October 22, 2020
Over the last few months, I have had the pleasure of speaking to medical professionals, practice owners, and service providers that work with medical practices. A lot of them expressed confidence that they were HIPAA compliant simply because they were using cloud-based Electronic Medical Records and practice management systems. When probed on whether or not they had internal policies, sign-offs, and secure end-user systems, the response more often than not was a blank stare. When asked if they have every taken the opportunity to review the requirements on the Department of Health and Human Services website, the response was a wry smile and a shake of a head.
To dispel the myth, just because your cloud EMR/Practice management suite vendor is HIPAA compliant, does not mean that you are. Compliance means having and adhering to a written Information Security policy that
1) Identifies the organization and persons responsible for information security
2) Has a set of written policies and procedures that define how the data is accessed, stored, distributed and deleted
3) Has a set of written documents, policies and procedures that explain how the systems that are used to access and store the data are
designed, implemented, monitored and disposed
4) Explains the process to be followed in case there is a breach
5) Provides for periodic audit of the organization to ensure that the policy is adhered to
6) Is updated as the security requirements change
A baseline template for this policy as well as a checklist to help ensure that appropriate items are included can be obtained for a multitude of sources. Here are some of them:
I do recommend that when designing and implementing the information security policy, one consults a professional to ensure that everything is done properly. For any questions, feel free to reach out at email@example.com or here on LinkedIn.
"As a medical data company, compliance and data security are extremely important to our organization. The team at Aegis IT Solutions was instrumental in ensuring that our clients’ data is properly safeguarded while providing strategic advice and helping us navigate through complicated compliance challenges associated with an international enterprise providing and managing access to personal confidential data."
"We do data analytics for many large corporate clients, both in the cloud and on premises. Security was a sore topic for us until we retained services of Aegis IT Solutions. Ilya was very responsive, professional and knowledgeable. With his help and leadership, we improved our processes, properly planning for security-related activities and professionally communicating with clients for the best mutually acceptable security approach."
"Client service is the ethos of Aegis IT Solutions. Ilya and his team never fail to provide the most up-to-date insight on technology and system upgrades. They always take time to meet our law firm’s never ending IT needs. We considered Aegis IT Solutions as one of the most essential assets to the function of our busy practice. I am grateful for having formed this lasting relationship."
© 2021. Aegis IT Solutions. All rights reserved.