If you run a small medical office, such as a doctor's, dentist's or similar practice, you at the very least have some computer workstations and a server, a firewall, a Wi-Fi network and some printers. While there are many ongoing parts to keeping your technology compliant, there are some basic items you must do to at least show an auditor that you are making a best effort.
With HIPAA It's All About Documentation
The checklist below is a basic IT list every medical office should not only implement but also check and document on a regular basis, to make sure not only that you have each item but that it is working.
Anti-Virus Software - Do you have anti-virus software actively running on each PC? If yes, the more important question is: are you able to prove it? You need to show that you have AV software running on each PC and that you have scheduled scans running daily and weekly.
You also need an alerting system in place (and documented) so you can prove that if your AV software detected something it couldn't fix, you knew about it, researched it and made sure your patient data was still safe.
Windows Updates and Patching - Assuming that Windows' built-in patching is working and keeping your computers up to date simply isn't good enough in the event of an audit. You should have a managed Windows patching system in place, checked weekly, to make sure computers are being kept current.
Backup - HIPAA requires that backup data stay encrypted at rest and in transit. That means if you are backing up your server, whether to a USB drive or to a cloud environment, the data must be encrypted before it leaves your server (encrypted "in transit") and at its final destination, whether a cloud resource or a USB drive (encrypted "at rest"). Documentation is key to proving this process is in place.
Laptop Encryption - Chances are you have a mobile device, such as a tablet or laptop, that lets you work when you are on the run. Do you store patient data such as X-rays and charts on your laptop? If yes, your laptop must be encrypted in case it is lost or stolen. A lost or stolen laptop is considered a breach and must be reported, and you must prove that the laptop was encrypted to prevent a data compromise.
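The checklist above is about being able to prove each control is working, so the practical step is to collect that evidence from every workstation on a schedule and keep the reports. The script below is an added example, not code from Neotech Networks or this article. It assumes a Windows 10/11 PC using Microsoft Defender Antivirus and BitLocker, run from an elevated PowerShell session; the report folder is a placeholder you should change. It writes a dated evidence file covering the anti-virus, patching and disk-encryption items and flags anything that would not satisfy the checks described above. Backup encryption evidence depends on your backup product and is not covered here.

```powershell
# Added example (not the page's or vendor's own code): collect HIPAA IT evidence from one workstation.
# Assumptions: Windows 10/11, Microsoft Defender Antivirus, BitLocker, elevated session.
# $ReportPath is a placeholder; point it at a folder your documentation process retains.

$ReportPath = "C:\HIPAA-Evidence\$($env:COMPUTERNAME)-$(Get-Date -Format 'yyyy-MM-dd').txt"
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null

$findings = [System.Collections.Generic.List[string]]::new()
$findings.Add("HIPAA IT evidence for $env:COMPUTERNAME collected $(Get-Date -Format o)")

# 1. Anti-virus: running, signatures fresh, and daily/weekly scans actually happening.
$av = Get-MpComputerStatus
$findings.Add("AV enabled:            $($av.AntivirusEnabled)")
$findings.Add("Real-time protection:  $($av.RealTimeProtectionEnabled)")
$findings.Add("Signature age (days):  $($av.AntivirusSignatureAge)")
$findings.Add("Last quick scan:       $($av.QuickScanStartTime)")
$findings.Add("Last full scan:        $($av.FullScanStartTime)")
if (-not $av.AntivirusEnabled -or -not $av.RealTimeProtectionEnabled) {
    $findings.Add("FAIL: anti-virus is not actively running")
}
if ($av.AntivirusSignatureAge -gt 3) { $findings.Add("FAIL: signatures older than 3 days") }
if ($av.QuickScanAge -gt 1)          { $findings.Add("FAIL: no quick scan in the last day") }
if ($av.FullScanAge -gt 7)           { $findings.Add("FAIL: no full scan in the last week") }

# Alerting evidence: every detection on record should have a documented follow-up.
$threats = @(Get-MpThreatDetection -ErrorAction SilentlyContinue)
$findings.Add("Threat detections on record: $($threats.Count)")
foreach ($t in $threats) {
    $findings.Add("  $($t.InitialDetectionTime)  ThreatID=$($t.ThreatID)  Resources=$($t.Resources -join ';')")
}

# 2. Patching: the most recently installed update should be recent.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $findings.Add("Most recent hotfix: $($lastFix.HotFixID) installed $($lastFix.InstalledOn)")
    if ($lastFix.InstalledOn -lt (Get-Date).AddDays(-30)) {
        $findings.Add("FAIL: no update installed in the last 30 days")
    }
} else {
    $findings.Add("FAIL: no installed updates with a recorded date")
}

# 3. Encryption at rest (laptop item): the OS volume must be fully encrypted with protection on.
foreach ($vol in Get-BitLockerVolume) {
    $findings.Add("Volume $($vol.MountPoint) ($($vol.VolumeType)): $($vol.VolumeStatus), protection $($vol.ProtectionStatus), $($vol.EncryptionMethod)")
    if ($vol.VolumeType -eq 'OperatingSystem' -and $vol.ProtectionStatus -ne 'On') {
        $findings.Add("FAIL: OS volume $($vol.MountPoint) is not protected by BitLocker")
    }
}

Set-Content -Path $ReportPath -Value $findings
Write-Host "Report written to $ReportPath"
```

Run it from a scheduled task on each PC and keep the dated files; a report with no FAIL lines is the evidence an auditor asks for, and a FAIL line is the trigger for the documented follow-up the alerting item requires.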
Neotech Networks is an IT provider in the New York and Long Island area that serves small businesses. If you would like a free consultation, please use our contact form or call 212.858.9022.
224 West 35th Street 11th Floor
New York, NY 10001