Information Show for Computer Repair Techs and Business Owners
Hosted by: Jeff Halash from TechNutPC.com
Google+ Jeffery Halash
Computer Repair Podcast #231 Video
Jeff and I, to include the Podnutz network, its guests, sponsors and listeners, are in no way providing legal or specific advice as it applies to HIPAA, Compliance, Networking, Computer Technology or anything contained in, referred to or mentioned on this show. We are just some old computer techs providing personal advice. Take it for what it is worth; the content is provided with our best effort only.
HIPAA = Health Insurance Portability and Accountability Act of 1996
WHAT IS IT
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA),
Addendums, Rules, Regulations and Rulings are constantly updating the provisions and requirements.
** Keep in mind that the HIPAA Security Rule is approximately 8 pages.
Acronyms you need to know:
(D)HHS = Department of Health and Human Services
DHS = Department of Homeland Security
OCR = Office for Civil Rights
ONC = Office of the National Coordinator for Health Information Technology
NIST = National Institute of Standards and Technology
PCI = The Payment Card Industry Data Security Standard (PCI DSS)
PHI = Protected Health Information (ePHI – electronic PHI)
BAA = Business Associate Agreement (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html)
What we are talking about: anyone who creates, receives, maintains, or transmits PHI (our job is protecting it).
HIPAA Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical
What do you need to know as a tech?
- You do not provide HIPAA compliance. You assist your customers to reach compliance. Much of the compliance burden rests on your client’s actions and behavior.
- There is no such thing as "HIPAA certified." Customers do not reach a point of being compliant (like an ISO cert or something), and at this time there is no governing body that certifies companies, software, individuals, etc. as such.
A review of your customers' compliance plan:
What are the basics for you as a tech in helping your customers?
- No part of HIPAA is optional and the rule is not going to change with ObamaCare, etc. The word addressable does not mean optional.
- Get and review a BAA with customers.
- Once you have signed a BAA, you are bound by the same HIPAA compliance rules.
- Let the doctrine of reasonable and appropriate guide you. HIPAA rules are guidelines to work with all sizes and types of healthcare organizations.
- Identify the location of PHI or data (backup and protection): who has it, where is it, and how is it transmitted.
- PHI needs to be encrypted in transit and at rest as addressable (just encrypt everything IMO). If it moves, encrypt it.
- Unique passwords on everything.
- You need to have documentation for everything. You need to have 1 year of history (audit logs, virus logs, access logs, etc.).
- Your service providers need to sign a BAA with you or your customers (GSuite, backup, etc.).
- Have plans: Disaster Recovery, Risk Assessment, Breach Response, Incident response, etc.
- Intrusion Prevention & Intrusion Detection = Requirement
- Endpoint Virus Protection (Managed)
- Secure email (encrypted) – ProtectedTrust or Virtru
- Do not forget about other devices: printers, credit card machines, copiers, mobile devices, IoT, etc., etc.
- It’s all about the people. (yours and theirs)
- HIPAA can be an element in other assessments: Insurance, choosing providers, etc.
- Make sure both you and your customers know what a breach is. For example, ransomware is a privacy breach… unless proven otherwise.
- Create policies…
- Did I mention you need to document?
- Tackle HIPAA bit by bit…. Try to build a culture of compliance in your organization and your customers.
- You need ongoing, documented training.
- Do not be fooled by cybersecurity insurance.
- Do not mislead or misinform. Do not sign anything.
- Why is this important? Because it is what we should have always been doing.
- HIPAA should be used for all customers… IMO
- Use the NIST guidelines: https://www.nist.gov/cyberframework
Donna Grindle & David Sims