HIPAA (the Health Insurance Portability and Accountability Act) was enacted in 1996 to protect the personal information that patients give to their healthcare providers. HIPAA regulations are strict and firm, but not impossible to follow. They set a standard that all healthcare providers must adhere to so that their patients’ personal information stays secure, even in our increasingly online world.

There are three “safeguards” in the HIPAA Security Rule: administrative, physical, and technical. The administrative safeguards dictate rules which apply to the people who will be working with e-PHI (electronic protected health information). The physical safeguards refer to the facilities in which e-PHI is processed. Lastly, the technical safeguards cover the technical security measures that must be put into place.

As an IT company, the technical safeguards are what we deal with most often when it comes to our healthcare clients. According to HIPAA, a healthcare provider must “implement policies and procedures to ensure that only authorized persons have access to e-PHI, that e-PHI is not improperly altered or destroyed, and that unauthorized access to e-PHI is prohibited.” HIPAA is vague on what constitutes “policies and procedures”, but by implementing all of the following measures, you are well on your way to complying with the technical safeguards.

  • Antivirus software. This is an absolute must on any computer, but it is particularly important when dealing with sensitive information like patient records. Without antivirus software, hackers could gather information from your computer through malware or spyware.
  • Firewall. Like antivirus software, a firewall protects your computer network from hackers and viruses. The two controls cover different threats, and both are needed to keep your computers safe. Don’t assume your network is secure because you use one or the other.
  • Unique Usernames/Passwords. Every person who accesses patient records on a computer should have their own username and password. This is of vital importance: it holds your employees accountable and ensures that you know exactly who accessed patient data at any given time. Strong passwords are just as important, because weak passwords are one of the easiest ways for hackers to break into your computers.
  • Encryption. Whether it’s for email, backups, or instant messaging, encryption is important. Encryption makes it much harder for hackers to read any sensitive information in your emails, backups, or messaging systems. It requires a password (or key) to access the information sent or stored, and unless that password is correct, all of the information appears as gibberish.
  • Spam Filter. A spam filter keeps the garbage out of your email accounts. Spam often carries viruses that can infect your computer and potentially leak information to a hacker. By implementing a spam filter, you protect yourself from accidentally opening an email with an infected attachment. Remember, not all spam emails need to be fully opened to release a virus. It’s better to be safe than sorry.
  • Two-Factor Authentication. Two-factor authentication (also known as 2FA) is a way to prove your identity using two separate forms of identification. When you use an ATM, you provide both your bank card and your PIN. In the same way, 2FA requires a physical form of identification (such as a USB security key with a special chip inside) in addition to a password. Sometimes other methods are used, such as fingerprint scanners or typing speed/pattern recognizers.

By implementing the measures above, your business will have a solid foundation for HIPAA compliance. To be certain, though, you need to have a risk assessment done. Fines for breaking HIPAA are expensive, and a risk assessment will help you decide what other policies you should implement.