Perhaps it’s in my nature as a millennial, or maybe I’m lazy with my words, but I love an abbreviation! FOMO, y’all, bday. Some words and phrases just sound better shortened or condensed. So upon deciding to join @BioOhio for their #TechExpo, we decided to address the most infamous abbreviation in the medical industry: HIPAA, the Health Insurance Portability and Accountability Act, which established the rules for protecting medical records.
In the biomedical industry, data is paramount and it is vast. An average organization sees its data volume grow by about 30% compounded year over year. For those who work in this arena, there are some basic parameters for handling patient data: it must remain private, and it must be securely stored and exchanged. If your business interactions could cause you to encounter patient data even accidentally, then you had better listen up!
HIPAA compliance is serious, and failure to treat it as such can be detrimental to your business. Under HIPAA, a ransomware attack on systems holding PHI is presumed to be a reportable breach. That is, an organization has to follow the HIPAA breach notification rules (and face potential fines!) unless it can demonstrate a low probability that the data was compromised, for example by showing that no data left the organization. But you probably already knew that, right? Do you know the steps necessary to make certain you are compliant? Did you know Practical Assurance has a platform that will walk you through a HIPAA compliance health check as easily as TurboTax does your IRS return? If there’s even a chance you could be audited, then you need to check out the HIPAA for startups presentation delivered by Aaron Botsis.
Aaron lays out specific steps a startup (or really any business) should take to ensure it remains HIPAA compliant. I sat in on his presentation to learn a thing or two. Here are a few of my takeaways from listening to Aaron’s presentation:
- As notorious as HIPAA is, creating a plan to remain compliant is not as daunting as it seems. Aaron breaks the security policy document down into simple, tangible components. Think KISS, folks!
- It’s okay to have a policy that your business will not interact with PHI or ePHI (electronic PHI) data, paired with a plan to destroy such data should it accidentally be passed to you.
- Even if your organization doesn’t handle PHI data, one of your business associates might. And, by nature of your Business Associate Agreement, you are responsible (and liable!) for any PHI you come in contact with. You may need to prove your own compliance in order to validate theirs.
Although I learned some fine points from Aaron, he’s the real expert. I recommend you review his presentation (or talk to him), but if you’re curious, here are the three basic steps he laid out, in a nutshell:
- Assign a security / privacy officer
- Perform a risk assessment
- Create a security policy document
If you’re interested in the details, feel free to download Aaron’s entire presentation. Aaron is our Security Practice Manager at RoundTower. He and his team are IT security experts. If you’re serious about the security of the IT functions within your business, you should talk to Aaron, and I’ll be happy to connect you.