My Father’s Guide to HIPAA Compliance
by Mike Andrews on Jan 4, 2018 3:48:03 PM
This article is about HIPAA compliance and the regulations surrounding the protection of Protected Health Information (PHI), with a focus on what they mean for backup and recovery.
Nearing my 50s, I feel that my generation was perfectly set at the crossroads of yesterday and today, allowing me to witness firsthand how quickly the world changes. Growing up in the 1970s provided some interesting perspectives compared to how we understand the laws of today. Smoking was considered cool, at any age. Drinking and driving was basically invented during this time. This was even more special for me, as my father owned a plane. Seatbelts? Not in the back compartment of that wood-paneled station wagon, facing backwards out the window as we tried to distract the car behind us. I remember being 8 years old and leaving in a boat to go fishing in the morning, only to return late at night without a question as to where I was. School was something that you just needed to pass so that your mother wouldn't have to bother your father with the news of your bad grades after his long day of work. I won't even get into the discipline side of things... oh, the memories.
Don't get me wrong, laws were in place back then, but my father taught me from a young age that "perception is nine-tenths of the law... and you're only guilty if you get caught".
HIPAA compliance is kind of like a Rubik's Cube (another reference to my generation). It makes sense if you understand all the rules, but unfortunately only a few nerds have invested the time, resources, and training needed to learn them. Most healthcare professionals understand the importance of PHI, and they would never intentionally place this information at risk. The challenge is that these professionals earn their living by providing the services they spent eight years in school for. Their success is directly tied to billable hours, meaning time spent delivering healthcare. School did not prepare them to be IT or legal experts, yet the HIPAA rules for PHI hold them to that standard. The fines associated with a data breach carry the power to cripple their business.
The risk doesn't stop at the practice. HIPAA compliance is required of every Covered Entity and, since the 2013 Omnibus Rule, of their Business Associates (BAs) directly. If you are an IT service provider, it doesn't really matter whether you are healthcare-specific or not: if you host or manage PHI for even one healthcare customer, you are a Business Associate, and you are just as exposed to non-compliance penalties as the practice itself.
In the '70s, nerds wrote instruction books to help the average person conquer the Rubik's Cube. Lucky for you, my network of PHI-protection nerds is providing the following instructions* to help you solve the HIPAA PHI compliance puzzle:
PHI protection under the HIPAA Security Rule covers three main areas (the classic confidentiality, integrity, availability triad):
- Confidentiality – PHI under your care must not be disclosed to anyone who is not authorized to see it. In practice that means two things: the data is stored and transmitted in a form that is unreadable to anyone without the key (encryption), and access is limited to the people who need it to do their job.
- Integrity – PHI must not be altered or destroyed in an unauthorized manner. You need a way to tell that a record (or a backup copy of it) is still exactly what was originally saved, for example checksums or signatures that you verify, and a way to limit who can change it.
- Availability – PHI can't be lost, and it needs to be accessible to authorized users on demand and recoverable and usable within a reasonable period of time after an outage or a disaster.
Basic guidelines for data protection under HIPAA
- PHI protection is NOT optional – Every Covered Entity (a medical practice, for example) and every Business Associate must establish procedures to create and maintain retrievable exact copies of electronic PHI. This is the "data backup plan" of the Security Rule's contingency-plan standard (45 CFR 164.308(a)(7)), and it is a required, not an addressable, specification.
- PHI must be recoverable – The key here is that you must be able to fully restore any loss of data (the "disaster recovery plan" in the same standard). A backup you cannot restore from is not data protection; it is just a copy of your problem.
- PHI must have a copy stored offsite – There is some flexibility here with regard to what "offsite" means, but you need a copy of your critical data in a location separate from your practice, so that a fire, flood, theft, or ransomware infection that takes out the office does not take out the backup with it.
- PHI must be backed up frequently – Decide how much data you can afford to lose (a day, an hour) and back up at least that often. These days, even losing a day's worth of data would be considered significant.
- PHI must be encrypted – PHI needs to be encrypted at rest and in transit to prevent outside access, using an industry-accepted algorithm; AES is the industry standard. Two caveats a practitioner should know: first, the encryption keys must be stored somewhere other than with the backup media, because an encrypted backup whose key sits on the same drive is, for breach purposes, unencrypted. Second, this matters beyond the Security Rule: under the HIPAA breach-notification guidance, PHI that was encrypted in line with NIST guidance is treated as "secured", so a lost or stolen encrypted backup is generally not a reportable breach, while an unencrypted one is.
- PHI recovery must be documented – HIPAA requires written policies and procedures for your PHI backup and recovery plan, and it requires you to keep that documentation (for six years under 164.316). Written, implemented procedures are the first thing an auditor or investigator asks for, and documented good-faith compliance efforts are weighed when penalties are assessed.
- PHI recovery must be tested – You must be able to demonstrate that you tested your ability to restore lost PHI. Record the date, the scope (which systems, how much data), who ran the test, and the result, so the test counts as evidence and not just as an activity.
* These steps alone put you on the correct path for HIPAA compliance, but of course do not guarantee that you are compliant in all areas regarding PHI. These recommendations are not legal advice, and qualified counsel should always be consulted regarding legal issues specific to your practice.
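The integrity, recoverability, and "test your restore" items above are easier to act on with something concrete to run. The following is an added example, not code from this article or from NovaStor: a small Python script that writes a backup with a signed manifest (tamper-evident, covering the integrity point), refuses to restore from a copy that fails verification, and performs a documented restore test into a scratch directory. It assumes backups are plain directories and that encryption of the backup set is handled by your backup tool, so it covers only integrity and restore verification; the HMAC key, the sample "patient" files, and the function names are all constructed for the example.

```python
"""Added example: tamper-evident backup manifest plus a restore test.

Not NovaStor's code. Assumptions (not from the article): backups are plain
directories, encryption of the backup set is done by the backup tool, and
the HMAC key stands in for a secret kept separately from the backup media.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"
SIG_NAME = "manifest.sig"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (works for large EHR exports too)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, backup: Path, key: bytes) -> dict:
    """Copy src into backup/data and write a manifest of every file's hash,
    authenticated with HMAC-SHA256 under `key` (kept off the backup media)."""
    data_dir = backup / "data"
    if data_dir.exists():
        shutil.rmtree(data_dir)
    shutil.copytree(src, data_dir)
    files = {str(p.relative_to(data_dir)): sha256_of(p)
             for p in sorted(data_dir.rglob("*")) if p.is_file()}
    manifest = json.dumps(files, sort_keys=True).encode()
    (backup / MANIFEST_NAME).write_bytes(manifest)
    (backup / SIG_NAME).write_text(hmac.new(key, manifest, "sha256").hexdigest())
    return files


def verify_backup(backup: Path, key: bytes) -> list:
    """Return a list of problems; an empty list means the copy is intact."""
    problems = []
    manifest = (backup / MANIFEST_NAME).read_bytes()
    expected_sig = (backup / SIG_NAME).read_text().strip()
    actual_sig = hmac.new(key, manifest, "sha256").hexdigest()
    # Constant-time compare: a forged manifest would let an attacker hide edits.
    if not hmac.compare_digest(expected_sig, actual_sig):
        return ["manifest signature mismatch (manifest tampered or wrong key)"]
    files = json.loads(manifest)
    data_dir = backup / "data"
    for rel, digest in files.items():
        p = data_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    present = {str(p.relative_to(data_dir)) for p in data_dir.rglob("*") if p.is_file()}
    problems.extend(f"unexpected file: {rel}" for rel in sorted(present - set(files)))
    return problems


def restore(backup: Path, target: Path, key: bytes) -> None:
    """Refuse to restore from a copy that fails verification."""
    problems = verify_backup(backup, key)
    if problems:
        raise RuntimeError("backup failed verification: " + "; ".join(problems))
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup / "data", target)


def restore_test(src: Path, backup: Path, key: bytes) -> dict:
    """The 'recovery must be tested' step: restore into a scratch directory and
    compare it file by file against the live data. The returned record is what
    you would keep as evidence of the test."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "restore"
        restore(backup, target, key)
        live = {str(p.relative_to(src)): sha256_of(p) for p in src.rglob("*") if p.is_file()}
        restored = {str(p.relative_to(target)): sha256_of(p) for p in target.rglob("*") if p.is_file()}
    return {"files_restored": len(restored), "matches_live_data": live == restored}


def demo() -> dict:
    """Constructed sample data (two fake records): a clean restore test, then a
    silently altered backup copy being caught before it can be restored."""
    key = b"example-key-kept-off-the-backup-media"  # constructed, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        src, backup = Path(tmp) / "practice", Path(tmp) / "backup"
        (src / "records").mkdir(parents=True)
        (src / "records" / "chart-0001.txt").write_text("constructed sample record\n")
        (src / "schedule.csv").write_text("date,room\n2018-01-04,2\n")
        make_backup(src, backup, key)
        clean = restore_test(src, backup, key)
        # Simulate bit rot or tampering on the backup copy only.
        (backup / "data" / "records" / "chart-0001.txt").write_text("altered\n")
        problems = verify_backup(backup, key)
        try:
            restore_test(src, backup, key)
            blocked = False
        except RuntimeError:
            blocked = True
    return {"clean": clean, "problems": problems, "corrupt_restore_blocked": blocked}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints a clean restore record for the intact copy, then the single "hash mismatch" problem for the altered record and a flag showing the restore was refused. In a real practice the same three functions would be scheduled: verify after every backup, and run the restore test on a calendar you can show an auditor.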
There are several ways your data can be compromised, because disaster presents itself in many forms: hardware failure, theft, fire, a mistyped command, ransomware. It is best to identify these risks before they happen, think through what each would do to you, and build a plan for dealing with them. Being HIPAA compliant is necessary, and while it's great to avoid audits and penalties, protecting your PHI serves the greater interest of keeping the doors open. With or without regulations, every business that wants to stay in business should invest in a quality data protection plan. Even the loss of everyday business data like accounting information can be devastating. Nobody can afford downtime or a bad reputation in the age of instant information.
As much of a puzzle as HIPAA compliance can be, working with experts in this field I've learned that the regulations can actually be more forgiving than Aqua Net was to mullets and big hair. Penalties are tiered by culpability: a documented, good-faith program that slipped in one place is treated very differently from willful neglect that was never corrected.
Therefore, take the time to document your procedures, build a PHI/data recovery plan, and keep proof that you test against that plan regularly. Nobody wants to lose PHI or put its integrity at risk, and you definitely do not want to be fined hundreds of thousands of dollars, or more, in penalties.
Flash forward to today. The world is in a different kind of chaos. This is the age of helicopter parents where the kids rule and would simply dispose of us if it weren’t for the fact that they needed us to supply them with food, do their homework assignments, pay their bills and drive them places. Laws are certainly stricter, and society as a whole is much more litigious, but one piece of my dad’s advice strangely, still stands…
"you’re only guilty if you get caught"... without a plan.
A NovaStor webinar on HIPAA Compliance and Backup can be viewed here.