The HITECH Act of 2009 expanded a business's responsibilities related to protecting individuals' privacy, as initially outlined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While technology provides businesses with a lot of excellent benefits relating to ease of access, it also means that there are a number of security risks that must be considered and mitigated as much as possible.
This blog will give you a basic outline of what you'll need to maintain HIPAA and HITECH compliance. However, the full depth of this topic is much more complicated than can be outlined here, so make sure you consult with a professional to ensure that your business is in compliance.
Even though the vast majority of information these days is digital, you still need to provide some physical protections if you keep any health information regarding your employees, clients, or patients. Examples of necessary physical protections include the following:
- Data backup and storage - The information you maintain should have automatic backup to a remote location, such as in a "cloud" system.
- Facility security - Wherever you choose to back-up your data to, that facility should have in-depth security such as video surveillance and limited access to the server rooms.
- Disaster mitigation and recovery - The server location should also have fire suppressants and recovery plans to ensure that the backed-up data is protected in the event of a disaster.
Since you probably won't be backing up your data to your own servers, ensure that the provider you choose has all of these security measures and more if you want to be compliant with HITECH and HIPAA.
Limiting access to the data you have is a central part of maintaining compliance. Ensure that whatever data storage system you use requires unique logins and has an automatic logoff feature. It should also offer both encryption and decryption of all data, both while the data is in transit (such as being shared with the individual) or at rest (simply being stored on your drives).
Your system also needs to have administrative abilities that allow you to closely monitor and protect the data you are storing. This includes the following:
- Login monitoring - Administrators need to be able to see who is accessing what data, as well as keep track of any changes that are made to the data being stored.
- Limiting access - You should also be able to assign different users of your system different levels of access. For example, someone in your call center may be able to access only patient names and contact information, while members of upper management can access full records.
These types of safeguards are only the beginning when it comes to HIPAA and HITECH compliance. The true depth and breadth of these 2 compliance acts can be overwhelming, especially as it pertains to your IT systems. Make sure that you work with a professional in designing and maintaining compliant systems so that you don't face penalties and fines for being in violation of these acts.
Related Articles -