Helping a company comply with HIPAA
-
So I've been speaking to a friend that works for an early learning (0-3) company and they have their clients signing documents relating to HIPAA but I'm finding a lot of gaps in their IT systems which don't come close to complying with HIPAA. They are using a cloud document system, OpenDrive, that has no reference to being HIPAA compliant for instance, laptops that have no encryption or security on them, etc.
I've not been involved with any company before that needs to be HIPAA compliant so wondering what resources there are I can look at or advice from those here to help move them to being more compliant.
They are a small company (8-10 staff, all 1099 employed in IL) with nearly 0 extra funds or resources so any solution needs to keep this in mind. Most of their staff are either on Gmail or familiar with it so looking at the GApps platform I see there's a HIPAA BAA solution with them and for $5/user/month the cost isn't going to be much more than OpenDrive but it provides them much more than just document storage.
-
Their website is likely the best place to start.
-
@DustinB3403 sure, that was the obvious first site but I'm looking for a more practical site that more specifically applies directly to IT as well as real user experience in the implementation of it.
-
@larsen161 said:
...laptops that have no encryption or security on them, etc.
FYI, there is no requirement for encryption. That specific measure is addressable. In other words, they could say that they keep no medical data on laptops, therefore they don't need the laptops to be encrypted... but it's even easier than that... they could say that the laptops never leave the building, therefore encryption isn't needed. Of course that doesn't help them in cases where it's stolen, so at that point they would have a breach, but they wouldn't be in violation of the law, just subject to the breach requirements.
-
@larsen161 said:
@DustinB3403 sure, that was the obvious first site but I'm looking for a more practical site that more specifically applies directly to IT as well as real user experience in the implementation of it.
If you find one, I'd love to see it.
-
@larsen161 the website has a lot of technical documentation for businesses and outlines how a business should go about becoming HIPAA compliant and maintaining that compliance.
I'd be wary of trusting outside sources, for the very reason of what if HIPAA changes the criteria.
-
@DustinB3403 Thanks, I'll take a closer look
-
@Dashrender they are all field workers so laptops are never even in an office - they don't even have one. From what I've seen so far that data is on laptops so either a change in procedure or encryption may be useful if left as is.
-
@larsen161 Or you set up a policy that no data is on the laptop and configure VDI, using a VPN and RDP.
2FA with basic AD information would likely go a long ways as well.
-
As Dustin mentioned - just don't have any local data, then you have no worries. It would be awesome if you could just use something like a Chromebook. All web, all the time.
-
@Dashrender well Chromebooks do have local storage but they are encrypted by default and with Apps for Work there's the ability to disable some of the Drive sync abilities to limit storage on local devices.
Some staff are currently using Dell Inspiron laptops from ~5 yrs ago so it's definitely time for an update.
-
They could do their own storage on ownCloud for pretty cheap. I don't know their needs but often you can do that for $20/mo or so. That's total, not per user. Use encrypted partition(s) for the data and make sure you are encrypted on the front end with SSL and you are in pretty good shape.
-
@Dashrender said:
As Dustin mentioned - just don't have any local data, then you have no worries. It would be awesome if you could just use something like a Chromebook. All web, all the time.
Yeah, this is often a very good way to go.