HIPAA Compliance and IT - Resources Regarding

[britechguy]

I am just wondering if anyone here has been doing IT setup for medical practices that need to be HIPAA compliant? If so, what resources are you using to ensure that what you're doing is HIPAA compliant?

I know, for instance, that we would not be responsible for HIPAA compliance for paper documentation and retention of same. For us it would mostly be about making the computers and network(s) being used secure enough to be compliant. I have yet to see something that I find straightforward and accessible with regard to insuring that the IT setup is HIPAA compliant.

 

[Markverhyden]

The first step is a BAA. As I understand it only parties directly tied to the CE need a BAA. Someone I contract with to support doesn't need a BAA. But in my case I'd only use someone who will provide a BAA.

Generally speaking, like many other situations, you need to be able to prove you engaged in best practices. So that means logs. You are correct we are not responsible for patient records. But we would need to prove that the electronic system we setup for storing those records meets HIPAA standards. So not only would we need, for instance, proof of encryption, we need to make sure any third party we engage, for instance iDrive for cloud storage, meets those standards. Along with that comes backups as well.

I seem to remember @YeOldeStonecat mentioning something about a HIPAA audit not too long ago. Heading out the door so I don't have time to look that up. But I'm sure there's a thread mentioning that somewhere.

 

[YeOldeStonecat]

Yup we have a few medical clients.
I don't do the audits...I won't audit my clients stuff, conflict of interest. I had jotted down some notes when my largest client had to get one done, it was a Hospice agency. Used an outside firm that specialized in doing audits. A multiple week project, involves a LOT more than just IT...but I sat side by side with the guy doing the audit on the computers. I'll try to find it and link it.

A few years ago we had a guy on these forums, JD Sims, he was a 1x man show...and then he branched out and started this service here, called HIPAA for MSPs. I used to chat with him a bit before he started that, and a little bit after he started it. Haven't talked to him in a while I should reach out to say "Hey". Great guy.

HIPAA for MSPs – Learn everything MSPs need to know to become successful in the Healthcare IT vertical.

www.hipaaformsps.com

 

[britechguy]

The thing about the BAA is that it really covers outside entities that actually deal with protected information as a part of the "bucket brigade," in a manner of speaking. Or at least the example one does. Most of us doing IT work would not fall under that category, as whatever contact we might have with protected information would only occur in the context of doing our work while doing our work, but not before and not after.

I really admire the intention behind HIPAA I have never felt that it gives clear and understandable guidelines such that you can absolutely, positively know you are fully in compliance. It's easy to tell when you're not, by and large, but there seem to be a lot of teeny-tiny bits that can bite you in the posterior.

As a former healthcare provider (I was a practicing SLP between 2000 and 2010) I knew what my obligations were as far as the reports I generated and the like, and even those could be written on an individual's home computer, not encrypted. It was about reasonable precautions, not absolute inability to every be compromised under any circumstances.

But when it comes to in-office IT requirements, where long term electronic medical record storage is involved, it's a lot less clear to me. Even what's required as far as network security and electronic security in general (e.g. firewalls) is not clear to me.

What triggered this question is I got a call from someone who's an OT who's setting up her own practice near me, and she's looking for IT help. I made it clear to her that I could provide services but that I would not, under any circumstances, say that I was guaranteeing HIPAA compliance. I am not thoroughly versed in HIPAA compliance, and anyone opening a medical practice needs to have an auditor who is look at everything after the initial setup, but before you open for business, so any corrections that may need to be made can be made. I'm not willing to carry the burden of being anyone else's HIPAA compliance officer. That's "above my pay grade."

 

[YeOldeStonecat]

Found my thread from ~4 years ago

https://www.technibble.com/forums/threads/so-my-largest-client-is-in-the-middle-of-a-full-blown-hipaa-audit-this-week.69091/

 

[britechguy]

Found my thread from ~4 years ago

https://www.technibble.com/forums/threads/so-my-largest-client-is-in-the-middle-of-a-full-blown-hipaa-audit-this-week.69091/

Much appreciated. Makes me even more certain that HIPAA compliance is not an area into which I want to get involved at this point in my life and career!

 

[Micheal Cunningham]

I am just wondering if anyone here has been doing IT setup for medical practices that need to be HIPAA compliant? If so, what resources are you using to ensure that what you're doing is HIPAA compliant?

I know, for instance, that we would not be responsible for HIPAA compliance for paper documentation and retention of same. For us it would mostly be about making the computers and network(s) being used secure enough to be compliant. I have yet to see something that I find straightforward and accessible with regard to insuring that the IT setup is HIPAA compliant.

So there are tools for HIPPA for MSPs to resell to the customers that automates their compliance. Syncro is Hippa Compliant and will provide a BAA. Private message me and I can send you links to everything.

 

[britechguy]

Private message me and I can send you links to everything.

Not that I am not grateful for your offer, and will comply if you insist, but why not just share that information here? The whole purpose of these forums, and asking for assistance on them, is so that information of a non-private nature (and I'd presume these links qualify) will be shared as widely as possible.

There are certain to be later searchers who might want the same information. It's better if it's provided in public whenever possible.