Achieving HIPAA Compliance for your Healthcare Practice
This site serves as a practical guide for healthcare practices whose network consists of roughly five to thirty computers, with or without an on-premises server. Its objective is to outline the essential security measures needed to maintain a security posture that supports HIPAA compliance within your infrastructure.
As the healthcare industry remains vulnerable to cyber-attacks, it is imperative to implement a multi-layered security approach that safeguards against potential security breaches, data theft, and other cybercrimes. The five security measures highlighted on this page are critical components of a comprehensive security strategy, and adherence to these guidelines is essential for mitigating the risk of cyber threats.
In each of the five sections provided, you will find detailed information on the fundamental principles and practices required to complete these essential tasks successfully. By following the outlined procedures, you can ensure that your infrastructure is equipped with the necessary security protocols to safeguard against cyber-attacks and potential data breaches, thereby maintaining a reliable and compliant security posture.
What is HIPAA Compliance and Why do I Need it
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is administered and enforced by the Department of Health & Human Services (HHS). Alongside its insurance-portability and fraud-control provisions, its Administrative Simplification rules require covered entities and their business associates to protect the confidentiality, integrity and availability of patients' health information, and its Privacy Rule gives patients the ability to control who accesses and uses that information. HIPAA also governs when medical information may be disclosed, for example for treatment or in the public interest. If your practice handles protected health information in any form (verbally, electronically or on paper), inside or outside the office, HIPAA compliance is required, not optional.
When a medical practice adheres to HIPAA regulations, it safeguards patient information and privacy, and it also protects itself: from the lawsuits and expenses that follow a data breach, and from the civil penalties HHS can impose for non-compliance.
HIPAA's Privacy Rule mandates that all patients receive a Notice of Privacy Practices that outlines the circumstances under which a patient's Protected Health Information (PHI) can be disclosed. It also informs patients of their rights and how they may choose to exercise them. Additionally, the notice should educate patients on how they can request an accounting of their medical records' disclosure and access their medical records.
HIPAA's Breach Notification Rule specifies how and when affected patients, HHS and, for breaches affecting more than 500 people, the media must be notified after a breach of unsecured PHI. The Security Rule, by contrast, sets out how electronic PHI (ePHI) must be protected rather than how it may be used.
A small medical practice that bills or exchanges health information electronically is a covered entity under HIPAA and is therefore obligated to achieve and maintain HIPAA compliance!
Why use a Microsoft Office 365 Security Posture for your Practice
When it comes to HIPAA compliance for your organization, what you get out of Microsoft 365 depends greatly on the plan you purchase. Whatever the plan, Microsoft 365 provides a range of security tools that can be configured to strengthen data protection, and it is one of the most widely used application suites with some of the most advanced security features on the market.
To support HIPAA compliance with Microsoft 365, you need encryption of data in transit and at rest, mail archiving and audit logging, multi-factor authentication on every account, access-control and device-management policies, and the ability to wipe lost or stolen devices remotely. Some of these capabilities are in the base business plans; others require the higher-tier plans. Two points apply regardless of plan: Microsoft will sign a Business Associate Agreement (BAA) covering Microsoft 365, and you must have one in place before ePHI goes into the service; and meeting the requirements is as much about configuring the services correctly as it is about buying the right package.
A Quick Review of the Five Areas of HIPAA to Focus on
Protection against malicious software is a required part of any HIPAA-compliant system: the Security Rule calls for procedures to guard against, detect and report malicious software (45 CFR 164.308(a)(5)(ii)(B)). The rule is technology-neutral, but in practice that means antivirus or endpoint detection and response (EDR) software installed on every device, kept updated and centrally monitored.
A firewall is a barrier between the practice's internal network and the internet. Firewalls block unauthorized inbound connections and limit what internal systems may reach, which cuts off both intrusion attempts and malware command-and-control traffic. HIPAA does not name firewalls as such, but its access-control and transmission-security standards (45 CFR 164.312(a)(1) and 164.312(e)(1)) are hard to meet without a properly configured one.
Encryption converts data into a form that is unreadable without the key. Under the Security Rule, encryption of ePHI at rest (45 CFR 164.312(a)(2)(iv)) and in transit (164.312(e)(2)(ii)) is an "addressable" specification: you must implement it where reasonable and appropriate, and document an equivalent safeguard where you do not. In practice almost every practice should encrypt both, because a lost laptop or intercepted message whose ePHI was encrypted in line with HHS guidance is not a reportable breach.
Regular backups are essential. In the event of a disaster, data loss, ransomware or a breach, backups are the way to restore lost or damaged data. HIPAA's contingency-plan standard (45 CFR 164.308(a)(7)) requires a data backup plan, a disaster-recovery plan and regular testing of both, so that ePHI is not lost beyond repair.
HIPAA requires that healthcare organizations record and regularly review activity on systems that hold ePHI (audit controls, 45 CFR 164.312(b), and information system activity review, 164.308(a)(1)(ii)(D)), and that they have procedures for identifying and responding to security incidents (164.308(a)(6)). Practically, this is achieved with an endpoint detection tool, an intrusion detection system (IDS) or a security information and event management (SIEM) platform that collects logs, correlates them and alerts IT staff to unauthorized or attempted access to ePHI.
Antivirus and Device Monitoring for HIPAA Compliance
We are going to focus on two security products to purchase directly from Microsoft. Below is a brief summary of both:
Product #1: Microsoft Intune (Endpoint Manager)
Microsoft Intune is a cloud-based device management solution that helps organizations manage and secure their mobile devices, apps, and data. It allows IT teams to manage devices and apps from a single console, and helps ensure that all devices are compliant with company policies and regulations.
• Intune is licensed per user (with a device-only option for shared machines); every computer must be joined to your Microsoft Entra ID (Azure AD) tenant and enrolled in Intune.
• You will first need to set up Company Portal branding with your practice's name, logo and support contact.
• A basic HIPAA computer policy is to lock the screen after 10 minutes of inactivity, which implements the automatic-logoff specification (45 CFR 164.312(a)(2)(iii)). Below is an example of that configuration profile:
Note: This is a single configuration profile of many that need to be applied. Consult a professional for a full list of configuration profiles to achieve compliance.
• Finally, create a compliance policy so that every device is checked against your baseline (disk encryption, antivirus, firewall, OS version) and set up alerts for when a device falls out of compliance. Below is a list of compliant devices:
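The following is an added example, not code from the original page or from Microsoft's documentation. It builds the auto-lock profile and a baseline compliance policy from the bullets above with the Microsoft Graph PowerShell SDK (Microsoft.Graph module), assigns both to all devices, and lists the devices that are currently out of compliance. Display names and the 12-character minimum are arbitrary choices; the property names are those of the Graph `windows10GeneralConfiguration` and `windows10CompliancePolicy` resources. Run it from an account holding the Intune Administrator role.

```powershell
# Added example (not from the original page): Intune auto-lock profile, baseline
# compliance policy and a non-compliance report via the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph module installed, Intune Administrator role.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "DeviceManagementManagedDevices.Read.All"
$graph = "https://graph.microsoft.com/v1.0"

# Assignment target reused for both policies: every enrolled device.
$assignAll = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
    )
} | ConvertTo-Json -Depth 5

# 1. Configuration profile: require a password and lock the screen after 10 minutes
#    of inactivity (45 CFR 164.312(a)(2)(iii), automatic logoff).
$lockProfile = @{
    "@odata.type"                                  = "#microsoft.graph.windows10GeneralConfiguration"
    displayName                                    = "HIPAA - Auto-lock after 10 minutes"
    description                                    = "Automatic logoff safeguard (addressable)"
    passwordRequired                               = $true
    passwordMinutesOfInactivityBeforeScreenTimeout = 10
    passwordMinimumLength                          = 12
    passwordBlockSimple                            = $true
} | ConvertTo-Json -Depth 5
$created = Invoke-MgGraphRequest -Method POST -ContentType "application/json" `
    -Uri "$graph/deviceManagement/deviceConfigurations" -Body $lockProfile
Invoke-MgGraphRequest -Method POST -ContentType "application/json" `
    -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)/assign" -Body $assignAll | Out-Null

# 2. Compliance policy: BitLocker, Secure Boot, Defender AV with real-time protection,
#    host firewall and a 10-minute lock. Graph rejects a compliance policy without at
#    least one scheduled action, so non-compliant devices are marked blocked at once;
#    pair this with a Conditional Access rule that requires a compliant device.
$compliance = @{
    "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
    displayName                           = "HIPAA - Windows baseline"
    passwordRequired                      = $true
    passwordMinutesOfInactivityBeforeLock = 10
    bitLockerEnabled                      = $true
    secureBootEnabled                     = $true
    defenderEnabled                       = $true
    rtpEnabled                            = $true
    antivirusRequired                     = $true
    antiSpywareRequired                   = $true
    activeFirewallRequired                = $true
    scheduledActionsForRule               = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
            )
        }
    )
} | ConvertTo-Json -Depth 6
$policy = Invoke-MgGraphRequest -Method POST -ContentType "application/json" `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies" -Body $compliance
Invoke-MgGraphRequest -Method POST -ContentType "application/json" `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" -Body $assignAll | Out-Null

# 3. Report: enrolled devices currently out of compliance (what the alert should list).
function Get-NonCompliantDevice {
    $uri = "$graph/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'" +
           "&`$select=deviceName,userPrincipalName,operatingSystem,lastSyncDateTime"
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value | ForEach-Object {
        [pscustomobject]@{
            Device   = $_.deviceName
            User     = $_.userPrincipalName
            OS       = $_.operatingSystem
            LastSync = $_.lastSyncDateTime
        }
    }
}
Get-NonCompliantDevice | Format-Table -AutoSize
```

The compliance policy on its own only labels a device; it is the Conditional Access policy requiring a compliant device that actually keeps an unencrypted or unprotected machine away from Microsoft 365 data, so create that next. A device that has not synced for weeks will also sit in the non-compliant list, which is exactly the kind of entry the daily review should chase.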
Product #2: Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Endpoint P2 is an advanced security platform designed to protect enterprise-level networks from a wide range of cyber threats. It offers enhanced protection against malware, phishing attacks, and other advanced cyber threats by leveraging the power of machine learning and behavioral analytics.
• Defender for Endpoint P2 is licensed per user; every computer must be onboarded so that it reports to your tenant.
• Intune can onboard devices to Defender for Endpoint automatically through an endpoint detection and response (EDR) policy, or you can run Microsoft's onboarding script on each machine.
• Defender's standard protections (real-time and cloud-delivered protection, tamper protection) form a sound baseline; review them, turn on the attack surface reduction rules that suit your practice, and record the chosen settings in your risk analysis.
• Below is an example of a Defender for Endpoint alert for a detected hacking tool:
Keeping your Healthcare WiFi and Firewall Secure §164.308(a)(4)
Outbound Rules for HIPAA-Compliant Firewall
In healthcare organizations, outbound firewall rules regulate which internal systems may reach the internet, to limit data exfiltration and malware call-home traffic rather than just inbound attacks. Front-desk workstations typically get an allow list: only the sites needed for scheduling, billing and the patient portal. Doctors and nurses usually need broader access and are better served by a block list that denies known-malicious and uncategorised sites. Electronic medical record servers and other machines with no business on the internet should be blocked from reaching it at all, with a documented exception for update sources.
Inbound Rules for HIPAA-Compliant Firewall
While remote access to a practice's network is generally discouraged, there are cases where it is necessary. A virtual private network (VPN) provides an encrypted tunnel for that access, and the firewall must be configured so the VPN is the only inbound path. Each person gets their own VPN account (no shared logins) with a password and a second factor such as an authenticator app or hardware token, so that a stolen password alone does not open the network; together with the VPN's encryption this satisfies the access-control and transmission-security standards.
IMPORTANT: If you currently remote into your office from home without a VPN, or have TCP port 3389 (Remote Desktop) forwarded from the internet to a machine inside, you have the worst IT security posture imaginable: exposed RDP is a favourite entry point for ransomware gangs, who simply guess or buy passwords.
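The following is an added example, not configuration from the original page. It applies the rules above on the Windows host firewall of a records/EMR server that has no business on the internet (default-deny both ways, an outbound allow list, RDP reachable only from the VPN pool) and ends with an audit that finds the exact condition the warning describes: an inbound RDP rule open to any address. All subnets, the domain controller, the update server and the EMR port (443) are assumptions; substitute your own and run it in an elevated PowerShell from the server console, not over RDP, so a mistake cannot lock you out.

```powershell
# Added example (not from the original page): Windows Defender Firewall hardening for a
# records/EMR server that needs no internet, plus an audit for internet-exposed RDP.
# Run in an elevated PowerShell on the server. Addresses below are placeholders.
$lanSubnet  = "192.168.10.0/24"   # office LAN (assumed)
$vpnSubnet  = "10.8.0.0/24"       # VPN client address pool (assumed)
$dcAddress  = "192.168.10.5"      # domain controller / DNS (assumed)
$wsusServer = "192.168.10.6"      # on-site WSUS or update proxy (assumed)

# 1. Default-deny in both directions on every profile. After this, only explicit
#    allow rules let traffic through, which is the allow-list model described above.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Outbound allow list: LAN clients, the domain controller (Kerberos, LDAP, DNS)
#    and the local update server. Nothing here reaches the internet.
New-NetFirewallRule -DisplayName "HIPAA-Out-LAN"    -Direction Outbound -Action Allow `
    -RemoteAddress $lanSubnet -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "HIPAA-Out-DC"     -Direction Outbound -Action Allow `
    -RemoteAddress $dcAddress -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "HIPAA-Out-Update" -Direction Outbound -Action Allow `
    -RemoteAddress $wsusServer -Protocol TCP -RemotePort 8530,8531 -Profile Any | Out-Null

# 3. Inbound: the EMR application port from the LAN and VPN only, and RDP only from
#    the VPN pool. The built-in "Remote Desktop" rule group is re-scoped rather than
#    disabled, so administrators keep a working, VPN-only path in.
New-NetFirewallRule -DisplayName "HIPAA-In-EMR" -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 443 -RemoteAddress $lanSubnet,$vpnSubnet -Profile Any | Out-Null
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True -RemoteAddress $vpnSubnet

# 4. Audit: any enabled inbound allow rule for TCP 3389 whose remote scope is still
#    "Any" means RDP is reachable from wherever the router forwards it, the situation
#    the warning above describes.
function Get-ExposedRdpRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port.Protocol -eq "TCP" -and ($port.LocalPort -contains "3389") -and
        ($addr.RemoteAddress -contains "Any")
    } | Select-Object DisplayName, Profile, Enabled
}
$exposed = Get-ExposedRdpRule
if ($exposed) { Write-Warning "RDP is open to any source address:"; $exposed | Format-Table -AutoSize }
else          { "OK: no inbound RDP rule is scoped to 'Any'." }
```

Two caveats a practitioner will hit immediately. First, default-deny outbound also blocks Windows Update and Defender signature downloads, which is why the update-server rule exists; if the server is onboarded to Defender for Endpoint it additionally needs a path to Microsoft's service endpoints (a proxy or an explicit allow), otherwise it silently stops reporting. Second, the host firewall audit says nothing about the perimeter router; run the same "is 3389 forwarded?" check there, or scan your public IP from outside.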
Firewall Logging for HIPAA Compliance
HIPAA compliance requires that access to and activity around patient information be logged, monitored and reviewed. The Security Rule's audit-controls standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in systems that contain or use ePHI; firewall and VPN logs are part of that record, because they show who connected, from where and when. An effective log-management process includes a named employee who reviews the logs (daily for firewall and VPN events), protection of the logs against tampering and deletion, and a written procedure for escalating suspicious entries. Sending logs to a separate log server or SIEM, rather than leaving them on the firewall itself, keeps an attacker who compromises a device from erasing the evidence.
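As an added example (not part of the original page), the script below turns on logging of dropped packets in the Windows host firewall and then does the kind of daily review the paragraph calls for: it parses the firewall log, finds sources that repeatedly hit TCP 3389, and reports them. The sample log lines are constructed for illustration (addresses are from the RFC 5737 documentation ranges); on a real machine you feed it the live `pfirewall.log`. Perimeter firewalls export to syslog instead, but the review logic is the same.

```powershell
# Added example (not from the original page): turn on Windows Defender Firewall logging
# of dropped packets and summarise repeated RDP probes from the log. The sample log
# lines are constructed for illustration; addresses are RFC 5737 documentation ranges.
$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogAllowed False `
    -LogFileName $logPath -LogMaxSizeKilobytes 32767   # 32767 KB is the maximum

# Field order in pfirewall.log:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-RdpProbeSummary {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $Threshold = 5          # drops from one source before it is reported
    )
    $hits = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith("#")) { continue }
        $f = $line -split "\s+"
        if ($f.Count -ge 8 -and $f[2] -eq "DROP" -and $f[3] -eq "TCP" -and $f[7] -eq "3389") {
            [pscustomobject]@{ Source = $f[4]; Target = $f[5]; When = "$($f[0]) $($f[1])" }
        }
    }
    $hits | Group-Object Source | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            Source = $_.Name
            Drops  = $_.Count
            First  = $_.Group[0].When
            Last   = $_.Group[-1].When
        }
    }
}

# Constructed sample: one host hammering RDP, one stray drop that stays below threshold.
$sample = @"
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-04 02:11:05 DROP TCP 203.0.113.45 192.168.10.20 51022 3389 52 S 3412412 0 8192 - - - RECEIVE
2024-03-04 02:11:06 DROP TCP 203.0.113.45 192.168.10.20 51023 3389 52 S 3412413 0 8192 - - - RECEIVE
2024-03-04 02:11:06 DROP TCP 203.0.113.45 192.168.10.20 51024 3389 52 S 3412414 0 8192 - - - RECEIVE
2024-03-04 02:11:07 DROP TCP 203.0.113.45 192.168.10.20 51025 3389 52 S 3412415 0 8192 - - - RECEIVE
2024-03-04 02:11:08 DROP TCP 203.0.113.45 192.168.10.20 51026 3389 52 S 3412416 0 8192 - - - RECEIVE
2024-03-04 02:14:40 DROP TCP 198.51.100.7 192.168.10.20 40001 3389 52 S 9981231 0 8192 - - - RECEIVE
2024-03-04 02:15:02 DROP UDP 198.51.100.7 192.168.10.20 5353 5353 84 - - - - - - - RECEIVE
"@ -split "`r?`n"

# Only 203.0.113.45 reaches the threshold (5 drops); 198.51.100.7 does not.
Get-RdpProbeSummary -Lines $sample | Format-Table -AutoSize

# Daily review of the real file, as the process above calls for:
# Get-RdpProbeSummary -Lines (Get-Content $logPath) -Threshold 20
```

Drops on 3389 at the host firewall are the benign outcome; the entry that should trigger the escalation procedure is an ALLOW line on 3389 from an address outside the VPN pool, which is why the rule that scopes RDP to the VPN belongs on the server before the log review is trusted. Forward the log file to the SIEM or log server as well, so the review does not depend on a file the attacker can edit.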
WiFi Experience for HIPAA Compliance
HIPAA compliance requires your WiFi to be locked down: WPA2 or WPA3 with strong credentials, a separate guest network that is isolated from the practice network, and no device that touches ePHI on the guest side. Your access points should also be delivering a client experience score of 90% or more, and your IT support should be emailing you those reports. Below is an example:
Email and Patient Data Encryption Examples
NOTICE: Using a free consumer email account (Gmail, Comcast, AOL and the like) for patient information does not meet HIPAA requirements: the provider will not sign a Business Associate Agreement for a free account, and you cannot enforce encryption, retention or audit logging on it. In addition to being insecure, emailing other healthcare professionals from a free account tells them you have chosen to be insecure with your email.
The HIPAA email rules require that messages containing ePHI which leave the secured internal network be protected in transit (transmission security, 45 CFR 164.312(e)(1)). Email encryption is not the only requirement, but it is the safeguard that keeps ePHI unreadable if a message is intercepted or misdelivered. The Security Rule lists encryption as an "addressable" specification, both in transit and at rest: covered entities and business associates must implement it, or document an equivalent alternative safeguard where encryption is not used.
To determine if encryption is appropriate, security officers must conduct a risk analysis to assess the potential threat to the confidentiality, integrity, and availability of ePHI sent via email. Based on the results of the analysis, an appropriate risk management plan must be developed, and encryption or an alternative measure should be implemented to mitigate any potential risks. The decision to use encryption or an equivalent safeguard must be documented to ensure compliance.
HIPAA does not specify an encryption method, so that the rule keeps pace with technology. That puts the burden on you to choose methods that are currently sound: the Data Encryption Standard (DES) was acceptable when the Security Rule was published and is now trivially breakable, so follow current NIST guidance instead (TLS 1.2 or later for mail and web traffic, AES for stored data). In a HIPAA audit or compliance review, HHS' Office for Civil Rights (OCR) may request documentation showing that encryption was considered and, where it was not implemented, that an alternative safeguard provides equivalent protection.
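The following is an added example, not code from the original page or from Microsoft. It makes the email requirement above enforceable in Exchange Online rather than leaving it to each sender: a mail flow rule encrypts any outbound message that contains a U.S. Social Security Number (Microsoft's built-in sensitive information type) or that staff tag with a subject marker, using the built-in "Encrypt" template of Microsoft Purview Message Encryption, and it shows where TLS on partner connectors is checked. It assumes the ExchangeOnlineManagement module and a Microsoft 365 plan that includes Message Encryption; the rule names, the "[PHI]" tag and the connector name are placeholders.

```powershell
# Added example (not from the original page): enforce encryption for outbound mail that
# carries ePHI in Exchange Online, and check the tenant's transport-encryption settings.
# Assumes the ExchangeOnlineManagement module and a Microsoft 365 plan that includes
# Microsoft Purview Message Encryption (the built-in "Encrypt" template).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Confirm the tenant can apply rights-management templates at all.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw "Azure RMS is not enabled for this tenant; Message Encryption rules will not work."
}

# 2. Mail flow rules: any message leaving the organisation that contains a U.S. SSN,
#    or that the sender has tagged with [PHI] in the subject, is encrypted with the
#    "Encrypt" template. Outside recipients read it through the encrypted-message portal.
New-TransportRule -Name "HIPAA - Encrypt outbound ePHI (SSN)" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassification @(@{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Transmission security, 45 CFR 164.312(e)(2)(ii)"

New-TransportRule -Name "HIPAA - Encrypt on [PHI] subject tag" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[PHI]" `
    -ApplyRightsProtectionTemplate "Encrypt"

# 3. Opportunistic TLS covers everything else by default; for a partner connector
#    (a lab, a billing service) require TLS instead of trusting the peer to negotiate it.
Get-OutboundConnector | Select-Object Name, SmartHosts, TlsSettings, RequireTls
# Set-OutboundConnector -Identity "Partner lab" -RequireTls $true -TlsSettings EncryptionOnly
```

The SSN rule catches what the sender forgot; the subject-tag rule gives staff an explicit way to encrypt anything else (an appointment note, a referral) that carries ePHI without a detectable identifier. Keep the list of sensitive information types short and test each rule with a message to an outside mailbox before relying on it, and record both rules in the risk analysis as the transmission-security safeguard.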
Safeguarding ePHI at rest is an essential part of HIPAA adherence. Encryption at rest (45 CFR 164.312(a)(2)(iv)) is an addressable specification, which means the Security Rule requires you to assess the risk and either encrypt or document an equivalent safeguard; for laptops, workstations and backup media the only defensible answer is to encrypt. Encryption transforms data into an unintelligible form that is unreadable without the key, so a lost or stolen device does not become a reportable breach when it was encrypted in line with HHS guidance. The Advanced Encryption Standard (AES), recommended by the National Institute of Standards and Technology (NIST), is the algorithm to use; full-disk encryption such as BitLocker is built on it. Key management matters as much as the algorithm: recovery keys must be escrowed somewhere the practice controls (the device-management tenant or Active Directory, not a spreadsheet), access to them must be restricted and logged, and there must be a tested procedure for recovering a machine when a key is lost or a TPM is replaced, otherwise encryption turns a hardware fault into a data-loss event. In summary, at-rest encryption with managed keys is a critical component of HIPAA compliance that protects ePHI from unauthorized access while keeping it available to the practice.
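As an added example (not from the original page), the script below puts the at-rest paragraph into practice on a Windows workstation: it enables BitLocker on the system drive with XTS-AES-256, escrows the recovery key to Microsoft Entra ID before the drive is locked to the TPM, and ends with a verification function whose output can be filed with the risk analysis. It assumes the BitLocker and TrustedPlatformModule modules (present on Windows Pro/Enterprise), a TPM, an Entra-joined machine and that the system volume is `C:`; Intune's disk-encryption policy does the same thing at scale, and this is the per-machine equivalent for checking or remediating a single device.

```powershell
# Added example (not from the original page): encrypt the system drive with XTS-AES-256
# under BitLocker, escrow the recovery key to Microsoft Entra ID so a lost key does not
# mean lost data, and report whether each volume meets the at-rest requirement.
# Run elevated on a TPM-equipped, Entra-joined Windows machine; volume letter assumed.
Import-Module BitLocker
Import-Module TrustedPlatformModule

$mount = "C:"
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM; fix firmware settings before enabling BitLocker."
}

# 1. Recovery password first, and escrowed before the disk is locked to the TPM, so the
#    key-management step cannot be forgotten once encryption starts.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
            Where-Object KeyProtectorType -eq "RecoveryPassword" | Select-Object -First 1
BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $recovery.KeyProtectorId
# Domain-joined (on-premises AD) instead of Entra-joined? Use:
# Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $recovery.KeyProtectorId

# 2. Encrypt with XTS-AES-256 (NIST-approved AES; no DES-era option exists here),
#    unlocking automatically from the TPM at boot.
Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# 3. Verification to attach to the risk analysis: every volume fully encrypted with an
#    AES method and protection switched on. Newly started volumes show
#    EncryptionInProgress and are reported as not yet compliant.
function Test-BitLockerAtRest {
    $aes = "XtsAes256", "XtsAes128", "Aes256", "Aes128"
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume     = $_.MountPoint
            Status     = $_.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
            Protection = $_.ProtectionStatus      # On: key is sealed, not exposed in the clear
            Method     = $_.EncryptionMethod
            Compliant  = ($_.VolumeStatus -eq "FullyEncrypted" -and
                          $_.ProtectionStatus -eq "On" -and
                          $aes -contains "$($_.EncryptionMethod)")
        }
    }
}
Test-BitLockerAtRest | Format-Table -AutoSize
```

The order is deliberate: escrow, then encrypt. A drive encrypted with a TPM-only protector whose recovery password was never backed up is exactly the "key loss" failure the paragraph warns about, and the only remedy is a reinstall. Data volumes and external drives used for backups need the same treatment (`Enable-BitLocker` on their mount points, with the recovery key escrowed), and the verification function already lists them.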
How to Achieve Proper Backups for HIPAA Compliance
HIPAA-compliant online data backup and retention requirements apply not only to healthcare providers but also to business associates who handle PHI on their behalf. Under the Security Rule, covered entities must implement a data backup plan as part of their contingency plan (45 CFR 164.308(a)(7)(ii)(A)), which should cover the following:
Data Backup Frequency: Regular data backups must be performed to ensure that PHI is not lost or corrupted. The frequency of data backups will depend on the volume and frequency of data changes.
Data Retention Period: HIPAA itself sets no retention period for medical records; that comes from state law and the practice's own policies. HIPAA does require that compliance documentation (policies, risk analyses, audit records) be retained for six years (45 CFR 164.316(b)(2)(i)), and backups must be kept long enough to satisfy whichever requirement is longest.
Data Backup Testing: Backups must be restored on a schedule to prove that data can be recovered after a disaster, ransomware or a breach; an untested backup is a hope, not a plan. Keep at least one copy offline or immutable so that ransomware cannot encrypt the backup along with the live data.
Data Backup Security: PHI in online backup systems must be encrypted in transit and at rest, with keys you control, and stored with a provider that has signed a Business Associate Agreement and operates data centers meeting HIPAA and HITECH requirements.
Reporting, Alerting, and Monitoring of your Entire Practice
Reporting involves the process of collecting and analyzing security-related data from various sources such as logs, network traffic, and system activity. By analyzing this data, security teams can identify potential threats and vulnerabilities in the system. Reporting also provides valuable insights into the effectiveness of existing security measures and helps identify areas that require improvement.
Monitoring involves the continuous surveillance of system activity to detect potential security threats. This includes monitoring network traffic, system logs, and user activity. Effective monitoring enables security teams to identify potential threats in real-time and take prompt action to prevent or mitigate the impact of an attack.
Alerting involves the process of notifying security teams of potential security threats or breaches. Alerts can be triggered by specific events such as unauthorized access attempts or abnormal system activity. By receiving timely alerts, security teams can quickly respond to potential threats and take appropriate action to protect the system.
Below are examples of security reports your IT support should be sending you:
• Microsoft 365 Multi-Factor Authentication Status:
• Microsoft 365 Mailbox Backup Status:
• Microsoft 365 Tenant Health Status:
• Server Cloud Backup Report:
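The following is an added example (not from the original page) of how the first of those reports, Microsoft 365 multi-factor authentication status, is produced from the Microsoft Graph registration data rather than by clicking through the admin center. It lists every user, flags those who have not registered MFA, and treats an unregistered administrator as critical, which is the ordering a reviewer wants to see first. It assumes the Microsoft.Graph module and a reporting role (Reports Reader or Global Reader); the severity labels and CSV file name are arbitrary choices.

```powershell
# Added example (not from the original page): the "MFA status" report built from the
# Microsoft Graph authentication-methods registration data, flagging every user who
# has not registered MFA and treating unregistered administrators as critical.
# Assumes the Microsoft.Graph module and the Reports Reader or Global Reader role.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

function Get-MfaRegistrationReport {
    $uri  = "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails?`$top=999"
    $rows = @()
    do {   # follow paging until nextLink disappears
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $rows += $page.value
        $uri   = $page.'@odata.nextLink'
    } while ($uri)

    foreach ($u in $rows) {
        [pscustomobject]@{
            User          = $u.userPrincipalName
            IsAdmin       = $u.isAdmin
            MfaRegistered = $u.isMfaRegistered
            MfaCapable    = $u.isMfaCapable       # registered with a method usable for MFA
            DefaultMethod = $u.defaultMfaMethod
            Methods       = ($u.methodsRegistered -join ",")
            Severity      = if ($u.isMfaRegistered) { "OK" } elseif ($u.isAdmin) { "CRITICAL" } else { "HIGH" }
        }
    }
}

$report = Get-MfaRegistrationReport
$report | Sort-Object Severity, User | Format-Table -AutoSize   # CRITICAL sorts first
$report | Export-Csv -NoTypeInformation -Path "MFA-Status-$(Get-Date -Format yyyyMMdd).csv"

$registered   = @($report | Where-Object MfaRegistered).Count
$adminsNoMfa  = @($report | Where-Object { $_.IsAdmin -and -not $_.MfaRegistered }).Count
"{0} of {1} users have MFA registered; {2} administrators do not." -f $registered, $report.Count, $adminsNoMfa
```

Registration is not enforcement: a user can be registered and still sign in with a password alone if no Conditional Access policy (or security defaults) requires MFA. The report therefore pairs with a second check that the tenant's Conditional Access policies require MFA for all users, and the two together are what "MFA status" should mean when it lands in your inbox.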
A Brief Review of Six Industries of Healthcare
• Dental HIPAA Compliance:
The HIPAA privacy rule is specifically targeted towards "covered entities" such as healthcare providers, health insurance companies, and healthcare clearinghouses. Although dentists are not explicitly listed as a covered entity, they are encompassed within the definition of "healthcare providers." This implies that when divulging patients' protected health information (PHI), dentists must adhere to the HIPAA privacy rule.
Dentists are obliged to take all necessary precautions to safeguard PHI from being accessed, utilized, or revealed without authorization. Additionally, they must have a well-conceived plan for reacting to data breaches or an established Incident Response Plan.
The HIPAA regulations for dentists are fundamentally identical to those for all other healthcare providers. Dentists must follow both the Privacy Rule, which mandates the protection of patients' confidential health information, and the Security Rule, which necessitates guarding against unapproved access to patient data.
• Optometry HIPAA Compliance:
While comprehending HIPAA compliance for optometrists is relatively straightforward, actual implementation can present challenges. Optometrists encounter difficulties with compliance due to their frequent operation in public-facing environments, which raises the potential of inadvertently disclosing individually identifiable health information, and because patient notes are frequently recorded on paper prior to being transferred to an electronic health record (EHR).
Additionally, optometry practices are now frequently targeted by cybercriminals who aim to steal patient data. The Department of Health and Human Services' Breach Report currently lists multiple optometry and ophthalmic practices under investigation for successful hacking attacks and IT incidents that have compromised the unprotected Protected Health Information of millions of patients.
The Administrative Simplification provisions outline the HIPAA Rules optometrists must comply with, including the General Requirements, the Privacy Rule, the Security Rule, and the Breach Notification Rule. However, state laws that are more stringent than HIPAA are not preempted by it: a state may grant patients more rights, require additional security measures or mandate shorter notification periods, and optometrists must then comply with both. Verify which rules apply in your location through your state's Board of Optometry.
• Home Care HIPAA Compliance:
Home Health Agencies face a distinct challenge of maintaining the confidentiality, integrity, and availability of patient PHI since they employ a vast number of workers who are not necessarily confined to a single location throughout the day. Instead, employees traverse from house to house, providing assistance to those in need. As such, it is vital to ensure that all representatives of the organization sign a Confidentiality Agreement that explicitly prohibits them from utilizing PHI inappropriately throughout the course of their workday.
Apart from a mobile workforce, modern technology presents further unique challenges for these agencies. Ensuring the integrity of data and preventing unauthorized disclosure of PHI poses significant obstacles. Therefore, Home Health Agencies need to exercise extreme caution in the technology they use to assist patients while simultaneously safeguarding PHI from unauthorized access.
To maintain the integrity of PHI utilized, technological safeguards are essential. It is necessary to ensure that the device accessing PHI is fully encrypted, password-protected, and equipped with mechanisms to ensure encryption of data in transit.
• Physical Therapy HIPAA Compliance:
The Health Insurance Portability and Accountability Act (HIPAA) has established national standards for the use and disclosure of patients' protected health information (PHI), including that of patients receiving physical therapy. Physical therapists and their business associates are governed by HIPAA when disclosing patient PHI. The relationship between HIPAA and physical therapy practice rests on the principle that physical therapy patients have the same rights as patients of any other HIPAA-regulated provider, be it a family physician or a neurologist. As more physical therapy practices conduct standard transactions electronically and offer telehealth appointments, HIPAA's Security Rule and Privacy Rule additionally mandate administrative, physical and technical safeguards for electronic protected health information (ePHI).
Notably, HIPAA's requirements extend to physical therapists, to any medical professionals employed by or operating from a physical therapy clinic, and to the covered entity's business associates and subcontractors. Physical therapists handle patients' protected health information, which is exactly what HIPAA's safeguards for PHI exist to protect, so strict adherence is required.
• Chiropractic HIPAA Compliance:
The profession of a chiropractic doctor is both a privilege and a weighty responsibility that carries a certain degree of risk. However, these risks can be effectively managed and, in some cases, even eliminated if a chiropractor devotes sufficient time to working on their practice, rather than solely in their practice. Achieving compliance is not a mere matter of following protocols; it requires swift action and adaptability in response to the continually evolving regulatory landscape.
Given the proliferation of rules and regulations in the healthcare industry, it can be challenging for chiropractors to discern where their areas of vulnerability may lie. Yet, by learning from the missteps of others and prioritizing a step-by-step approach, it is possible to minimize risk exposure. Importantly, seeking support and guidance is crucial, particularly in the context of maintaining HIPAA compliance.
• Orthopedic HIPAA Compliance:
Orthopedic practitioners across the United States are increasingly adopting technology-driven, HIPAA-compliant orthopedic billing methods to counteract the impact of various regulatory constraints imposed on medical billing practices.
HIPAA compliance is significant not only in endorsing orthopedic practitioners' commitment to patient privacy and security but also in granting them incentives for serving as responsible partners in delivering efficient and effective healthcare services. Additionally, payors consider HIPAA compliance a crucial indicator of orthopedic practitioners' integrity in medical billing practices.
The Office for Civil Rights (OCR) has undertaken more than 29,966 investigations, which culminated in the identification of noncompliant practices and the imposition of corrective measures and technical assistance for HIPAA-covered entities and their business associates.
The corrective actions required by OCR have instituted systemic changes, which benefit all individuals served by these entities. Through the enforcement of the HIPAA Rules, OCR has effectively utilized corrective measures in all cases where an investigation has revealed noncompliance by a covered entity or their business associate. To date, OCR has settled or levied a civil money penalty in 130 cases, amounting to a total of $134,828,772.00.
OCR has investigated complaints against an array of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. Such investigations indicate that the scope of OCR's enforcement extends beyond just large and complex healthcare providers, and emphasizes the need for all HIPAA-covered entities and their business associates to prioritize compliance.
About Errol Janusz
Errol Janusz is a Microsoft Certified Professional with over 23 years of experience in supporting Microsoft products. From Windows networks and servers to Microsoft Modern Management, Errol has worked extensively with each environment.
Below is a link to our YouTube video library that has more information about Errol and HIPAA Compliance. Our LinkedIn link below also has additional blog posts about IT management.