From the September 2013 issue of HealthCare Business News magazine
What about equipment storing ePHI that’s being retired? Someone in the organization had better make sure that the equipment’s hard drive is destroyed. Even if you’re unsure whether the device contains ePHI, it’s still best to play it safe and have it destroyed. There are companies you can partner with that will erase hard drives onsite and give you records for a potential HIPAA audit. This is actually a fairly inexpensive option compared to doing it yourself, which would require hiring staff and acquiring the necessary equipment.
4) Put Business Associate Agreements (BAA) in place with all of your vendors.
With dozens or hundreds of vendors coming in and out of your organization to service equipment, make deliveries and more, chances are that they’ll come in contact with your ePHI and, if you’re not careful, potentially trigger a data breach. The HIPAA Security Rule states that you must have a Business Associate Agreement (BAA) in place with every single vendor that may be exposed to ePHI. A BAA ensures that your vendor will follow your policies and procedures, or have equal ones of their own. Now, if a data breach occurs because of the actions of a business associate, the hospital is still liable, but it may be able to sue the vendor for damages. More than anything, it’s a safeguard that your vendors care as much about protecting ePHI and sensitive patient information as you do. If you come across a vendor who’s not willing to sign a BAA, they’re likely not worth your time, money and risk.
5) Understand the best practices of peers.
One of the main frustrations with the HIPAA Security Rule is that it’s not prescriptive. Life would be easier if it came with step-by-step instructions, instead of vague statements about requirements. Some hospitals make the mistake of creating their own processes and definitions, which won’t cut it with a HIPAA auditor. Instead, seek to understand industry best practices so you can ensure your hospital’s policies are in line with those around you. In order to do this, attend conferences, seminars and local networking events, read trade publications or look for specific information online.
Adopting these practices will go a long way in strengthening your arsenal and shielding your organization from data security risks.
About the author: Derek Brost is the Chief Security Officer of eProtex, the nation’s first data security company specializing in the hidden risks of connected medical devices.