
7 Common Issues Relating to HIPAA Compliance

The HIPAA Privacy Rule establishes the standards for using and handling patient information, which is called Protected Health Information (PHI). HIPAA governs the integrity and provenance of PHI shared among organizations, and its security and privacy regulations exist to ensure organizations adhere to the necessary standards. Here are some common IT challenges relating to HIPAA compliance:

1. Transmission Encryption

  • PHI must be encrypted during transmission

  • The website must have an SSL certificate

  • Any page or web form that collects or displays PHI must have SSL

  • Any page used for logging in, or which transmits authorization cookies, etc., must be protected by SSL

  • Where applicable, there should not be an alternate, non-SSL version of the pages that show PHI to visitors

  • SSL requires a digital signature by a trusted Certificate Authority

  • Browsers include a pre-installed list of trusted CAs, known as the Trusted Root CA store

  • Companies must comply with, and be audited against, security and authentication standards for browsing

  • If the end user submits PHI that is collected on your website, the transmission of that data must be secure (this is the hardest item to get right)
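Two of the items above can be checked mechanically before a page goes live: whether every form on a page submits to an https:// URL, and whether authorization cookies are set with the Secure attribute (so a browser never sends them over an unencrypted connection). The following script is an added example, not code from the original post; the page URL, HTML and response headers it scans are constructed samples for a hypothetical clinic site, not real captures, and it uses only the Python standard library.

```python
"""Static checks for the transmission-encryption items above.

Added example, not from the original post. Given the HTML of a page and the
response headers it was served with (both constructed samples below), it flags:
  * forms that would submit to a plain http:// URL (PHI would leave the browser
    unencrypted), including relative actions on a page that is itself served
    over http://;
  * cookies set without the Secure attribute (an authorization cookie could be
    sent over an unencrypted connection).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collects the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attrs = dict(attrs)
            # A form with no action posts back to the page it was served from.
            self.actions.append(attrs.get("action") or "")


def insecure_form_actions(page_url, html):
    """Return the absolute action URLs of forms that would post over http://."""
    parser = FormCollector()
    parser.feed(html)
    bad = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # relative actions inherit the page's scheme
        if urlparse(target).scheme != "https":
            bad.append(target)
    return bad


def cookies_missing_secure(headers):
    """Return the names of cookies in Set-Cookie headers that lack the Secure attribute.

    `headers` is a list of (name, value) pairs as received from the server.
    """
    missing = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        if "secure" not in flags:
            missing.append(cookie_name)
    return missing


# Constructed sample page and headers for a hypothetical clinic site (not a real capture).
SAMPLE_PAGE_URL = "http://clinic.example/appointments"
SAMPLE_HTML = """
<html><body>
  <form action="/book" method="post">...</form>
  <form action="https://portal.clinic.example/login" method="post">...</form>
  <form action="http://legacy.clinic.example/intake" method="post">...</form>
</body></html>
"""
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "remember=xyz; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for url in insecure_form_actions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form posts over plain HTTP:", url)
    for cookie in cookies_missing_secure(SAMPLE_HEADERS):
        print("cookie without Secure attribute:", cookie)
```

On the constructed sample the relative `/book` form is flagged because the page itself is served over http://, the legacy intake form is flagged because its action is an explicit http:// URL, and the `remember` cookie is flagged because it lacks the Secure attribute.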

2. Backup

PHI cannot be lost - Data needs to be backed up and it must be recoverable.

  • All data must be securely backed up and restorable

  • All email should be backed up and restorable

  • PHI stored in backups must also be protected in a HIPAA-compliant way — with security, authorization controls, data encryption etc.

  • A restoration policy should be in effect

3. Authorization

PHI must only be accessible by authorized personnel using unique, audited access controls.

  • Know everyone who has access to your site

  • You must have a Business Associate Agreement with everyone who has access to your site

  • Examples of parties who might have access: web hosting provider, marketing agency, etc.

  • If an agreement was issued to a third-party company, make sure it has been revised since the introduction of the Omnibus Rule

  • Make sure the staff and other people with access to scheduling on your site are compliant with the HIPAA security and privacy rules

  • Audit your logins

  • Alerting for multiple failed logins

  • Access controls need to be maintained and monitored
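The "audit your logins" and "alert on multiple failed logins" items are usually implemented as a detection run over the login audit log. The script below is an added example, not code from the original post: it assumes a simple, constructed log line format (`<ISO timestamp> LOGIN user=<name> ip=<addr> result=SUCCESS|FAIL`), and the sample log lines, the 10-minute window and the threshold of five failures are all constructed values to be tuned for a real site. It raises one alert when a single source address accumulates enough failures within the window (a password-guessing source) and another when a single account is hit by enough failures, whatever the sources.

```python
"""Failed-login alerting over audit log lines (added example, not from the post).

Log format is a constructed, hypothetical one:
    2024-03-01T09:00:00 LOGIN user=alice ip=10.0.0.5 result=FAIL
An alert is raised when one source IP reaches THRESHOLD failures within WINDOW,
and separately when one account reaches THRESHOLD failures within WINDOW.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>SUCCESS|FAIL)$"
)
THRESHOLD = 5                   # constructed tuning value
WINDOW = timedelta(minutes=10)  # constructed tuning value


def parse_line(line):
    """Parse one log line into a dict, or return None for unrelated/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def failed_login_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return a list of (kind, key, count) alerts in the order they fire.

    Each offender (source IP or account) is reported once, the first time it
    crosses the threshold, so a long attack does not flood the alert channel.
    """
    by_ip = defaultdict(deque)    # ip -> timestamps of recent failures
    by_user = defaultdict(deque)  # user -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["result"] != "FAIL":
            continue
        ts, ip, user = event["ts"], event["ip"], event["user"]

        # Per-source sliding window: drop failures older than `window`, then count.
        q = by_ip[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ("ip", ip) not in alerted:
            alerted.add(("ip", ip))
            alerts.append(("brute_force_source", ip, len(q)))

        # Per-account sliding window: catches one account attacked from many sources.
        uq = by_user[user]
        uq.append(ts)
        while uq and ts - uq[0] > window:
            uq.popleft()
        if len(uq) >= threshold and ("user", user) not in alerted:
            alerted.add(("user", user))
            alerts.append(("account_under_attack", user, len(uq)))
    return alerts


# Constructed sample log: one source guessing many accounts, then one account
# hit from many sources, plus a line the parser should ignore.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 LOGIN user=alice ip=10.0.0.5 result=SUCCESS",
    "2024-03-01T09:01:00 LOGIN user=alice ip=203.0.113.9 result=FAIL",
    "2024-03-01T09:01:10 LOGIN user=bob ip=203.0.113.9 result=FAIL",
    "2024-03-01T09:01:20 LOGIN user=carol ip=203.0.113.9 result=FAIL",
    "2024-03-01T09:01:30 LOGIN user=dave ip=203.0.113.9 result=FAIL",
    "2024-03-01T09:01:40 LOGIN user=erin ip=203.0.113.9 result=FAIL",
    "2024-03-01T09:30:00 LOGIN user=bob ip=198.51.100.7 result=FAIL",
    "2024-03-01T09:31:00 LOGIN user=bob ip=198.51.100.8 result=FAIL",
    "2024-03-01T09:32:00 LOGIN user=bob ip=198.51.100.9 result=FAIL",
    "2024-03-01T09:33:00 LOGIN user=bob ip=198.51.100.10 result=FAIL",
    "2024-03-01T09:34:00 LOGIN user=bob ip=198.51.100.11 result=FAIL",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for kind, key, count in failed_login_alerts(SAMPLE_LOG):
        print(f"ALERT {kind}: {key} ({count} failures within {WINDOW})")
```

Note that bob's failure at 09:01:10 does not count toward the later per-account alert: by 09:30 it has fallen out of the 10-minute window, which is exactly the behaviour you want so that ordinary typos spread over a day do not page anyone.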

4. Integrity

PHI cannot be tampered with or altered.

  • Only information collected and stored via your website that is encrypted and/or digitally signed can be considered safe from tampering

  • It is up to your organization to determine whether to tamper-proof your data

  • Generally, using PGP, SSL or AES encryption for stored data can accomplish this very nicely and also address the next point

5. Storage Encryption

PHI must be encrypted if it is stored or archived.

  • Data encryption is not required by HIPAA, but in practice it is necessary because of the huge fines

  • Ensure ALL collected and stored PHI is encrypted and can only be accessed/decrypted by individuals with the appropriate security keys

  • Use storage encryption for backups
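The Integrity and Storage Encryption sections above both point at the same mechanism: stored PHI should be encrypted and/or signed so that any alteration is detected on read. The following is an added example, not code from the original post, showing the integrity half with only the Python standard library: each stored record carries an HMAC-SHA256 tag over a canonical JSON encoding, so a change to any field, or to the tag, fails verification. A keyed MAC is used here in place of the PGP signature the post mentions, and the confidentiality half (AES or PGP encryption of the record) would be layered on with a crypto library and is not shown. The patient record and the key are constructed placeholders; a real key would come from a key management system and never be stored beside the data.

```python
"""Tamper-evident PHI records with a keyed MAC (added example, not from the post).

Each sealed record is the original fields plus a "_tag" field holding an
HMAC-SHA256 over the canonical JSON encoding of the other fields. verify()
recomputes the tag and compares it in constant time.
"""
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load this from a KMS/HSM.
DEMO_KEY = b"replace-me-with-a-32-byte-random-key"


def _canonical(record):
    # Sort keys and drop whitespace so the same data always yields the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=DEMO_KEY):
    """Return a copy of `record` with an integrity tag attached."""
    if "_tag" in record:
        raise ValueError("record already sealed")
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {**record, "_tag": tag}


def verify(sealed, key=DEMO_KEY):
    """True if the sealed record is intact, False if any field or the tag changed."""
    if "_tag" not in sealed:
        return False
    body = {k: v for k, v in sealed.items() if k != "_tag"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag through timing differences.
    return hmac.compare_digest(expected, sealed["_tag"])


def demo():
    """Seal a constructed patient record, then alter one clinical field.

    Returns (verify(original), verify(tampered)).
    """
    original = seal({"patient_id": "P-0001", "dob": "1980-01-01", "allergy": "penicillin"})
    tampered = dict(original)
    tampered["allergy"] = "none"  # a silent edit to a stored field
    return verify(original), verify(tampered)


if __name__ == "__main__":
    intact, altered = demo()
    print("original verifies:", intact)
    print("tampered verifies:", altered)
```

Because the tag is keyed, a record is also rejected when checked with a different key, which is what makes key custody (not just the algorithm) part of the integrity guarantee.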

6. Disposal

All PHI must be permanently erased when it is no longer required.

  • Consider all of the places where the data could be backed up and archived

  • Have protocols for deletion

  • Keep an inventory of devices and software

7. Business Associates

You must have a signed HIPAA Business Associate Agreement with every vendor that touches your PHI.

  • If your website or data is located on the servers of a vendor, then HIPAA (first in HITECH and subsequently in the Omnibus Final Rule) requires you to have a signed and up-to-date Business Associate Agreement

  • It is up to you to ensure that your site is designed and managed in a way that is compliant with HIPAA.

  • Choosing a HIPAA-compliant provider will not make your website HIPAA compliant unless you and your designers ALSO take all of the steps to ensure that it is.
