Your Boston IT services company should understand your HIPAA requirements, but does it? The future of your business could depend on it, so make sure you know. The government is serious about businesses following HIPAA guidelines.
Things Your Boston IT Services Company Should Be Doing Regarding HIPAA Compliance
When it comes to HIPAA compliance and making sure your company is within its guidelines, your Boston IT services company should be doing the following important things:
- They need to familiarize themselves with your company's HIPAA security and privacy policies and procedures.
- They should devise a comprehensive HIPAA security risk assessment for your company's IT.
- They should provide online training on security and privacy, as well as on HIPAA compliance to all employees.
You need to be confident that your IT services company is knowledgeable about, and compliant with, your HIPAA requirements. When they do these three things, you can be sure that they are.
HIPAA Rules Your Boston IT Services Company Needs to Know
New HIPAA rules took effect on September 23, 2013. While your own employees should certainly be expected to know them, your vendors should, as well. This includes your Boston IT services company.
The new rules:
- Strengthen the limits on how protected health information is used and disclosed to third parties for marketing purposes.
- Prohibit the sale of protected health information without the express consent of each individual client.
- Give clients more rights regarding how and when they receive electronic copies of their health information.
- Restrict disclosures to health plans regarding a client's treatment if the client pays for that treatment in full and out of pocket.
- Require covered entities to modify and redistribute their notice of privacy practices.
- Make disclosure of child immunization proof to schools easier.
- Make access to a deceased person's health information easier for family members.
- Modify individual authorization requirements to make such disclosures easier, including disclosures to assist with research.
What You Need to Know About the Implementation of HIPAA Security Rules
There is no question that the HIPAA security rule is inconvenient for most offices, but following it is still required to stay out of trouble and stay in business. That means your IT company has to comply with it, as well.
The first requirement of the HIPAA security rule is a HIPAA risk analysis. Practices may do this themselves using free online tools, but it is easy to make a mistake. It is far better to leave the risk analysis to IT professionals who know what they are doing. Considering that the government's handbook on doing the risk analysis is 95 pages long, it makes sense to outsource this requirement to the pros. Your risk analysis is more likely to pass a compliance review if it is done by IT pros who are knowledgeable about it. Remember, most HIPAA fines are handed out because a practice has a missing, out-of-date, or incomplete risk assessment that it tried to do itself. Hiring an IT firm that knows HIPAA to do this for your practice is the smart thing to do.
HIPAA risk management is another security rule requirement. A lot of practices skip over this and just keep their risk analysis on hand in case they get audited. However, the risk management requirement is important: it requires you to document everything your practice does to reduce or deal with its information security risks. Having a professional IT firm do this for you allows you to remain fully HIPAA compliant without creating extra work for your employees.
Next, your practice must make a disaster recovery plan for its healthcare data. This plan must include provisions for restoring any lost data. While it is a good idea for any business to have a plan to back up its data, the HIPAA rules apply only to patient data. You must document to the government how you will recover data, or access to that data, if you lose it, while still complying with the HIPAA security rule. You must also have a data backup plan that covers both on-site and off-site copies. Your IT professionals can create and implement this plan for you.
You must also have business associate agreements, and this applies to your IT provider, as it is a business associate of yours. The original HIPAA security rule in 2005 had no provision to penalize a practice's business associates for data breaches. This changed in 2013. Now, your practice is liable for the HIPAA compliance of your business associates, including your IT professionals and their subcontractors. Because your practice is liable for what they do, you must make sure they are familiar with your practice's HIPAA requirements so you don't get fined if they violate them.
Audit controls are also required. Remember, your patient data is not kept only in your EHR program. It is also in folders on your server, on desktops, on laptops, on portable drives, and even on smartphones. Because the HIPAA security rule requires access logs for all of this information wherever it exists, and requires those logs to be kept for six years, you must make sure your network is a domain and not a workgroup, so that access policy and logging can be managed centrally.
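As an added example that is not part of the original post, the following PowerShell shows the kind of configuration that backs up the audit-control requirement on a Windows file server: turning on file-system auditing, attaching an audit rule (SACL) to a folder that holds patient data, and recording the Security log settings for the compliance documentation. The folder path is a placeholder, and the script assumes it is run by an administrator on a domain-joined server.

```powershell
# Added example, not from the original post. Assumes Windows Server, run
# elevated; replace the placeholder path with the real PHI folder.
$phiFolder = "D:\PHI"   # placeholder, not a real path from the post

# 1. Enable the "File System" audit subcategory so object access is logged
#    (in a domain this is normally pushed by Group Policy instead).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry (SACL) so read, write and delete operations by any
#    authenticated user on the folder and its contents are written to the
#    Security log as event ID 4663.
$acl = Get-Acl -Path $phiFolder -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    "Authenticated Users",
    [System.Security.AccessControl.FileSystemRights]"ReadData, WriteData, Delete",
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]"Success, Failure")
$acl.AddAuditRule($rule)
Set-Acl -Path $phiFolder -AclObject $acl

# 3. Record the Security log's size and retention mode for the audit-control
#    documentation. The local log rolls over when it reaches its maximum size,
#    so a six-year retention plan also needs forwarding or archiving of the
#    log to central storage.
Get-WinEvent -ListLog Security |
    Select-Object LogName, MaximumSizeInBytes, LogMode, RecordCount

# 4. Confirm the auditing works by listing recent access events for the folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$phiFolder*" } |
    Select-Object TimeCreated, Id, Message
```

On a domain, steps 1 and 3 are usually set once through Group Policy for every server and workstation that stores patient data, which is the practical reason the post recommends a domain over a workgroup: in a workgroup each machine has to be configured and checked individually.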
This is something that IT professionals like Radius Executive IT Solutions are well suited to designing for you. Most practices do not have people on staff who can do something like this with any degree of skill, at least not the level of skill that will ensure HIPAA compliance. Your IT professionals can make sure it is all put together with compliance as the key, and that it works smoothly for you.