“There’s no training required. It’s very simple,” Marvin Onyemaechi, the hospital’s director of IT operations, tells HealthTech. Typing the word “private” in the subject line automatically triggers encryption. “That’s all you need to do,” he says.
Email remains important, but these days it is likely just one part of a communications strategy that spans several devices; even pagers are still in active use in healthcare. For this reason, IT teams should consider a multipronged approach to HIPAA-compliant communications.
As Susan Snedaker, Tucson Medical Center’s director of IT infrastructure and operations, writes in an article for HealthTech: “Any one technology can help an organization keep PHI secure. But an array of HIPAA-compliant communications solutions — such as encrypted email to communicate with patients and secure messaging systems to facilitate time-sensitive internal communications — might be the better bet.”
2. Understand HIPAA-Compliant Cloud Storage
Healthcare organizations have begun to adopt the cloud in earnest. But that move has also triggered concerns about privacy and security for data stored in the cloud. The good news is that an understanding of the basics of HIPAA compliance can assuage these fears and free providers to adopt cloud technology appropriately.
What are these basics? According to healthcare attorney and consultant David Harlow, any cloud storage provider should be approached by the payor or health provider as a business associate. “This means that CSPs storing PHI are subject to HIPAA and need to have appropriate administrative, physical and technical controls in place to address the requirements of the HIPAA Security Rule,” he writes in HealthTech.
Once the cloud provider has been established as a business associate of the covered entity, the rest follows suit. Harlow writes: “The CE and the BA must have a business associate agreement (BAA) in place; the CE needs to understand the BA’s cloud environment for purposes of its own risk analysis; both the CE and BA need to hold up their ends of the bargain in terms of implementing security controls; and so on.”
3. Conduct Regular HIPAA Risk Assessments
As part of HIPAA’s Security Rule, entities covered under HIPAA must conduct risk assessments in order to stay compliant.