
Four Measures Your Organization Needs to Achieve HIPAA Compliance

David Millier


With revisions to federal legislation around the security and storage of health information in the US, many businesses are aware that they need to ensure compliance with standards mandated in the Health Insurance Portability and Accountability Act (HIPAA). But that's left many with a big question: how does my organization become HIPAA compliant?

What Is HIPAA?

HIPAA is a federal legislation from 1996 that governs the security and storage of medical information in the United States. Health information can be important, especially if doctors need to share information with hospitals or other practitioners. But this kind of information is also very sensitive, and the act is designed to keep patients and their medical records safe in the digital age.

What Does It Take to Be Compliant?

Businesses become HIPAA compliant when they follow the standards of practice set out in the law. With the passage of the Patient Protection and Affordable Care Act of 2010 and the subsequent rollout of changes to the US medical care program, there has been a renewed focus on HIPAA and its standards.

Any company that deals with protected health information must comply with HIPAA. To do so, the business must ensure that the following four measures are being followed: physical, network, process security measures and “addressable” measures.

Physical Security Measures

Perhaps the simplest part of being HIPAA compliant is ensuring that physical security measures are in place and followed. These requirements focus on physical access to information and the workstations they're accessible from. To be compliant, you'll need to implement workstation security. This includes policies and procedures for workstation use that identify the work to be done and how it is to be done at that station, as well as protocols around the disposal of media and equipment that may have stored health information on it. Procedures addressing how to remove information from reusable media are also required.

Network Security Measures

There are 5 requirements in HIPAA that address network and network access in order to provide more security for sensitive health information. To be HIPAA compliant, you must implement unique user identification to facilitate tracking, create an emergency access procedure, and implement audit controls to record and monitor systems and workstations that collect and store electronic health information. You must also have an authentication process to ensure that someone requesting access to health information is the person they claim to be.

Process Security Measures

These administrative measures are probably the most difficult to implement—and the most important. To be compliant with HIPAA, your organization must perform risk analysis and risk management and have proper procedures in place. You must also designate HIPAA officers to monitor compliance. You must regularly audit and review use of workstations. Sanctions also need to be in place to discipline employees in breach of policy. If multiple organizations will have access to files or workstations, you need to ensure that only those who are authorized will have access to health information. You are also required to develop a contingency plan to protect sensitive health information in an emergency. You are required to evaluate your compliance and update it when necessary, and when you enter into an agreement with another business, you are responsible for ensuring that they will operate in compliance with HIPAA.

Addressable Measures

In addition to the required measures, there are also a number of items that HIPAA considers "addressable." While businesses aren't required to implement these measures to be HIPAA compliant, these additional measures provide added security for sensitive health information. These measures range from having a facility security plan to protecting your systems against malware. These items should be addressed by businesses dealing with health information—not just to be compliant with the law, but to provide more security for patients and clients.

To learn more on how Uzado can help your organization become HIPAA Compliant, click below to request a demo.


Topics: Compliance, HIPAA Compliance, Security

Cybersecurity and Health Care Don’t Mix… Said No One…

Alix Postan

1% of Health Care Organizations say they are not vulnerable to cyber-attacks.

The truth is, cybersecurity and health care should be much more intertwined. HealthCareCAN and the Canadian College of Health Leaders requested that IPSOS survey health care professionals in March 2017, after the WannaCry ransomware spread throughout 310 countries and shut down 16 hospitals in the UK. As a result of the malware attack, Canadians wanted to know how secure their healthcare system is, hence the survey.

The United States has a protection act (Health Insurance Portability and Accountability Act – HIPAA) which requires healthcare services to mandate a certain level of cybersecurity within their organizations. In Canada, we have PIPEDA (Personal Information Protection and Electronic Documents Act), which is applicable to federally-regulated organizations (i.e. banks and telecommunications companies) and private-sector organizations. According to McMillan, PIPEDA was amended in 2015 with regulations for responding to a breach or an attack; however, it still lacks preventative regulations.

According to the HealthCareCAN and the Canadian College of Health Leaders’ 2017 survey, 85% of hospital CEOs, department heads, medical directors and other senior health administrators say their organizations are vulnerable to cybersecurity attacks. 85%!! The survey found that 90% of these institutions were confident that they are prepared for natural disasters (floods, fires, ice storms, etc.) or man-made emergencies (terrorist attacks, infrastructure failures, etc.) – but not cybersecurity.

The poll also indicated that 32% of health leaders believe there’s an urgent need for the federal government to become more involved in “setting up standards, oversight and providing leadership to address cybersecurity.” That’s followed by “security monitoring/protection” (22%); “provide funding” (19%); “address IT/cybersecurity issues” (13%); “help with infrastructure” (12%); and “providing plans/strategies” (9%).

The statistics from this article are derived from GlobeNewswire.

For more information on becoming HIPAA Compliant, click here.

Why Compliance Does NOT Equal Security

Topics: Compliance, HIPAA Compliance, Security

What is HIPAA Compliance?

David Millier

With revisions to federal legislation around the security and storage of health information in the US, many businesses are aware that they need to ensure compliance with standards mandated in the Health Insurance Portability and Accountability Act (HIPAA). But that's left many with a big question: how do you become HIPAA compliant?

What Is HIPAA?

HIPAA is a federal legislation from 1996 that governs the security and storage of medical information in the United States. Health information is important; in some cases doctors need to share information with hospitals or other practitioners. This kind of information is also very sensitive, and the act is designed to keep patients and their medical records safe in the digital age.

What Does It Take to Be Compliant?

Businesses become HIPAA compliant when they follow the standards of practice set out in the law. With the passage of the Patient Protection and Affordable Care Act of 2010 and the subsequent rollout of changes to the US medical care program, there has been a renewed focus on HIPAA and its standards.

Any company that deals with protected health information must comply with HIPAA. To do so, the business must ensure that all required physical, network, and process security measures are in place and being followed.

Physical Security Measures

Perhaps the simplest part of being HIPAA compliant is ensuring that physical security measures are in place and followed. These requirements focus on physical access to information and the workstations they're accessible from. To be compliant, you'll need to implement workstation security. This includes policies and procedures for workstation use that identify the work to be done and how it is to be done at that station, as well as protocols around the disposal of media and equipment that may have stored health information on it. Procedures addressing how to remove information from reusable media are also required.

Network Security Measures

There are 5 requirements in HIPAA that address network and network access in order to provide more security for sensitive health information. To be HIPAA compliant, you must implement unique user identification to facilitate tracking, create an emergency access procedure, and implement audit controls to record and monitor systems and workstations that collect and store electronic health information. You must also have authentication processes in place to ensure that someone requesting access to health information is the person they claim to be.

Process Security Measures

These administrative measures are probably the most difficult to implement—and the most important. To be compliant with HIPAA, your organization must perform risk analysis and risk management to ensure it has the proper procedures in place. You must also designate HIPAA officers to monitor compliance. You must regularly audit and review use of workstations. Sanctions also need to be in place to discipline employees in breach of policy. If multiple organizations will have access to files or workstations, you need to ensure that only those who are authorized will have access to health information. You are also required to develop a contingency plan to protect sensitive health information in an emergency. You are required to evaluate your compliance and update it when necessary, and when you enter into an agreement with another business, you are responsible for ensuring that they will operate in compliance with HIPAA.

Addressable Measures

In addition to the required measures, there are also a number of items that HIPAA considers "addressable." While businesses aren't required to implement these measures to be HIPAA compliant, these additional measures provide added security for sensitive health information. These measures range from having a facility security plan to protecting your systems against malware. These items should be addressed by businesses dealing with health information—not just to be compliant with the law—but to provide more security for patients and clients.

Want to know how Uzado can help with HIPAA Compliance? Click below to request a demo:


Topics: Compliance Management, HIPAA Compliance, Security, Remediating Risks

How Do I Become HIPAA Compliant?

David Millier

With revisions to federal legislation around the security and storage of health information in the US, many businesses are aware that they need to ensure compliance with standards mandated in the Health Insurance Portability and Accountability Act (HIPAA). But that's left many with a big question: how do you become HIPAA compliant?

What Is HIPAA?

HIPAA is a federal legislation from 1996 that governs the security and storage of medical information in the United States. Health information can be important, especially if doctors need to share information with hospitals or other practitioners. But this kind of information is also very sensitive, and the act is designed to keep patients and their medical records safe in the digital age.

What Does It Take to Be Compliant?

Businesses become HIPAA compliant when they follow the standards of practice set out in the law. With the passage of the Patient Protection and Affordable Care Act of 2010 and the subsequent rollout of changes to the US medical care program, there has been a renewed focus on HIPAA and its standards.

Any company that deals with protected health information must comply with HIPAA. To do so, the business must ensure that all required physical, network, and process security measures are in place and being followed.

Physical Security Measures

Perhaps the simplest part of being HIPAA compliant is ensuring that physical security measures are in place and followed. These requirements focus on physical access to information and the workstations they're accessible from. To be compliant, you'll need to implement workstation security. This includes policies and procedures for workstation use that identify the work to be done and how it is to be done at that station, as well as protocols around the disposal of media and equipment that may have stored health information on it. Procedures addressing how to remove information from reusable media are also required.

Network Security Measures

There are 5 requirements in HIPAA that address network and network access in order to provide more security for sensitive health information. To be HIPAA compliant, you must implement unique user identification to facilitate tracking, create an emergency access procedure, and implement audit controls to record and monitor systems and workstations that collect and store electronic health information. You must also have an authentication process to ensure that someone requesting access to health information is the person they claim to be.

Process Security Measures

These administrative measures are probably the most difficult to implement—and the most important. To be compliant with HIPAA, your organization must perform risk analysis and risk management and have proper procedures in place. You must also designate HIPAA officers to monitor compliance. You must regularly audit and review use of workstations. Sanctions also need to be in place to discipline employees in breach of policy. If multiple organizations will have access to files or workstations, you need to ensure that only those who are authorized will have access to health information. You are also required to develop a contingency plan to protect sensitive health information in an emergency. You are required to evaluate your compliance and update it when necessary, and when you enter into an agreement with another business, you are responsible for ensuring that they will operate in compliance with HIPAA.

Addressable Measures

In addition to the required measures, there are also a number of items that HIPAA considers "addressable." While businesses aren't required to implement these measures to be HIPAA compliant, these additional measures provide added security for sensitive health information. These measures range from having a facility security plan to protecting your systems against malware. These items should be addressed by businesses dealing with health information—not just to be compliant with the law, but to provide more security for patients and clients.


Topics: HIPAA Compliance