
The HIPAA Security Rule: How Your Healthcare Business Can Comply
If you own or operate a business in healthcare, you have many important obligations to your patients. Whether you own a private practice or are a hospital administrator, you must be certain that your patients’ information is securely stored at all times.

Unfortunately, healthcare provider data breaches aren’t as uncommon as you’d think. Three of the largest that took place in 2020 alone compromised the private health information of nearly 2 million patients collectively from Magellan Health in Oregon, the Florida Orthopaedic Institute, and Elite Emergency Physicians.

Even under the best circumstances, a breach is possible. Protecting your business against liability, however, can begin by ensuring that you’re following HIPAA’s Security Rule, which groups its required safeguards into three categories: administrative, physical, and technical.

Administrative Requirements

HIPAA’s administrative requirements are meant to ensure that only authorized parties can access a patient’s data, and that the data remains accurate.

Here are some key requirements:

  • Select an executive to oversee HIPAA compliance and data security
  • Identify which employees can access patient data
  • Ensure employees are trained on your company’s privacy policy and how it applies to their roles
  • Require outside parties requesting protected information about patients to sign agreements stating they will comply with HIPAA data security rules
  • Securely back up data and have a plan to preserve information in the event of a disaster
  • Draft a plan for a data breach response that addresses how affected patients are notified and how IT systems will be diagnosed and fixed

Physical Requirements

Data breaches can occur when thumb drives, hard drives, and whole computers are stolen. Information can also be stolen by someone who has access to your organization’s computers and moves information onto their own devices.

Physical security requirements include the following:

  • Secure computers by keeping them behind counters, fastened to surfaces, and as far from the public as possible
  • Secure restricted areas, such as a server room or wherever administrative computers are kept; ensure you have adequate building security; and require all visitors to sign in
  • Ensure information is securely wiped from hardware before disposal
  • Train employees and contractors on security practices that protect their cell phones, tablets, and other devices that could hold important data or login credentials

Technical Security Requirements

Finally, you should address how your organization’s network is protected against the kinds of cyber breaches you’ve heard most about.

Technical security requirements include the following:

  • Use encryption whenever possible to secure sensitive information transmitted via email or to and from a storage cloud
  • Make use of firewalls and other basic technical safeguards that guard against intrusion from hackers and cyberthieves
  • Train employees on how to identify Internet phishing scams and what to do when they encounter one
  • Have a data backup plan to guard against accidental deletion
  • Have an authentication protocol in place to verify data transfers to third parties
  • Require that employees change their passwords at regular intervals and choose passwords that meet your security requirements

Consider Purchasing a Cyber Liability Insurance Policy

As mentioned before, sometimes following all of HIPAA’s guidelines isn’t enough to stop a determined hacker from getting into your system and stealing information about your patients. A cyber liability insurance policy can help you mitigate the consequences of a breach should one occur at your place of business.

Learn more about this type of insurance and the options that may be available to you by reaching out to Insurance Specialists, Inc. today! Get in touch with us online or by calling (888) 451-0883.