8 Tech Solutions to Aid in a Successful HIPAA Compliance Plan

for Small Optometric / Medical Practices

The Health Insurance Portability and Accountability Act (HIPAA) is as much about controlling human risk factors as it is addressing technological threats.  Most people are under the impression that by just implementing a certain security technology they can cover themselves in a HIPAA audit.  That is incorrect.  HIPAA Compliance can’t be attained by just integrating a technology.  You need perform ALL of the following:
  • Integrate technological solutions that can align with your HIPAA Security Plan (i.e. firewall, software, locks, assets lists, etc…)
  • Address the human risk factors in implementing this technology (i.e. if using encrypted e-mail, how will staff verify patient identities)
  • Address security flaws and vulnerabilities that may arise from using a specific integration (i.e. patches for firewalls, Windows Updates, virus definition updates, wireless penetration testing)
  • Enforce your sanction policy in your office.  Keep a sanction log of even minor
    violations, such as emailing a patient without proper identity authorization.  Make sure sanctions are appropriate for the level of exposure.

Here are your 8 Tech Solutions to Aid in a Successful HIPAA Compliance Plan: 

for Small Optometric/Medical Practices

1. Business Class Firewall
If you are on the modem/gateway provided by your ISP, stop using it now.  More than likely, your router does not have the security to operate in your office.  Unless you have fully analyzed its implementation into your HIPAA Security Policy, it is not HIPAA Compliant. Take a look at a list of major breaches on the HIPAA Wall of Shame

You need a business class firewall.  There are many resources and discussions on Health IT forums and websites as to which firewall is best.  I believe any business class firewall can be implemented IF AND ONLY IF it is accompanied by a solid HIPAA policy that outlines weaknesses/flaws in the firewall.  HIPAA is scalable, so a small practice does not need to have the same network security as a big hospital.

At the very minimum, this firewall could work into your HIPAA Security Policy: Cisco RV110W-A-NA-K9 Small Business RV110W Wireless N VPN Firewall Router

2. Wi-Fi Security
If you don’t need Wi-Fi at your practice the easiest way for you to address your wireless security is to simply turn this function off.  If you use Wi-Fi, you must construct a policy which will mitigate the factors underlined in your yearly risk assessment.
If your equipment requires Wi-Fi you will need these features to maximize wireless security
  • WPA2 Encryption
  • Do not broadcast SSID
  • Use MAC filters to restrict access to desired devices
  • Optional: reduce transmit power to restrict the area of wifi access
  • Do not give wifi access to anyone.

3. Email Encryption
The safest way to communicate with a patient is via phone, fax, and snail mail.  Most major medical institutions do not implement email in their patient communications strategy because it is too difficult to mitigate the risks among a large staff workforce.  

Most discussions about HIPAA and email usually only address the email encryption portion OR the patient identity verification of your email policy. Even if you properly verify a patient's email address, by using a public email server like drjohnsmith@gmail.com, you are opening your unsecured email to multiple risks.
Remember, HIPAA compliance is a combination of security technologies and office policy.  If you decide to implement email into your patient communication strategy you must:
  • Use a secure, encrypted email platform (i.e. Hushmail, EmailPros, Google Apps)
  • Possess a signed business associate agreement (BAA) signed by your email provider
  • Establish an office protocol to mitigate risks underlined in your risk analysis (i.e. confirming a patient’s identity by having them con
  • Use a secured network of workstations with a proper security (i.e. firewall and antivirus protection)
  • Determine any other risks that may result in the system you choose

4. Drive Encryption
A worst case scenario: Your practice is burglarized and computers are stolen.  If you have protected health information in those computers and it is not encrypted, you are liable for any breaches resulting in that theft.
from wikimedia
A good rule for any workstation: Encrypt it.  Without the proper security key, encryption renders data on stolen devices as unrecoverable.  
The easiest way would be to have a PC with Windows 10 Pro or 8.1 Pro.  More info:

5. Password Management
Questions to ask:
a. Determine your password management strategy for your HIPAA Security Policies
  • Use a password manager for: Frame, contact lens, small insurance companies, office supplies, laboratories, and courier services because of the limited ePHI (if any) they contain.
  • I would recommend omitting websites that contain the bulk of your ePHI access (i.e. Patient Communication tools, EyeMed, VSP, Availity, EDI sites) unless you can safely implement it into your policy.
  • Check out a forum conversation here.

b. Determine a password management solution for your office:
  • For 1-3 employees: LastPass Premium
    • Although not designed for small business, (1) LastPass Premium account will allow you to share with other users (including free users).
  • For 4 or more employees: LastPass Enterprise
    • If your office requires a more secure password logging and monitoring interface as part of your HIPAA Security Policy, then you will need LastPass Enterprise which will allow you to do that.
c. Enable 2-step “Multifactor” authentication

A password manager with multifactor authentication, in combination with a solid password management policy in your office, will allow you to efficiently and safely log into any password protected web service you use.

6. Kensington Locks
Physically secure your devices.  These Kensington lock slots can lock up multiple devices: Desktop, monitor, router, external hard drive.  An added benefit of these particular locks is the ability to order a “Master Key” for multiple lock sets.
from wikimedia

7. Antivirus
ESET Smart Security - Save 25% Check out the new ESET Smart Security 8 and save 25% on a 2-year subscription! You can install this for up to five (5) computers.  Opt for a two-year subscription for worry-free protection.

8. Screen filters
There are various 3M Privacy Filters to match your screen size. As part of your HIPAA Security Policy, you can implement privacy filters in public areas, where computer screens are viewable to patients.

Remember to assess your risks first, then determine the tech solutions and office policy to address them.

Popular posts from this blog

4 Steps to Creating your Procedure Manual in Google Docs

A "Clickable" Procedure Manual

Metrics - Patient Response Button Fix

A Guide On Making A Guide in Google Docs