If you’ve started a new private medical practice, one of the first major hurdles you’ll need to jump is becoming compliant with the federal Health Insurance Portability and Accountability Act, known as HIPAA.
These federal regulations apply to any organization that creates, receives, stores, or transmits protected health information (PHI), and to the vendors (business associates) that handle PHI on its behalf. HIPAA's Security Rule sets the standard for how electronic patient data is handled and guarded. It requires administrative, physical, and technical safeguards: policies and training, control over who can physically reach systems and media, and technical controls such as access control, audit logging, and encryption.
This means that in addition to providing the network and security measures your small business needs for day-to-day operations, you also have to ensure your IT meets every applicable HIPAA safeguard and that you can document it. To help you get started, we've outlined moves you can make in 2019 that get the biggest return on your investment and work toward fulfilling your HIPAA obligations.
The Cost of a Breach
Beyond the personal exposure and risk to patients whose records are breached, there are steep financial costs associated with an IT lapse. The widely cited figure of $148 for every lost or stolen record is a cross-industry average; healthcare records consistently cost considerably more to remediate than records in other industries, so treat $148 as the low end. If your practice tells patients their information is protected, and patients sign privacy forms on that basis, but you are not in fact keeping their information secure, civil penalties and legal fees come on top of the per-record cost. Not only are you legally required to meet certain standards to protect patient data, it is also in your practice's financial interest to do so.
If your practice communicates with patients and vendors via email, you need to ensure that your email environment is secured in a way that meets HIPAA's requirements. G Suite and Office 365 can both be used for this, but neither is compliant out of the box: you must sign the provider's Business Associate Agreement (BAA), use a paid business tier on your own company domain rather than free consumer accounts, and turn on the controls yourself, such as multifactor authentication, audit logging, and retention policies. Both hosts provide backup of mailbox data and encrypt mail in transit between servers that support it; mail to a patient's personal address is only as protected as the receiving system, so anything sensitive should go through a secure message option or a patient portal rather than plain email. If you're not sure where your email system stands, you can ask a managed service provider (MSP) to do an email assessment for you.
Your internet service provider isn't responsible for securing your network. When you have a corporate internet connection, employees on it all day long, and a server holding your practice database and every patient record associated with it, you need a boundary device that inspects the traffic crossing that connection, blocks what shouldn't get in or out, and keeps a record of what it saw.
An enterprise-grade firewall with current threat signatures and logging is the bare minimum for 2019. HIPAA doesn't certify hardware, so no router is "HIPAA compliant" on its own; what the Security Rule requires is that you can show you control network access, protect against malicious software, and keep audit records, and a $50 Linksys router from Staples gives you none of the logging, segmentation, or intrusion prevention you'd need to show that. Though an enterprise firewall might run you $2,000 up front, that's only about $33 a month over 60 months. It's an investment that protects you from the far larger costs of a breach down the road.
Your server itself must also be physically protected; this is one of HIPAA's physical safeguards. It cannot sit next to your receptionist, where every employee and the cleaning crew can reach out and touch it, pull a drive, or plug in a USB stick. If the only space available is shared with staff, put the server in a locked cabinet or closet, or create a dedicated IT room with restricted access, and keep a record of who has keys.
Don't want to build a special room for your server? Then consider cloud hosting for your patient records. Hosting the practice database with a cloud provider that will sign a BAA moves the physical-security burden to the provider's data center, and often makes more sense than building a bunker for a single server. It does not move your obligations, though: you remain responsible for who has access to your tenant, how it is configured, and whether its data is backed up, the same way you do for hosted email.
Cloud-based solutions in 2019 can provide your medical practice with:
- Services eligible for PHI and covered by the provider's Business Associate Agreement
- TLS certificates so every connection to the server is encrypted
- Virtual private networking for staff access from outside the office
- An enterprise firewall in front of the hosted environment
- Multifactor authentication on every account
A bonus of cloud hosting is that it is more dynamic and more scalable. Disaster recovery planning is easier because the data is backed up by the provider and accessible from anywhere, but a plan still has to be tested: restore a backup to a scratch environment on a schedule and confirm the practice database actually comes up, since an untested backup is an assumption, not a recovery plan.
If you aren't ready to use cloud hosting, you should still back up your data securely (encrypted, with the key kept separately from the media) and keep a custody log that records who moved each backup, from where, to where, and when, so that your backup handling meets HIPAA's auditing and logging requirements. A ticket system can help with this tracking, provided the tickets can't be silently edited after the fact.
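The custody log described above is only useful as an audit record if an entry can't be quietly altered or dropped later. The following is an added example, not code from the original article or from any MSP product: a small hash-chained custody log where each entry carries the SHA-256 of the backup it refers to and the hash of the previous entry, so any edit or deletion shows up on verification. The backup bytes, actor names, and locations are constructed sample data; a real deployment would write the entries to append-only storage rather than keep them in a Python list.

```python
"""Hash-chained custody log for backup media (added example).

Each entry records who handled a backup, what they did, where it went,
and the SHA-256 of the backup contents. Every entry also includes the
hash of the entry before it, so verify_log() detects a changed or
removed entry anywhere in the chain.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash value used as the "previous" of the first entry


def file_digest(data: bytes) -> str:
    """SHA-256 of the backup contents, tying the custody record to exact bytes."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(prev_hash: str, body: dict) -> str:
    """Hash of the previous hash plus a canonical JSON form of the entry body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append_entry(log: list, actor: str, action: str, location: str,
                 backup_digest: str, when: datetime = None) -> dict:
    """Append a custody entry chained to the current tail of the log."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,
        "action": action,
        "location": location,
        "backup_sha256": backup_digest,
        "prev": prev_hash,
    }
    entry = dict(body, hash=_entry_hash(prev_hash, body))
    log.append(entry)
    return entry


def verify_log(log: list):
    """Recompute the chain. Returns (True, -1) or (False, index_of_first_bad_entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev_hash or body["seq"] != i:
            return False, i  # a link was removed or reordered
        if not hmac.compare_digest(_entry_hash(prev_hash, body), entry["hash"]):
            return False, i  # the entry's own fields were altered
        prev_hash = entry["hash"]
    return True, -1


# Constructed sample backup contents; stands in for the real archive file.
SAMPLE_BACKUP = b"practice-db-2019-03-01.tar.gz: constructed sample bytes"


def build_sample_log() -> list:
    """Three custody events for one backup: created, moved to safe, sent offsite."""
    digest = file_digest(SAMPLE_BACKUP)
    log = []
    t = datetime(2019, 3, 1, 18, 0, tzinfo=timezone.utc)
    append_entry(log, "j.doe", "created", "server-closet", digest, t)
    append_entry(log, "j.doe", "moved-to-safe", "front-office-safe", digest,
                 t.replace(minute=15))
    append_entry(log, "msp-tech", "offsite-rotation", "offsite-vault", digest,
                 t.replace(day=2, hour=9))
    return log


def tampered_copy(log: list) -> list:
    """Simulate someone editing the actor on entry 1 after the fact."""
    bad = [dict(e) for e in log]
    bad[1]["actor"] = "unknown"
    return bad


def deleted_copy(log: list) -> list:
    """Simulate someone removing entry 1 to hide a handoff."""
    return [dict(log[0]), dict(log[2])]


if __name__ == "__main__":
    custody = build_sample_log()
    print("intact log:   ", verify_log(custody))
    print("edited entry: ", verify_log(tampered_copy(custody)))
    print("missing entry:", verify_log(deleted_copy(custody)))
```

The digest in each entry lets an auditor confirm that the media in the vault is the same backup the log says left the office, and the chain means a ticket-system-style "just fix the old record" is visible rather than silent. Storing the latest chain hash somewhere the log's editors can't reach (a printed sheet in the safe, or a separate MSP ticket) closes the remaining gap, since otherwise someone with write access could rebuild the whole chain.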
One of the biggest concerns for business IT security in 2019 is employee passwords. It's very likely that your employees' passwords are too short, are reused across sites, and are stored on sticky notes. HIPAA requires that you have procedures for creating, changing, and safeguarding passwords, but it does not prescribe the details; current guidance (NIST SP 800-63B) is the sensible baseline. All staff members with any web or email access that touches patient data should follow these rules:
- Use long passwords or passphrases (12 characters or more) and screen new ones against lists of known-breached passwords, rather than relying on complexity rules alone.
- Change a password immediately at any sign of compromise. Forced rotation every 90 days is no longer recommended by NIST, because it pushes staff toward predictable variations of the same password; if your auditor or cyber-insurance policy still requires it, document that as the reason.
- Do not write passwords down or store them where others can reach them; issue a password manager so that staff don't have to.
- Turn on multifactor authentication for email, the practice management system, and any remote access.
To level up your password protection, as well as your overall data security and HIPAA compliance, institute a practice-wide security policy that sets standards for password management, user account maintenance, licensing, backups, updates, and onboarding and off-boarding (including removing access the day someone leaves). Employees should be trained on their role in data protection when they start and whenever the policy changes.
HIPAA compliance for a private medical practice is critical, and it can be overwhelming alongside the demands of running a small business. Starting with securing your email, your server and its data, and your passwords will set you on a path to compliance in 2019. A managed service provider can assess where you stand and help you build a secure data environment that protects your patients and protects you financially.