“Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true,” stated Tod Ferran, a security analyst at SecurityMetrics, Inc., in an article he wrote for Healthcare IT News.
Many healthcare entities mistakenly assume that if their EHR system is HIPAA compliant, that coverage extends to every other HIPAA requirement as well. But, as experts have shown in recent years, HIPAA compliance and EHR compliance are two completely different umbrellas, even if you may be caught in the same storm. Ferran warns healthcare providers that the new HIPAA Security Rule requires systems to be protected by 75 specific security controls, and an EHR vendor's certification speaks to only a subset of them. He goes on to state that in order to ensure that an organization's procedures, policies, and security measures are designed to protect protected health information (PHI) and defend against regulatory penalties, organizations should “assess their security programs as a whole,” rather than “simply checking a box”.
So, how can an organization protect itself and do everything in its power to maintain HIPAA compliance? Ferran recommends that organizations take the following actions right away:
Establish a regular weekly security meeting, starting with as little as 30 minutes per session, to review priorities
Implement intrusion prevention
Utilize identity management
Integrate data-loss prevention tools
Designate a HIPAA compliance officer or team member
Conduct annual HIPAA security risk analyses
Check organizational policies and procedures against HIPAA requirements
Encrypt protected health information (PHI), both at rest and in transit
Restrict access to the encryption keys to authorized individuals only
Implement workstation security