Computer “stuff” incites yawns and involves a barrage of new acronyms but you have to compare that with the excitement of not getting paid because your bank account was hacked. Identity theft is moving from the mail box, to the inbox, and is targeting small businesses more because most of us lack full-time IT departments. To reduce your risk of a shutdown, data loss, your bank account being emptied, HIPAA penalties we need to put on our thick Zyl frames, pocket protectors and get our “geek on” a bit. Let’s batten down the electronic hatches!
New 2014 HIPAA requirements bring both tighter electronic security standards…and greater penalties. HIPAA enforcement has quadrupled since 2010 after many lackluster years, and yes Virginia, there are real HIPAA police. For more fun the worst computer virus in many years is circulating called Crypto-Locker. It ground one optical practice to halt for 3 days this month while their server was literally held hostage. There simply has never been a better time to review and upgrade your practice’s internet, computer and network security, not only for HIPAA requirements but your own financial security. Computer “stuff” incites yawns and involves a barrage of new acronyms but you have to compare that with the excitement of not getting paid because your bank account was hacked. Identity theft is moving from the mail box, to the inbox, and is targeting small businesses more because most of us lack full-time IT departments. So to reduce your risk of a shutdown, data loss, your bank account being emptied, and increasing HIPAA penalties we need to put on our thick Zyl frames, pocket protectors and get our “geek on” a bit. Let’s batten down the electronic hatches!
HiPPAA And Portable Devices: The theft of portable devices is by far the largest single cause of HIPAA violations, over 40%! The problem arises because if a tablet or laptop is stolen, you must PROVE that that tablet or laptop contains ZERO Protected Health Information, otherwise you are in violation. That becomes impossible if you no longer have possession of that device. The requirements are really that strict. If your device goes missing you must inform HIPAA, then your ENTIRE patient base that their information may have been compromised which is embarrassing, time consuming and very expensive. All laptops in patient areas should have locking cables to attach them to tables or desks. I don’t recommend using any Optical Apps at this time unless they offer signed HIPAA certification, and I could find zero that did. Apps in general share information with everything else on that device and security is terrible. Just because you can’t see that patient data doesn’t mean that it’s not there in a cache file accessible to someone. It doesn’t matter that someone didn’t actually accesses that data, the fact they could meets the standards of a violation. It’s up to you to prove they can’t, and how can you if you don’t even know where the device is? Tablet Apps represent your largest potential HIPAA violation and fines. Of course the government appreciates your financial contributions so it’s up to you.
HIPPA And Email: HIPAA Email standards require that both the client program and the data transfer be encrypted. Many existing secure email solutions require that both the sender and receiver use the same special program or web portal, which is burdensome. Recently, Microsoft just updated their “Office 365 Suite” and now offers BAA signed HIPAA Security with a familiar web interface and client that is easily accessible and user friendly. It works in the foreground just like it always has and is by far the easiest to implement and cost effective HIPAA compliant email solution for most practices. Sadly current Gmail security does not offer HIPAA Certification and could expose you to enforcement if you use it with patients or share information with other providers.
As an added bonus you can configure your Office 365 email to use your practices own domain name. For example, you can receive email at firstname.lastname@example.org through Office 365 which is vastly more professional looking than email@example.com. Few things are hokier than using a home type personal email for business. Office 365 right now offers you a fantastic way to use secure email and improve the professionalism of your practice at the same time, all in a familiar web or Outlook interface. Click here for more details: http://www.microsoft.com/health/en-us/products/Pages/Microsoft-Office-365.aspx
HiPPA And Workstations: Many practices buy home computers from Dell or Costco, which mostly use home version of operating systems. Although they appear similar on the surface the “Professional” Versions of Windows 7 and 8 offer much higher protection against unauthorized computer, user and file access. Windows XP Pro is very insecure and will no longer support by Microsoft in April 2014 so you can’t use it for anything involving patient information, even accessing cloud services (in many respects it already violates HIPAA). If you are still using DOS, Windows 9x, Windows XP or Home Versions of Windows you not only be in violation of HIPAA you are vastly increasing your risk of a disaster or intrusion. You may be eligible for some tax benefits for upgrading your computers and networks before April. Please upgrade to Windows 7 or 8 Professional (compatibility may affect your choice) as soon as possible. Apple is a more of a moving target but you should only be using the two most recent releases which are OS X 10.8 or 10.9 to remain secure and compliant.
Van Y Rue, is currently a VP at Single Vision Express, an Optical Lab near Seattle WA, but was in a former life thrust into the role of IT rat. He also consults and teaches on Medical Practice Management and Progressive Lens Technology. You can reach him at firstname.lastname@example.org or 425-739-6501.