If your computer system stores individually identifiable medical information on people, you may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It places strong requirements to protect this information, and the fines for violations can be big. Facilities may be subject to auditing by the Office of Civil Rights (OCR). In fiscal year 2014, OCR resolved over 15,000 HIPAA-related complaints, and the number is on the rise. Phase 2 of the audit program began in 2016.

The Security Rule is verbose and complex, but what’s important is that it requires protection of personal health information (PHI) against unauthorized access. It covers technical, physical, and administrative safeguards. Breaches have been disturbingly common, and the government is responding by greatly expanding its auditing program.

The HIPAA Journal offers a compliance checklist to help prepare for audits and security incidents. You should study the full list, but here are some requirements that may apply. Please note that this is not legal advice; consult a qualified lawyer to make sure you’re in compliance.

    • Encryption of PHI. It isn’t sufficient to hide it behind password access.
    • Logging of all electronic access to PHI.
    • Physical security and a visitor log at facilities storing PHI.
    • Employee training.
    • A tested contingency plan.
    • Policies restricting use of workstations and mobile devices that can access PHI.

If you use third-party services, such as a data center, you have to make sure they’re HIPAA-compliant. If business partners have access to your servers, you need to make sure they either can’t touch PHI at all or can access it only in HIPAA-compliant ways.

Proper preparation protects a business not just against audits, but against the bad publicity and lawsuits which data breaches can cause. Please contact us for help in setting up you HIPAA-compliant