HIPAA Compliance Overview
What is HIPAA?
Introduced in 1996, the Health Insurance Portability and Accountability Act specifies certain rules and parameters any company that deals with PHI must adhere to. Penalties for not achieving and maintaining compliance range from the bad to
| Violation | Amount per violation | Violations of an identical provision in a calendar year |
|---|---|---|
| Did Not Know | $100 – $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 – $50,000 | $1,500,000 |
| Willful Neglect — Corrected | $10,000 – $50,000 | $1,500,000 |
| Willful Neglect — Not Corrected | $50,000 | $1,500,000 |
What is PHI?
PHI, or Patient Health Information, is any item that meets the guidelines specified by Health and Human Services. Some of the guidelines include, but are not limited to (the full list can be seen on our website at https://www.dansnetworks.com/services/hipaa-compliance):
Who Does HIPAA Apply To?
Anyone who handles information covered by the above items. That obviously includes any health care provider, but it also encompasses businesses that are not as obvious, such as law firms (medical malpractice, personal injury, etc.).
How Do We Achieve HIPAA Compliance?
First off, you need IT providers that are HIPAA compliant, meaning they have internal policies to prevent leakage of any PHI they may encounter. To protect yourself, have the provider sign a BAA (business associate agreement). This is essentially a contract stating that the provider is HIPAA compliant – it “passes the buck” downstream, so that if a breach occurs because of your provider, some of the penalties pass downstream as well. In turn, your provider will obtain BAAs from its own providers, such as hosted email services like Microsoft Office 365, cloud backup solutions, etc.
Second, you need to follow the practices and guidelines that your provider goes over with you. These include restricting access to PHI on a “need to know” basis, avoiding storing PHI in locations accessible to unauthorized personnel, and restricting physical access to PHI.
Some of the practices that can help achieve this include:
- Storing PHI on an encrypted device – data must be encrypted at rest and in transit, meaning that any storage device that holds PHI must have HIPAA-compliant encryption. This includes servers, workstations, and network storage devices.
- Avoiding any PHI on the desktop – employees must not store PHI in locations such as the Desktop or My Documents folders, or anywhere else on a personal computer. If that machine is stolen or infected by a virus, the loss of the PHI on it constitutes a breach.
- Making sure that any printers are safeguarded from physical access and that any storage media is wiped before the printer leaves the premises (in case of a lease return or sale). Most printers keep copies of scanned documents on internal storage, which makes these devices a very big security risk.
How are Managed Services HIPAA Compliant?
To provide HIPAA compliant managed services, we observe all of the appropriate practices. We will advise you of any potential issues, help your company address those issues, and then monitor at all times to make sure those solutions remain in effect. This includes keeping operating systems, 3rd party software, and any line of business applications up to date. It also includes verifying that physical and electronic access to any PHI is guarded, and monitoring to make certain that rules such as the prohibition on storing PHI on workstations are not violated. These practices are above and beyond typical managed services, which is why they tend to cost more.