Ignorance of the HIPAA regulations is not accepted as a justifiable defense by the Office for Civil Rights of the Department of Health and Human Services (OCR). Should a breach of ePHI occur, failure to comply with HIPAA regulations can result in substantial fines, criminal charges and civil lawsuits.
ePHI, whether it is held in a database or in files on a server, must be encrypted to NIST standards once it travels beyond an organization's internal firewalled servers. Although not required by HIPAA, encrypting it while it is stored in the database, and especially during transmission, is strongly recommended and considered best practice, so that any breach of confidential patient data leaves the data unreadable, undecipherable and unusable.
Is your company using the best practices that will satisfy your audit? Here are just a few methods you can use to make sure everything goes smoothly.
- Document data management, security, training and notification plans.
- Use a password policy for access.
- Always use SSL/TLS for web-based access to any sensitive data.
- Restrict knowledge of the encryption techniques and mechanisms used for sensitive information to a select few.
- Content such as images or scans should be encrypted and should contain no personally identifying information.
- Don’t use public FTP – use a secure method to move files.
- Only allow remote access over a VPN.
- Use login retry protection in your application to limit repeated failed login attempts.
- Document a disaster recovery plan.
- Save money and time by hosting with a company that already has a BAA in place – that way your auditor can review the document instead of conducting another audit on top of yours.
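The list above asks for login retry protection without saying what it looks like in code. The following is an added example, not code from the original page or from RCC: a small `LoginThrottle` class (a hypothetical name) that counts failed logins per account and per source address, locks either one out after a configurable number of failures inside a sliding window, and returns an event dictionary that the application can write to its audit log. The thresholds, the user names and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for illustration; a real deployment would pick the thresholds to match its own policy and would persist the counters somewhere shared rather than in process memory.

```python
"""Login retry protection (an added example, not code from the original page).

Failed logins are counted per account and per source address; once either counter
reaches max_attempts inside window_seconds, that account or source is locked out for
lockout_seconds.  The clock is injectable so the logic can be tested without sleeping.
"""
import time
from dataclasses import dataclass, field


@dataclass
class _Counter:
    failures: list = field(default_factory=list)  # timestamps of failures still inside the window
    locked_until: float = 0.0                     # monotonic time at which the lockout ends


class LoginThrottle:
    def __init__(self, max_attempts=5, window_seconds=900, lockout_seconds=900,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._counters = {}  # ("user", name) or ("ip", addr) -> _Counter

    @staticmethod
    def _keys(username, source_ip):
        return (("user", username), ("ip", source_ip))

    def seconds_until_unlock(self, username, source_ip):
        """0.0 when the attempt may proceed, otherwise the longest remaining lockout."""
        now = self._clock()
        remaining = [self._counters[k].locked_until - now
                     for k in self._keys(username, source_ip) if k in self._counters]
        return max([0.0] + remaining)

    def is_allowed(self, username, source_ip):
        return self.seconds_until_unlock(username, source_ip) == 0.0

    def record_failure(self, username, source_ip):
        """Register a bad password; returns an event dict suitable for the audit log."""
        now = self._clock()
        newly_locked = []
        for key in self._keys(username, source_ip):
            c = self._counters.setdefault(key, _Counter())
            # Drop failures that have aged out of the sliding window.
            c.failures = [t for t in c.failures if now - t < self.window_seconds]
            c.failures.append(now)
            if len(c.failures) >= self.max_attempts:
                c.locked_until = now + self.lockout_seconds
                c.failures.clear()
                newly_locked.append(key[0])
        return {"event": "login_failure", "user": username, "ip": source_ip,
                "locked": newly_locked}

    def record_success(self, username, source_ip):
        """A valid login clears the account's counter but not the source's:
        one good password must not reset a source that is spraying many accounts."""
        self._counters.pop(("user", username), None)


def simulate():
    """Constructed scenario: six wrong passwords for 'alice' from 203.0.113.7 (a
    documentation address), one second apart, against the default 5-attempt policy."""
    fake_now = [1000.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    outcomes = []
    for _ in range(6):
        if not throttle.is_allowed("alice", "203.0.113.7"):
            outcomes.append("rejected_locked")
        else:
            throttle.record_failure("alice", "203.0.113.7")  # the password check would go here
            outcomes.append("wrong_password")
        fake_now[0] += 1.0
    return outcomes


if __name__ == "__main__":
    print(simulate())  # five failures are processed, the sixth is rejected outright
```

Checking `is_allowed` before verifying the password, and logging the returned event with the `locked` field, gives both the control the list asks for and a signal an analyst can alert on when many accounts from one source lock in a short time.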
Speak to RCC about performing a HIPAA assessment to understand where your business falls short of compliance and to build a remediation plan. We can deliver an executive summary with findings and recommendations that creates a roadmap to HIPAA compliance.