In today’s world, regardless of what industry your business is in, the management of your technology is vital to your success. Whether you are outsourcing to a Managed IT Services Provider (MSP) or handling it in-house, your data must be secure, protected and backed-up for business resilience purposes. If you are in the field of healthcare, the inability to keep your data safe can prove highly detrimental to your organization.  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. 

The primary sources of healthcare breaches come from cyber-attacks from outside of your company and human error on the inside.  For example, hackers in the 2015 Anthem breach, used a sophisticated phishing scheme that targeted a group of employees.  This compromised upwards of 80 million people’s personal identification information and is still considered the biggest health data breach in history.  According to the Ponemon Institute’s most recent study on the privacy and security of healthcare data, nearly 90 percent of healthcare organizations represented in this study had a data breach in the prior two years, and nearly half, or 45 percent, had more than five data breaches in the same time period.

So why is HIPAA compliant Information Technology (IT) support important?  HIPAA violations are expensive.  The penalties for noncompliance are broken into 2 major categories:  Reasonable Cause and Willful Neglect.  According to the American Medical Association, under willful negligence, penalties can range from $10,000 to $50,000 with an annual maximum of $1.5 million.  A Managed IT Services company that specializes in HIPAA, can perform an internal HIPAA assessment, recommend remediation, continuously monitor the environment and collaborate with your company on best practices and procedures.

Not a healthcare company so no worries about HIPAA, right? Have you heard about the recent breach that affected thousands of National Football League (NFL) players?  Are you wondering how this relates to HIPAA compliance? According to the NFL, thousands of players’ health care records were breached after a laptop was stolen from the car of a Washington Redskins trainer.  These records go back 13 years and include current and former players’ protected health information (PHI).  The breach was so severe that the NFL contacted the Department of Health and Human Services (HHS) whose mission is to enhance and protect the health and well-being of all Americans. HHS’ Office for Civil Rights is responsible for enforcing the Privacy and Security Rules for HIPAA covered entities.

With the impact of breaches such as those listed above, it is imperative to have HIPAA compliant solutions in place.  If you are working with a Managed IT Services company, or actively seeking that partnership, it is important to gauge their level of proficiency as it relates to compliance.  These organizations should have the ability to perform a HIPAA Assessment, provide solutions that are HIPAA compliant, and help formulate internal best practices.

What is a HIPAA Assessment?

A HIPAA Assessment is a comprehensive discovery into your business environment to determine areas where your company might be out of compliance.  It includes multiple reports that outline the risk to your business environment, onsite interviews to understand internal workflows and processes, and an evaluation of your physical technology environment. Your IT Services company will be able to make remediation recommendations based on the documentation. These recommendations should be prioritized based on level of risk so an agreed to action plan can be put into place.  This proactive approach ensures that your organization is compliant or actively working towards it, should you be audited by an external agency.  A full HIPAA Assessment, or at least a HIPAA Risk Analysis should be completed on an annual basis.

A HIPAA Assessment can be quite lengthy in nature and challenging to decipher if you were simply to receive the reports.  Your IT Services company or internal IT staff will be able to take all of this information and deliver it in a succinct, understandable manner.

IT HIPAA Compliant Solutions

Backup and Disaster Recovery

The 2013 passage of the HIPAA Omnibus rule for healthcare providers imposed that Business Associates,  including solution vendors, must comply with security and breach notification rules. Under HIPAA, all Business Associates who have access to unencrypted electronic protected health information (ePHI) for technical support or administrative reasons are required to comply with HIPAA regulations. It is in your company’s best interest that a Backup and Disaster Recovery (BDR) solution is in place that delivers encryption, image-based backups, instant virtualization for backup testing and offsite replication to the cloud.

A HIPAA compliant BDR solution must have Service Organization Controls (SOC) 1 and 2 standards in place and the reports need to be available for proof of compliance to these controls, for all data centers. These reports will focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy of the data center.   In addition, establishing a business continuity and disaster plan internally will safeguard your organization from a HIPAA-related issue.

Encryption

Encryption is the safest way to protect your data as it converts that information electronically into another form (ciphertext), which can only be read by approved groups.  HIPAA regulations require that data be encrypted at the local backup level, when it is in transit to and from the cloud and when it is replicated to a second data center location for redundancy purposes. This is to ensure that if a breach of PHI occurs, any data that is retrieved will not be readable.

In addition, it is important that any email that contains PHI be encrypted when in transit.  There are solutions available that will encrypt messages in a number of ways with a minimal impact on end users.  They include, but are not limited to:

  • The user providing a predetermined encryption phrase to the subject line such as, “secure.”
  • Administrators configuring encryption policies to detect and automatically encrypt messages containing personally identifiable information, i.e., social security numbers.
  • Outlook users marking a message as confidential.

Organizations that do not encrypt emails containing sensitive information are at risk of regulatory fines.

If you want to learn more about HIPAA compliant solutions and their impact on your organization, contact The TNS Group today.  We take our role very seriously and we can deliver a positive solution focused on compliance that will not compromise employee productivity and efficiency.

Categories: Managed Service Provider, MSP Blogs