Nearly every practice in the United States today uses computers in the day-to-day operations of their practice. Most use some form of Electronic Medical Record (EMR) software and also bill insurance carriers electronically. Fifteen years ago, it was common for a practice to have only two or three computers, for the front desk and billing. Now, with tablets or computers in the exam rooms, that has all changed. Modern medicine runs on computers. Because of this, practices are more dependent than ever on IT service companies or individuals. These companies can make or break a practice at a time when profit margins are shrinking. How do you know whether your IT support is up to the task of supporting a medical practice, or whether they are a time bomb waiting to go off? Read on for ways to ensure you are getting competent support for your practice.
Medical IT service companies aren’t the same as those for other businesses
Let’s face it. Medical computer support isn’t the same as supporting most other kinds of businesses. The biggest difference is that people’s lives and health are at the center of things. Most other businesses don’t have to contend with that. Adding to that are HIPAA regulations, which require a level of security and privacy that practices must implement. Failing to do so can lead to stiff penalties or even jail time. While other industries also have compliance laws to follow, medicine is under the microscope because it involves patient health.
Computer and IT-related services aren’t complicated, but introducing compliance regulations can make them more so. This is because compliance mandates a level of security most businesses won’t implement because it causes inefficiency. In addition, computer security and IT services aren’t the same thing. While there is overlap, those who have become certified in security are specialists within the IT services field. In fact, in the US alone, there will be an estimated shortage of 3.5 million security techs by 2021.
Even fewer are trained and certified in HIPAA compliance. Supporting a medical practice’s computers and networks isn’t the same as supporting those of other businesses, because of the complexity of HIPAA regulations. Are you working with a company that has your practice in good hands, or are they a time bomb waiting to explode? You can find out by asking the questions below.
10 questions you need to ask your IT support
1. Do you have a Business Associate Agreement with them? Were they willing to sign it, and did they even offer one to you before performing any work?
This is a good indication of whether your IT person or company has any experience with HIPAA. If they didn’t ask to sign a Business Associate Agreement BEFORE touching your network, then you both are violating HIPAA regulations. The Business Associate Agreement is required for any third party who has access to your Protected Health Information (PHI).
2. What training or certifications do their staff have in both security and HIPAA compliance?
Both HIPAA and security are complex topics that require training. There are numerous certifications available for those willing to test. This is a good differentiator when you are comparing various computer companies. Those that have invested in certifications are much more likely to be serious about HIPAA and security.
3. Do they practice what they preach? Do they have their own HIPAA policies and procedures, disaster recovery plan, and security policies?
Ask them to show you a copy of their own policies and procedures, security policies, disaster recovery plan, and incident response plan. If they don’t have these documents or aren’t willing to show them to you, keep looking for other IT service companies.
4. Did they implement a disaster recovery plan for your practice? Did they even discuss this with you?
In the worst-case scenario (natural disaster, server crash, ransomware, robbery), does your IT company have a plan to get you back up and running? Is it documented? Is this even something they have discussed with you? A disaster recovery plan is critical to the survival of your practice.
5. Did they offer to perform a Security Risk Assessment?
A Risk Assessment is the cornerstone of HIPAA compliance. It measures where you are and what needs to be addressed. A company that is HIPAA focused will know this and include one in their service offerings.
6. Did they install a firewall in your practice? If so, how do they monitor it?
Firewalls are crucial to protecting your practice from attacks from the internet. If you don’t have one, you are wide open to attackers from all over the world. But just having one isn’t enough. It must be monitored and kept up to date. Not monitoring your firewall is like having an alarm system that doesn’t call the police: its usefulness is very limited.
7. How do they monitor your computers’ access logs for signs of intrusions or of employees accessing records that they have no medical need to access?
This is similar to monitoring your firewall logs. Your computers generate logs whenever an event occurs. In the event of an attack, these logs will be full of clues that would alert anyone who is monitoring them. But if no one is, then they are useless. In addition, employees aren’t allowed to access records that they have no medical need to access. Is anyone monitoring for this? Does your IT company include this in the service they provide to you?
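To make the second half of this question concrete, here is an added example (not from the article, and not tied to any particular EMR product) of the kind of review an IT company should be running over an EMR audit trail. The log format, the user names, the care-team table, the role policy and the thresholds are all constructed assumptions; it flags record access by staff who have no documented treatment relationship with the patient, and separately flags a user opening many different charts in a short window, which is a common pattern when records are being browsed without a medical need.

```python
"""Review EMR audit-log entries for access without a documented care relationship.

Added example, not from the original article. Log format, users, care-team
assignments, role policy and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: timestamp, user, role, patient id, action.
SAMPLE_LOG = """\
2024-03-04T08:02:11,dr.lee,physician,P1001,view_chart
2024-03-04T08:05:40,nurse.kim,nurse,P1001,view_meds
2024-03-04T08:09:02,frontdesk.ana,front_desk,P1001,view_demographics
2024-03-04T08:15:19,frontdesk.ana,front_desk,P1001,view_chart
2024-03-04T09:30:00,dr.lee,physician,P2002,view_chart
2024-03-04T12:01:05,billing.raj,billing,P3003,view_chart
2024-03-04T12:01:09,billing.raj,billing,P3004,view_chart
2024-03-04T12:01:14,billing.raj,billing,P3005,view_chart
2024-03-04T12:01:20,billing.raj,billing,P3006,view_chart
"""

# Constructed care-team assignments: users with a treatment relationship.
CARE_TEAM = {
    "P1001": {"dr.lee", "nurse.kim"},
    "P2002": {"dr.lee"},
    "P3003": {"dr.patel"},
    "P3004": {"dr.patel"},
    "P3005": {"dr.patel"},
    "P3006": {"dr.patel"},
}

# Assumed role policy: non-clinical actions a role may perform for any patient
# (the "minimum necessary" for that job), even without a care relationship.
ROLE_ALLOWED_ACTIONS = {
    "front_desk": {"view_demographics"},
    "billing": {"view_billing"},
}


def parse_log(text):
    """Parse the constructed CSV-style audit trail into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return entries


def find_unjustified_access(entries, care_team=CARE_TEAM, role_allowed=ROLE_ALLOWED_ACTIONS):
    """Return (user, patient, action) for accesses with no care relationship
    and no role-based justification. These are the events a reviewer should
    examine with the practice manager."""
    findings = []
    for e in entries:
        if e["user"] in care_team.get(e["patient"], set()):
            continue  # on the patient's care team: justified
        if e["action"] in role_allowed.get(e["role"], set()):
            continue  # permitted non-clinical action for this role
        findings.append((e["user"], e["patient"], e["action"]))
    return findings


def find_rapid_chart_browsing(entries, max_patients=3, window_seconds=60):
    """Flag users who open charts of more than max_patients distinct patients
    within window_seconds. Returns {user: distinct patient count}."""
    by_user = defaultdict(list)
    for e in entries:
        if e["action"] == "view_chart":
            by_user[e["user"]].append((e["ts"], e["patient"]))
    flagged = {}
    for user, views in by_user.items():
        views.sort()
        for i, (start, _) in enumerate(views):
            in_window = {p for t, p in views[i:]
                         if (t - start).total_seconds() <= window_seconds}
            if len(in_window) > max_patients:
                flagged[user] = len(in_window)
                break
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for finding in find_unjustified_access(log):
        print("no documented need:", finding)
    for user, count in find_rapid_chart_browsing(log).items():
        print(f"rapid chart browsing: {user} opened {count} charts in under a minute")
```

In a real practice the care-team table would come from the scheduling or encounter system rather than a hard-coded dictionary, and the review output would go to the compliance officer as part of the regular reporting described in question 9. The point is that both checks are only possible if someone is actually collecting and reading the logs.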
8. Do they provide you with HIPAA and security awareness training?
Many practices think that HIPAA training is performed once per year. Recently, HHS has decided this isn’t enough and has been grading compliance efforts based on the quality of the training an entity provides. In addition, security awareness training is needed to keep office staff up to date on the latest threats to the security and privacy of your PHI. Because this is a very important component of HIPAA compliance, your service company should include it in their offerings.
9. Do they provide any reports so that you can judge if they are doing the things that need to be done to protect your practice?
Reports provide you with the information, and documentation, to prove HIPAA compliance. In the event of a HIPAA audit, this documentation will show that you have performed your due diligence.
10. What procedures do you have in place for my practice in the event a breach such as ransomware does occur?
An incident response plan is a required part of HIPAA compliance. When something happens, what do you do, and whom do you call? IT service companies that are HIPAA- and security-focused will provide a written plan for you.
Computers are deeply integrated into medical practices today. Your practice depends on them working well so that you can see patients efficiently. On top of having IT support that resolves the normal computer issues that occur, consider whether they are also able to help you with your network security and HIPAA compliance. This is just as important as fixing computers. Having the wrong company support your computers puts your practice in jeopardy and also invites HIPAA violations.
These questions will give you a clear idea of whether the company you are working with, or contemplating working with, can really do what is needed to help you be HIPAA compliant. They will also let you know whether that company is a liability for your practice rather than a partner that is there to help you.