HIPAA Compliance Series - Part 2 - Protected Health Information & Disaster Planning
- ABC Computer Solutions
- Feb 10, 2016
- 3 min read
Our previous post in the HIPAA Compliance Series was a brief introduction to what HIPAA is and who it targets. Now that you understand why HIPAA matters and who it applies to, we are going to move on to the first actual steps toward making your office more HIPAA compliant. The next item to look at is which devices and systems on your network HIPAA actually covers. Since HIPAA is about health information, it covers the systems through which that information is accessed, as well as any systems that have connections to the systems holding protected health information.

To determine which systems must be HIPAA compliant, the best approach is to draw a diagram of every device on the network and see which systems can be traced back to the protected health information. For instance, say you have workstations connected to a server, and the health data is actually stored on the server. Because the workstations connect to the server, they must still meet HIPAA regulations even though they hold no data themselves. Why do computers on your network that have no information on them have to be HIPAA compliant? Because they have direct access to the server where your data is hosted, they are a potential risk point, and as such they have to meet compliance.

The security of your data goes much further than just your server and workstations, however. Your network must be secured properly: the computers on your network more than likely have Internet access, and that access must be regulated in both directions, incoming and outgoing. You want to know what kind of traffic is coming into your network and what is leaving it! Controlling that traffic with a business-class firewall is one of the best ways to protect your network and watch for potential issues. Another preventive measure we put in place on our clients' systems is monitoring on each workstation and server connected to the network. This monitoring alerts us 24/7 whenever one of our checks is tripped, so we can move in and stop the issue immediately should someone make it past the firewall. Without these additional checks, someone could get past the perimeter firewall and you might never know it. Knowing which systems you must protect and how to protect them properly is very important, and as we said earlier, you should not only protect them but also have ways in place to monitor them for issues.
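The trace-back described above can be done in code once the diagram exists as an inventory of devices and their connections. The following is an added example, not from the original post: the device names, connections and the designation of which system stores the health records are constructed sample data, and a device is treated as in scope when it stores protected health information or can reach, directly or through other devices, a device that does.

```python
"""Determine which inventoried systems fall inside HIPAA scope.

A system is in scope if it stores protected health information (PHI)
or if it can reach, directly or through other systems, a system that
does. The inventory and connections below are constructed sample data.
"""
from collections import deque

# Constructed sample inventory: each device and the devices it connects to.
CONNECTIONS = {
    "ehr-server": [],                      # stores the health records
    "front-desk-pc": ["ehr-server"],       # no data, but connects to it
    "exam-room-pc": ["ehr-server"],
    "billing-pc": ["front-desk-pc"],       # reaches PHI only indirectly
    "lobby-kiosk": ["guest-wifi-router"],  # isolated guest network
    "guest-wifi-router": [],
    "firewall": ["ehr-server", "front-desk-pc", "exam-room-pc"],
}
PHI_STORES = {"ehr-server"}


def hipaa_scope(connections, phi_stores):
    """Return the set of systems that store PHI or can reach a PHI store.

    Connections are followed in reverse: starting from every PHI store,
    walk back to each device that connects to it, then to the devices
    that connect to those, and so on, until nothing new is reached.
    """
    # Build the reverse graph: target -> devices that connect to it.
    reverse = {name: set() for name in connections}
    for src, targets in connections.items():
        for dst in targets:
            reverse.setdefault(dst, set()).add(src)

    in_scope = set(phi_stores)
    queue = deque(phi_stores)
    while queue:
        node = queue.popleft()
        for upstream in reverse.get(node, ()):
            if upstream not in in_scope:
                in_scope.add(upstream)
                queue.append(upstream)
    return in_scope


def out_of_scope(connections, phi_stores):
    """Systems that neither hold PHI nor have any path to a PHI store."""
    return set(connections) - hipaa_scope(connections, phi_stores)


if __name__ == "__main__":
    for name in sorted(hipaa_scope(CONNECTIONS, PHI_STORES)):
        print("in scope:", name)
```

The billing PC lands in scope even though it never touches the server directly, while the guest network stays out because nothing on it has a path to the records.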
Once you know which devices and systems on your network you must protect, the next step, if you do not already have it in place, is a proper backup strategy. In a medical practice it is essential to have a proper backup system in place. Let's say your server goes down and you can no longer access the health records hosted on it. That is a major problem, right? A good backup solution lets you back up and restore your data whenever you need to, with multiple points in time to restore from. A great backup system does the same, but also lets you instantly bring your server back up virtually until the real server can be repaired. Which would you rather have in place? One where you can get to the data again in a few days, maybe even a week, after you set up a temporary system that can handle your practice's workload, work with your software company to get the software reloaded, move the databases over to the temporary system, and so on? Or one where getting back online is as simple as changing an IP address? Silly question, right? Whether you need help figuring out what you need to protect, how to protect it properly, or what kind of backup to have in place, we have the solutions for your medical practice. Give us a call for a FREE consultation today!