How to become HIPAA Compliant?

There are several aspects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but as it pertains to health care IT and the focus of this article, HIPAA compliance comes from your company’s ability to adhere to the strict national standards regarding electronic health care transactions and identifying information for health care providers, employers, and health insurance plans.

As one might imagine with such a large piece of national legislation, there is a myriad of minimums that your company’s systems and operations must meet. And as one might also imagine, understanding and implementing exactly how said systems and operations must operate to be HIPAA compliant can quickly become quite a daunting task. Having a quick, clear, and easy 10-step HIPAA compliance checklist to run through can be a major help, which is what we are doing in this article. We will also take a look at a series of hosting questions asked by an Atlantic.Net healthcare client interested in learning more about the specifics of compliance.

Why is HIPAA Compliance required?

One of the problems with our increasingly technological world is that the speed at which our devices and services upgrade and make older versions obsolete can be dizzying. It feels like only an instant before the latest smartphone or flatscreen TV is being replaced with the bigger, better, faster model.

The same holds true in the world of HIPAA web hosting, data information, and server management. And while it can be tough to keep up for any type of business, it’s crucially important if your company is involved with health care IT and has to maintain HIPAA Compliance.

10-Step HIPAA Compliance Checklist

If you want to know how to become HIPAA compliant, there are specific standardized technologies that you should have in place to properly protect Personal Health Information or PHI, and avoid violations. We’ll dive more into the technological side in the spotlight section detailing a conversation with a client below.

In addition to those technical specifications, here are 10 additional actions you want to take as general HIPAA administrative safeguards. Although these tactics should not be considered exhaustive, each one will effectively reduce your liability and make it less likely that you will become a target of the Department of Health and Human Services (HHS):

  • Create a Security and Privacy Policy
  • Name a Privacy and Security Officer
  • Perform Periodic Vulnerability Reviews
  • Create a Specific Policy for Email
  • Create a Specific Mobile Policy
  • Train Your Staff
  • Develop a Privacy Notice
  • Solidify Business Associate Relationships
  • Establish a Protocol for Possible Breaches
  • Make Sure the Privacy and Security Policies are Followed

Step #1 – Create a Security and Privacy Policy

“Healthcare organizations must develop, adopt and implement privacy and security policies and procedures,” said Becker’s Hospital Review. “They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs.”

This is particularly important in today’s world, where cybercrime, in the form of brute force attacks, Distributed Denial of Service (DDoS) attacks, and other forms of hacking have resulted in some of the biggest data breaches in history. And with the recent gigantic Anthem data breach, having air-tight security safeguards in place is paramount, as are having the proper protocols in place in the unfortunate event of a hack or breach.

Step #2 – Name a Privacy and Security Officer

Name one or two people who are knowledgeable on HIPAA compliance requirements for these roles. One of the most crucial aspects of being HIPAA compliant is ensuring that your data remains safe, secure, and most importantly, confidential. It makes sense that the person, or people, in charge of that data is an expert in the field – a HIPAA privacy officer & security officer. They can also help you set up air-tight policies (as mentioned in step #1 above) and implement the best possible procedures in case of an attack or system error.

Step #3 – Perform Periodic Vulnerability Reviews

You want to check and test your exposure to risk on a regular basis. If you find anything amiss, of course, you need to correct it. Policies should be adjusted based on information from these assessments as well. After all, a chain is only as strong as its weakest link, so while even if the vast majority of your systems and are air-tight, it would only take one small mistake or oversight to cause massive problems. Hackers, cybercriminals, and even inadvertent employee mistakes could all spell major problems and possible violations if not shored up immediately.

Step #4 – Create a Specific Policy for Email

The HHS Office for Civil Rights, or OCR, has stated it wants to see user guidelines that are crafted to the particular situation, as exhibited by specific mobile and email policies. Interestingly enough, it does not state anywhere in the OCR regulations that PHI must only be sent and/or received via encrypted email, but it’s worth pointing out that your email system is HIPAA compliant and with the encryption of all messages. In addition, you can protect yourself from investigations with encrypted email. In today’s world, email encryption is a relatively fast, easy, and painless process to implement, and many providers will offer it free of charge. It’s very much the time to look into, but if you decide that email encryption is not right for you at this point in time, you must at the very least inform your patients that asking for records through email puts them at risk.

Step #5 – Create a Specific Mobile Policy

Mobile devices are everywhere, and they get more omnipresent each and every year. Every side of the health care world, between providers and patients, uses mobile devices to check email and log into profiles. As such, it will greatly benefit you to create a strong policy to safeguard health data on mobile devices, such as smartphones and laptops, which are particularly susceptible to physical theft. The policy should address also what happens when a new device is added to or removed from the network.

Step #6 – Train Your Staff

While not everyone on your team must be an industry-leading expert in the finer technicalities of HIPAA (save those hires for your Security and Privacy Officer positions, as mentioned in Step #2), it will behoove you if your staff is comfortably familiar with the basic parameters of HIPAA. It has been shown numerous times by numerous studies that employees are consistently one of the biggest risks to a company’s cybersecurity – usually through a lack of knowledge of the proper protocols. Nobody wants to be the cause of a HIPAA violation, so it’s in your best interest to provide training to any new people who join your staff and occasional reviews (some say every six months) for continuing employees.

Step #7 – Develop a Privacy Notice

Communication is key, and that goes double for privacy. Having a clear, concise privacy policy is important, as is getting that policy out there for all to see. Make sure that your privacy policy is posted on your website and is easy to find. The same policy should be handed out to patients, and they should sign that they’ve received it. Also, don’t be afraid to view your privacy policy as a living, breathing document – if certain events, either in your company or in the healthcare industry at large, necessitate the need for changes, update the policy. And when you do, get new signatures from your patients to ensure they understand what’s been updated.

Step #8 – Solidify Business Associate Relationships

Odds are your business isn’t an island – you have a team of business associates that you work with on a regular basis. Even though they aren’t full-time employees, you still need to make sure they adhere to any policies you’ve set forth. Harking back to the chain analogy used in Step #3, if your associates aren’t a strong link, it’s a problem. You need to make sure that a strong business associate agreement is signed with all relevant parties – including those that handle PHI, such as shredding companies.

Step #9 – Establish a Protocol for Possible Breaches

It’s critical to have a step-by-step system whenever you think a breach might have occurred. Even the most safeguarded and up-to-date systems are susceptible to breaches, so always view cybersecurity as two sides to the same coin – it’s important to invest and spend time on infrastructure and policies that will help prevent breaches and other forms of attacks, but the flip side is to always know that a breach is always a distinct possibility.
“The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred,” noted Becker’s. “If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities.”

Step #10 – Make Sure the Privacy and Security Policies are Followed

Preparation is only half the battle – and important half to be sure, but what good is the best-laid plans if they aren’t followed? Ensuring that they are actively followed is critical. It needs to be a part of your company’s DNA and breathed into each and every operation your company undertakes. In addition to making sure the policies are well-known and followed by all your team members and all business associates, it should also be known that failure to adhere to said policies come with penalties. Make sure the consequences of failing to comply with your HIPAA compliance policies are both well-known and strict enough to ensure your staff does everything possible to follow them.

Spotlight: HIPAA Technology Provider Questions

This section spotlights a recent and actual question-and-answer exchange we had with a prospective healthcare client – we’ve of course anonymized and edited it for privacy. For brevity, we’ll skip the introductions and jump right into the Q&A. We hope this gives you some insight into some of the more technical aspects of HIPAA compliance, and how any company worth your time will have strong answers to each of these types of questions.

Healthcare Client:
Have you been independently audited against the OCR HIPAA Audit Protocol?

Hosting Consultant:

Yes, I have attached our HIPAA audit for your review.

Healthcare Client: What particular IT services meet HIPAA-compliant security standards for
protecting PHI?

Hosting Consultant: The following services fully meet HIPAA-compliant security standards with regards to Personal Health Information or PHI: Fully Managed Hardware Firewall; Encrypted VPN’s; Intrusion Detection System; Fully Managed Daily Encrypted Backup; Private Dedicated Server Environment with Self-Encrypted Storage (Virtualized or Non-Virtualized); and Anti-Virus Software.

Healthcare Client: Do you have documented policies and procedures?

Hosting Consultant: Yes, but the Policies and Procedures are Proprietary Information. We only release the HIPAA Audit, BAA, DR Document, and SSAE 16 (SOC 2, Type 1 & 2) audit. (All are attached.)

Healthcare Client: Are your employees trained?

Hosting Consultant: Of course.

Healthcare Client: Do you have a thorough BAA (Business Associate Agreement) with documented and communicated policies?

Hosting Consultant: Yes, and it is attached for your review.

Healthcare Client: What is the difference between regular server hosting and HIPAA-compliant server hosting  (structure-wise)?

Hosting Consultant: The only fundamental difference is that HIPAA Compliant Hosting requires an Intrusion Detection System. It also requires all of the services listed above in the question regarding services meeting PHI protection protocols. HIPAA-compliant hosting can include a Virtualized Private Dedicated Server environment but it cannot include Public Cloud / Private Cloud hosting services.

Healthcare Client: Why is HIPAA-compliant server hosting more expensive than regular server hosting?

Hosting Consultant:
Because of the technologies listed above and because you cannot remove any of these items from the hosting platform as you can with a non-HIPAA compliant server hosting environment.

Conclusion

Every healthcare company must ask for advice when they work with IT providers since any issues with the provider would pose a risk to their patient’s health information. After all, even going through a minor HIPAA violation can be disastrous to a healthcare IT organization.

Atlantic.Net is a trusted HIT provider. Our clients trust us because we are experts on the subject and are fully transparent in all communications, as evidenced by this customer testimonial below: “Atlantic.Net’s reputation for 100% up-time, their secure infrastructure, and expertise in Healthcare IT were key components in finalizing our partnership,” said Complete Healthcare Solutions Vice President Joseph Nompleggi.

Feel free to contact us today to see if we can help you meet your HIPAA compliance needs with any of our award-winning HIPAA-Compliant Hosting or Dedicated Hosting.


Read More About HIPAA Compliance


This article updated with the latest information on July 30, 2024.