Last updated on October 18th, 2019
As the information age grows, the need arises for security and regulation with the amount of information being sent, received, or displayed every day. One of the most prevalent fields where data is even more sensitive is in health/medicine. Consequently, HIPAA regulations were implemented throughout the industry due to the sensitivity of this data. Thanks to Optimized Computer Solutions, we have a basis of knowledge about the role HIPAA plays in the licensing ecosystem. In this article we will discuss what HIPAA is, how to license within compliance, and everything in between.
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996. It was subsequently updated by the HIPAA Privacy Rule in 2003 and again in 2005 by the HIPAA Security Rule. In general, HIPAA is a set of laws that provide rules of the road of how health care organizations and those who have access to protected patient data should protect ePHI (electronic protected health information). The law covers four general areas:
- Privacy – Covers patient confidentiality.
- Security – Protection of information safeguards.
- Identifiers – Defines what information cannot be released if collected for research purposes.
- Codes – Related to electronic transmission of data in healthcare-related transactions, including eligibility and insurance claims and payments.
HIPAA guidelines do not provide specific technologies (firewalls, AV, etc.), rather they provide a framework for covered entities to abide by and implement as is best for their individual needs. For example, how a large hospital chooses to meet their HIPAA responsibilities may be significantly different than a single provider practice. Also, meeting HIPAA requirements is an ongoing endeavor, not a destination to be reached and then forgotten.
Can I use my O365 Products in my HIPAA covered environment?
The short answer is: YES! By default, O365 products and many other Microsoft products, are automatically covered under a Microsoft BAA agreement. However, there are responsibilities that the end user will have to keep in handy, as documented in the BAA agreement.
- Ensure the products in question are included in the then current “Microsoft Office Compliance Offerings” document. Click Here to download this document.
- Specify an administrative contact that will be notified in the event of a breach.
- Ensure that access controls are configured correctly. Microsoft provides an excellent document called “HIPAA/HITECH Act Implementation Guidance for Microsoft Office 365 and Microsoft Dynamics CRM Online” that can assist administrators. The document can be found HERE.
- Implement O365 as part of your organizations HIPAA compliance program.
If my email is HIPAA Friendly, can I use it to send ePHI?
It is important to note that all those that are bound by HIPAA requirements that ePHI and email DO NOT MIX. However, if you MUST send ePHI by email there are steps that can be taken.
Ensuring you have taken all the steps to make O365 HIPAA friendly in your environment is only one piece of a much larger puzzle for your practice or organization. Other important steps to achieving HIPAA/HITECH compliance can include
- Performing Risk Assessments Annually.
- Performing quarterly network assessments.
- Creating, implementing, and equally enforcing proper policies and procedures.
- Provide annual employee training on HIPAA policies and procedures as they apply to your organization.
- Assigning a Security Officer.
- Documented breach protocol documentation.
- Documented disaster recovery documentation.
- Encrypt all laptop and other portable devices.
- Enable anti-virus on all devices.
- Review audit logs for unauthorized access of ePHI.
- Have BAA documents for each organization that has access to your ePHI.
Determining these within your environment can be tough, and not maintaining compliance can put your organization at significant risk of both civil and criminal penalties. If you have any questions about how your organization’s HIPAA program, we recommend heading over to Optimized Computer Solutions where you can request a free 30-minute HIPAA review. Their team of HIPAA experts will be able to get you the assistance you need to ensure that your environment is in compliance.
Ensuring all sensitive data is protected is becoming more challenging every day. Maintaining the responsibilities from the BAA agreement that fall on the end user and being cognizant of the intricacies of ePHI are pivotal to navigating through the depths of HIPAA and data security. Optimized Computer solutions, along with Trusted Tech Team believe a properly implemented O365 environment is a great choice to be part of your HIPAA covered environment.