Every employee at Online Tech is trained to understand and follow HIPAA compliance standards and the importance of protecting sensitive information. We consider ourselves the guardian of your IT infrastructure, but we also understand the explicit boundaries of that responsibility when it comes to maintaining your privacy and security.
To meet the Administrative Safeguards of the HIPAA Security Rule, an organization that handles protected health information (PHI) must designate a security official responsible for its security policies and procedures (164.308(a)(2)) and implement a Security Awareness and Training program for its entire workforce (164.308(a)(5); HHS.gov).
Not only does the entire workforce of a covered entity (CE) need to be trained on HIPAA compliance standards, the business associates (BAs) it partners with need to train their workforce as well. Day-to-day policies and procedures shape the physical, technical and administrative security of an organization, and at a hosting provider those procedures directly affect the environment your servers live in.
HIPAA Security Rule training is intended to protect the confidentiality, integrity and availability of ePHI (electronic protected health information) by raising security awareness among staff so that unintentional data breaches and data loss are avoided. The rule itself only calls for periodic security updates and does not set a schedule; in practice, training should be conducted at least annually, and repeated sooner when there is a significant change in management, policy or the technology in use.
The Security Awareness and Training standard includes four addressable implementation specifications: security reminders, protection from malicious software, log-in monitoring and password management.
When it comes to data centers, you should check that your HIPAA hosting provider/business associate has the following in place:
- Two-factor authentication for physical access - Everyone in the data center should be wearing a badge that identifies them, and entry should require two different factors, for example a badge plus an access code, or a badge plus a biometric fingerprint scan. Two badges, or a badge alone, is not two-factor.
- Extensive video surveillance - Ask to see the video archives and how long they are retained (at least 90 days).
- Visitor logging - Every entry in the visitor log should correspond to an entry on the video footage, and vice versa. Ask when an independent auditor last confirmed that the visitor log and the video archives match. Ask who the auditor was, and look into the auditor's company to confirm its credibility.
- Procedure documentation - Ask to review the written procedure for handling access requests, including how requests that arrive as an unannounced visit, a phone call or an email are verified before anyone is let in.