HIPAA Compliance for Local Doctors and Dentists
Most of us have done it: We need something on our work computer that is on our home computer, so we email it to ourselves. We use our home account, which may be a free Gmail or Yahoo Mail account, and email it to our corporate address. Boom. Quick, simple. Data has travelled from Point A to Point B, and now we have it in the handy, searchable database that is our email account should we ever need to access it again.
When consumer cloud storage contenders Dropbox, Box, iCloud and Google Drive showed up, many of us stopped the home-to-work emailing campaigns and began simply storing our data on the “cloud” where we could access it from work, home or our hotel while vacationing in Tahiti.
For many professionals, this works very well; however, medical professionals (and their business associates) based in the United States are regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and are held to a higher standard. The convenience is still afforded to us, but we must first ensure that our partners are compliant.
In 2013, the U.S. Department of Health and Human Services launched an investigation into St. Elizabeth's Medical Center in Boston based on a November 2012 complaint that the medical center failed to “implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level.”
Evidently, St. Elizabeth's also didn’t “identify and respond to a known security incident” associated with the cloud storage. This improper use of cloud storage cost St. Elizabeth’s $218,000 in penalties alone, to say nothing of the negative press.
Depending upon what is being shared, whether it be digital x-ray files belonging to patients or simply a patient contact and address list, the information is likely considered electronic Protected Health Information (ePHI) and should be held on a HIPAA-compliant server. An easy way to know whether your cloud file-sharing provider is HIPAA compliant is to ask the provider to sign a Business Associate Agreement (BAA).
Certain advanced patient file-sharing systems will also hold compliance certifications that enforce today’s security standards, such as SSAE 16 / ISAE 3402 Type II, ISO 27001, ISO 27017, ISO 27018, FedRAMP ATO, and PCI DSS v3.
Flat Fee HIPAA Training & Compliance
DigitalGoals partnered with one of the top HIPAA and cybersecurity law firms in the U.S. to put together both a fixed-fee HIPAA compliance program and an annual video-based HIPAA training and certification program. These two investments are inexpensive and effective for keeping HIPAA violations at bay. You can read more about potential HIPAA violations in our book. Schedule a strategy session to get your free copy!