When it comes to meeting the requirements of the Health Insurance Portability and Accountability Act (HIPAA), there are many potential controls that health care providers can implement to protect themselves against threats that could compromise sensitive data, like patients’ electronic personal health records (PHR).
Getting a handle on the controls of your particular environment starts with an understanding of your particular environment – your information systems – and the types of threats you are likely to face.
A threat is essentially any agent (person, activity, or event) with the potential to cause harm to the information system that could result directly or indirectly in a financial or data loss. The first step in evaluating a threat is to understand how the system will function, with regards to implemented technologies, and in what environment it will function.
These two areas will then dictate which threats are present and to what extent the system is exposed to present threats.
Since it’s impossible to list every technology/environment scenario and spell out exactly which threats apply and to what level the system is exposed, the best approach is to fully understand the system variables and then evaluate each granular threat by asking:
“Is this system exposed to this threat?”
“Is this system exposed to this threat less than or greater than normal?”
Controlling the HIPAA controls
At that point in the HIPAA conversation, we can talk about controls.
Controls are the active processes, procedures, and system features that are used to detect, reduce or eliminate the probability of a threat, thereby reducing risk. Controls are usually categorized as administrative, operational or technical.
Administrative controls address threats created by human behavior (users, administrators, vendors, attackers). Operational controls address threats created by the system’s operational or physical environment (server location, operating system, disasters). And technical controls address threats that are created by the use of certain types of computer or communications technology (remote access, public networks, peer computing, wireless).
As you might imagine, there are a large number of potential controls that can be used singularly or in combination to protect against threats. At ZZ Servers, we help customers track 24 different items on our HIPAA Security Control Checklist methodology.
Managing the devilish details
This is where the devil appears in the details.
Having a solid understanding of your system variables enables you or your service provider to begin evaluating the controls of the system. It is still possible to understand a system and still not know the specifics around a particular control.
In those cases, ask your service provider or appropriate contact how the particular HIPAA security controlhas been implemented, if at all. Based on the responses, you can track the effectiveness of each implemented control.
This is all critical work. For the 24 HIPAA Security Controls mentioned earlier, the ZZ Servers checklist helps track the existence of more than 40 process, procedure and test-related items that substantiate the given controls.
More than just checking the HIPAA boxes
Working through HIPAA compliance is daunting task for health care providers who lack the sufficiently skilled and dedicated resources to do it themselves.
And while many IT service providers may claim to build the right amount of security into their product or service offering, what about HIPAA?Achieving HIPAA compliance requires sound security practices, robust technical solutions and expert security support.
Do you trust your service provider to be on top of the detailed controls and checklists that will ensure your HIPAA compliance?
This is what we do. Cost-effective HIPAA-compliant systems and managed services are among ZZ Servers’ core competencies.
We’ve assembled infrastructure, systems hardening and managed services into convenient, cost-effective solutions that are ideally suited for smaller and medium-sized healthcare service providers. We offer fully dedicated and semi-dedicated HIPAA enabled hosting solutions.
Plus, each HIPAA environment is custom designed by our system engineers and security specialists to meet the unique needs of a given business, better ensuring HIPAA compliance.
So rather than trying to dance with the devil in the details, turn to a trusted expert like ZZ Servers for reliable and affordable assistance with the implementation of your HIPAA controls.
