Healthcare IT Consulting & HIPAA Security
Healthcare IT Security Experts
ANS Networking can work with you to structure a compliance process from initial audits through implementation. We have partnered with industry leaders to provide cybersecurity compliance for medical and government facilities. We can work with on-site IT or independently manage the project to completion.
Summary of the HIPAA Security Rule
“Electronic protected health information”, or e-PHI, is the overall term for any information about a patient that is produced, saved, transferred or received electronically. Because of its electronic nature, this data could be lost or viewed by parties not entitled to see it. “Covered entities” include any business or organization that handles this electronic protected health information, such as hospitals, physical therapists, dentists, health insurance providers, and any other health provider or doctor's office. These entities must abide by the “Security Rule”, which requires covered entities to maintain “reasonable and appropriate” administrative, technical, and physical safeguards for protecting e-PHI.
ANS Networking’s team of cybersecurity and network data security experts can make sure your health organization complies with these HIPAA Security Rule standards. Call us today to get started: 603-605-8099.
Reasonable and Appropriate Safeguards Expanded
- Make sure that any e-PHI the covered entity creates, receives or transmits remains confidential, secure, and available
- Protect against reasonably anticipated threats to the integrity or security of the information, and identify the threats that may be posed
- Protect against any anticipated impermissible uses or disclosures of the information
- Ensure that the workforce with access to the information remains compliant
Security Rule Definitions
Confidentiality: e-PHI is not available or disclosed to unauthorized persons. The confidentiality requirements protect against improper uses and disclosures of protected health information.
Integrity: e-PHI is not altered or destroyed in an unauthorized manner.
Availability: e-PHI is available and able to be used on demand by an authorized person.
Which aspects of the Security Rule are right for your business?
HHS recognizes that covered entities range from the largest multi-state health plan to the smallest local physical therapy office. The Security Rule is flexible and scalable, allowing covered entities to assess their own specific situation and needs and implement the solutions that are best for them. When a covered entity is deciding which security measures to implement, the Security Rule requires it to consider:
- Its physical size as well as organizational complexity and capabilities
- Its technical infrastructure including hardware and software
- The costs to implement security measures
- The likelihood of e-PHI data loss and the impact of risks to e-PHI
Covered entities must review and modify their security measures as needed to continue protecting e-PHI in a changing environment.
The IT security experts at ANS Networking can help your organization navigate this environment. Contact us today: 603-605-8099.
Contact ANS Networking Today
Looking for IT Consulting Regarding HIPAA Security?
ANS experts will work with your company to provide a customized healthcare IT Consulting plan today.
Risk Analysis and Management of Medical Data
Covered entities are required to perform a risk analysis as part of the Administrative Safeguards provisions of the Security Rule. This should be performed as part of their regular security management processes. The risk analysis provisions of the Security Rule are addressed separately here.
ANS Networking can help to determine which security measures are appropriate for your type of covered entity.
The risk analysis process may include:
- Implement security measures to address the risks identified in the risk analysis
- Evaluate the likelihood of occurrence and the potential impact of each risk to e-PHI
- Document the security measures adopted and the reasons for adopting them
- Maintain appropriate security protections continuously and reasonably
Risk analysis is an ongoing process in which a covered entity reviews its records to track access to e-PHI and detect security incidents. It should periodically evaluate the effectiveness of the security measures put in place and regularly reevaluate potential risks to e-PHI.
Security Management Process
A covered entity must identify potential risks to e-PHI and implement security measures to reduce risks and vulnerabilities.
Covered entities need to designate a person who is responsible for creating and implementing the security procedures. ANS Networking can be a valuable partner at this stage.
Information Access Management
The Security Rule requires a covered entity to enact policies for authorizing access to e-PHI only when appropriate, based on the user's or recipient’s role. This is consistent with the Privacy Rule standard that limits uses and disclosures of PHI to the minimum amount necessary.
Workforce Training and Management
Covered entities need to provide for appropriate authorization of workforce members who work with e-PHI. A covered entity must train all workforce members about its security policies and must have appropriate actions defined for workforce members who violate its policies and procedures.
A covered entity must perform regular assessments of how well its security procedures meet the requirements of the Security Rule.
A covered entity must limit physical access to its facilities to protect data while ensuring that authorized access is allowed to individuals who need it.
Workstation and Device Security
Proper use of and access to workstations and electronic media is a must. A covered entity should have procedures that define the transfer, removal, disposal, and re-use of electronic media containing e-PHI.
Covered entities are required to implement technical procedures so that only authorized persons are allowed to access electronic protected health information.
Covered entities need to implement software, hardware, and procedural processes to record and examine access and activity within the information systems that contain or use any e-PHI.
Policies, procedures and electronic measures need to be implemented to ensure that e-PHI is not altered or destroyed improperly, and to confirm that this has not occurred.
Covered entities must guard against any unauthorized access to e-PHI that is being transmitted over an electronic network by implementing various technical security measures.
IT Consulting Results in NH, MA, and ME
Which specifications are “Required” and which are “Addressable”?
Compliance is required for every Security Rule “Standard.” However, certain implementation specifications of those standards are “addressable,” while others are “required.”
The “required” specifications must be implemented to comply with the rule. The “addressable” designation does not make a specification optional; it allows the covered entity to determine whether the addressable specification is “reasonable and appropriate” for its specific situation. If the specification is not deemed reasonable and appropriate, the Security Rule allows the adoption of alternative measures that still achieve the purpose of the standard.
ANS Networking’s healthcare data security specialists are experts at helping your organization evaluate these standards.
Call today for an expert HIPAA Security Rule analysis: 603-605-8099.
Other organizational, procedural, and documentation requirements
Business Associate Contracts
HHS developed regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009. These set out the rules for any business associates of a covered entity that may also have access to protected health information.
Covered Entity Responsibilities
If an activity or practice of a business associate constitutes a violation or breach of the business associate’s obligations, the covered entity must take action to cure the breach or end the violation. Violations may include the failure to implement safeguards that protect e-PHI.
Retention of Documentation
Covered entities must adopt appropriate policies and procedures to comply with the Security Rule. In addition, a covered entity must maintain written security policies and written records of required actions, activities or assessments for six years after the date of their creation.
All covered entities must periodically review and update this documentation in response to changes that affect the security of electronic protected health information.
Contact us about our HIPAA and Healthcare IT Consulting Services in NH, MA and ME today.