to date on the technology and processes that help keep their organization out of the news.
This short blog post will focus on HIPAA and HITECH. If you haven’t noticed, it is extremely hard to find a good resource that tells businesses what to do on the technology side of HIPAA. Wouldn’t it be nice if there were a single document that stated everything that needed to be done to be HIPAA compliant? Even I, as an IT professional, would find that very useful. Unfortunately, there is no magic document with all the answers.
Since we don’t have a single document that tells us what to do, we have to start scrounging for resources that hopefully give us ideas on where to start. The U.S. Department of Health & Human Services (HHS) has been nice enough to provide a ton of information regarding Health Information Privacy. The whole idea behind compliance is that you must reduce your liability – with fines starting at $50,000/incident, it can be a worthwhile investment to begin working on a plan and strategy.
HIPAA compliance boils down to a few different areas. Each of these areas provides a high-level set of standards that must be followed. Notice that most of them aren’t even IT related – HIPAA is an organization-wide regulation:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational, Policies, and Procedures and Documentation Requirements
- Risk Analysis and Risk Management
Each of these areas has “requirements” and “rules” which state how something should be done. Let’s be clear that there is no certification for HIPAA. HHS simply requires that covered entities take proper care and “perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements.” For IT professionals, a set of vague guidelines that incorporate a lot of best practices can be time-consuming to digest and act on. Below you’ll find a list of resources to help you get a good idea of what HIPAA IT compliance is and how it fits into your current infrastructure:
- National Institute of Standards and Technology (NIST) Guides
- Training Materials
- Communication with Patients
If you are part of a healthcare organization that may be behind on, or has not even started, HIPAA compliance, please contact us for help. Our primary clients are small- to middle-market businesses that often lack the policies and procedures needed to support regulatory requirements such as HIPAA or PCI-DSS compliance. We can take you from an initial assessment all the way to implementing a secure IT infrastructure and, if necessary, helping maintain it.
RSM’s security services include:
- HIPAA Compliance Assessment
- IT Security Testing
- IT Security Compliance and Governance
- PCI Compliance
- Digital Forensics and Incident Response
We would love to assist you in developing a strategy and roadmap toward HIPAA compliance, helping you avoid ending up in the news and facing a hefty fine due to a data breach. You can contact RSM’s technology consulting professionals at 800.274.3978 or email us directly!