Imagine a world where the U.S. Department of Health and Human Services’ Office of Civil Rights came knocking on every medical practice’s door saying, “Show me your HIPAA!” Would you be able to show them your technology is compliant? While there’s no certainty that you’ll be audited, there’s always a chance.
Remaining compliant with Oregon and federal laws and regulations is fundamental to being a successful medical provider. We’ve often found that medical practices are forgetting one of the key pillars of remaining compliant: their technology.
Many medical providers avoid making their technology compliant because of one of the following reasons:
- They know they aren’t IT experts and worry that they don’t have a grasp on what compliance even looks like.
- They don’t take insurance, so they don’t need to be compliant.
- Their EMR and scheduling is cloud-based, so they don’t need to be compliant.
- They are too small and believe they can’t afford to implement the solutions that would make them compliant.
- They’re putting it off for later.
The first thing you need to realize is that you can’t do it yourself. Regulations mixed with technology is a combination just too complex for you to do alone and serve your patients. While moving your technology toward HIPAA compliance may seem like an insurmountable obstacle, an experienced IT provider can cover all the facets of technology compliance in stages that won’t disrupt you or your patients.
Moreover, it is likely cost-prohibitive for your practice to implement all these solutions alone. You’ll get better service and support at a more affordable price by bringing in an outside IT provider.
You need to bring in third-party IT specialists to assess your systems. Many medical providers receive solicitations from national brands for risk assessments that run nearly $2,000 – not including any remediation work needed to bring your practice into compliance. It’s important to remember that some things can’t be done remotely. Identifying a local IT provider who will supply on-site support and remediation is a much more efficient route to achieving compliance.
Updating your IT infrastructure to be compliant includes lots of little tasks we help you take care of on-site if needed. A few of the matters we often find holding providers back from compliance are:
- Policies and procedures for electronic data: Many practices don’t have adequate policies and procedures around their technology. We help ensure your practice has an acceptable use policy for its technology and an effective, tested disaster response plan, all of which will be different for every practice but are required under HIPAA.
- Security odds and ends. Small but VERY important tasks like setting workstations to lock their screensavers after being idle, making sure password change policies are enforced, blocking the surfing to malicious websites, anti-virus updates, separate data paths for public and private Wi-Fi, and a river of similar matters often get overlooked by practices.
- Documentation. Many medical providers often don’t have chapters in their Policies and Procedures manual that guide their employees on the use of patient data and establish rules to securing it. Under HIPAA, it is required that medical providers have a policies and procedures manual that addresses each of the key points of technology compliance in the Omnibus.
- Movement and security of data. You have to take steps to make sure your patient’s data isn’t readable by unauthorized eyes. This gets a bit techie, but data that is portable such as laptops, backup drives, thumb drives, etc., and data moving across a network such as email, chats, uploads, and website submissions need to be kept private. Each type of data and scenario needs to be addressed both in practice and in your Policies and Procedures manual to meet HIPAA guidelines.
- Hardware. HIPAA requires that your hardware is supported by the manufacturer and kept up-to-date with the latest fixes. If you have old unsupported or end-of-life devices, or devices that need regular updates – networking gear, PC’s, laptops, firewall, server software, etc. – in your office, you’re not compliant. We identify those pieces of your infrastructure that need to be patched or replaced and ensure your hardware is up-to-date, highly performing and compliant into the future.
- Backups and archive. You might have checked ‘data backup’ off your list, but do you know if it works? Have you tested it? How many times a day is it running? What is it capturing? Is the archive policy for each data type set correctly? How long does a system restore take, and how long will your practice be closed while it restores? What about backing up your email correspondence? It’s easy to say that you’re doing a data backup, but if it isn’t set up correctly, maintained and checked, it may not be there when you need it.
- Continuing education. As you might imagine, technology is ever-changing, therefore HIPAA requires your practice to stay up to date on keeping patient data safe. This requirement is an easy one but often overlooked.
- Risk Assessment. Imagine going to an IRS audit without any tax returns. A risk assessment is like your returns – it’s required, and the audit won’t go well without it.
Many medical providers know they’re out of compliance. Some are planning to become compliant but just haven’t gotten around to it yet. There is truly no time to waste in moving your practice toward compliancy. Every day you wait is another day your practice is at risk of successful cyber attacks, a failed audit, or the loss of all your data in a disaster.
TekManagement has worked with Oregon medical providers for over 35 years to ensure their practices’ technology is efficient, secure, and user-friendly. Let’s discuss how we can take the burden of IT compliance off your shoulders.
For more information on how TekManagement supports healthcare practices in remaining compliant, contact us online or by phone at 541-779-4777. You can also read testimonials from our valued clients on our Google page.