HIPAA compliance software – Office 365 HIPAA

HIPAA Compliance Software

Protected health information is an important subject in the technological age. The use of mobile devices such as smartphones and tablets makes it more consequential for companies to have protections in place. With the use of online services like Office 365, HIPAA compliance takes on a new level of complexity. Not only must your business have regulations and safe practices in place to protect sensitive data, but the online service must have HIPAA compliance software measures as well.

The IT manager can easily be confused by which services have the proper protections in place to help safeguard data. A quick search turns up hundreds of names, all claiming to have the certifications necessary to meet your needs. While many do, not all are as compliant as they pretend to be. So, one wonders: is Office 365 HIPAA compliant?

Certified to Protect

Microsoft has the robust security features necessary to help protect information stored on its servers. The company offers two-factor authentication to help keep your accounts secure. In short, Office 365 is HIPAA compliant.

As an Office 365 user, there are some things you must do to take advantage of their compliance standing. All companies using Office 365 must complete a business associate agreement, or BAA, with Microsoft. Once it is in place, Microsoft, for their part, will do everything in their power to ensure your protected health documents are secure.

Configuring Office 365 Email

After signing a BAA, Microsoft helps you set user emails to comply with HIPAA regulations using the Exchange Online Protection program. Only administrators can configure these settings, as they are reached from the Exchange Admin Center page.

Once on the Admin page, select Compliance management, then Data Loss Prevention. From here, click the “+” sign and select New DLP policy from template. Scroll until you find HIPAA and choose that template.

By default, Office 365’s HIPAA rules scan messages for Drug Enforcement Agency (DEA) numbers and Social Security numbers. However, if you need more coverage, you can add:

  • US Passport number
  • US Bank Account
  • US Driver’s License
  • US Individual Taxpayer Identification number

To add any of these items to your HIPAA configuration, just select them in the template. You can also customize rules to add fields such as Date of Birth.

Once enabled, Office 365 scans each email for the selected sensitive information. When a message matches, Microsoft reports the incident to the system administrators through its standard notification procedures.
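To make the scanning step above concrete, here is a small DLP-style scanner for the two sensitive-information types the HIPAA template checks by default, Social Security numbers and DEA registration numbers. This is an added example, not Microsoft's classifier or any CloudAlly code; the sample messages are constructed, and the validation rules (the SSN area/group/serial ranges the SSA never issues, and the DEA check-digit formula) are the public format rules, used here to show why a real DLP engine validates a match instead of trusting a bare regular expression.

```python
from __future__ import annotations
import re

# Regular expressions for the two sensitive-information types the Office 365
# HIPAA DLP template checks by default.  SSN: three-two-four digits with a
# consistent separator (dash, space, or none).  DEA: two letters + seven digits.
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")
DEA_RE = re.compile(r"\b([A-Z]{2})(\d{7})\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number shapes the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000.  This cuts false positives on invoice or PO numbers."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def dea_checksum_ok(digits: str) -> bool:
    """DEA registration numbers carry a check digit: add the 1st, 3rd and 5th
    digits, add twice the sum of the 2nd, 4th and 6th, and the last digit of
    that total must equal the 7th digit.  (The registrant-type letter set is
    not enforced in this example.)"""
    d = [int(c) for c in digits]
    total = (d[0] + d[2] + d[4]) + 2 * (d[1] + d[3] + d[5])
    return total % 10 == d[6]


def scan_message(text: str) -> list[tuple[str, str]]:
    """Return (type, matched_value) pairs for each validated hit in one message."""
    hits: list[tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(m.group(1), m.group(3), m.group(4)):
            hits.append(("ssn", m.group(0)))
    for m in DEA_RE.finditer(text):
        if dea_checksum_ok(m.group(2)):
            hits.append(("dea", m.group(0)))
    return hits


def scan_mailbox(messages: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Scan several messages; only messages with at least one validated hit
    are reported, which is what an administrator incident report would list."""
    return {mid: hits for mid, text in messages.items() if (hits := scan_message(text))}


# Constructed sample messages (not real data).  AB1234563 satisfies the DEA
# check digit; AB1234567 does not.  987-65-4321 has an unissued area number.
SAMPLE_MESSAGES = {
    "msg-1": "Refill authorised, DEA AB1234563, patient SSN 123-45-6789.",
    "msg-2": "PO reference 987-65-4321, ticket AB1234567 - nothing protected here.",
    "msg-3": "Team meeting at 10:30 in room 204.",
}

if __name__ == "__main__":
    for mid, hits in scan_mailbox(SAMPLE_MESSAGES).items():
        print(mid, hits)
```

Only msg-1 is reported: msg-2 contains the right digit shapes but fails both validation rules, which is the difference between a noisy pattern match and a DLP detection an administrator can act on. Adding the optional types from the list above (passport, bank account, driver's license, ITIN) means adding a pattern plus its own validation rule in the same way.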

Office 365 HIPAA Compliance Is Not Enough

Using an email service that is HIPAA compliant, like Office 365, is not sufficient. Microsoft is only responsible for maintaining security on their end of the agreement. It is up to business owners to use best practices to protect customer information and comply with HIPAA regulations.

Adding two-factor authentication is just one step to help protect your files in a HIPAA-regulated situation. Using encrypted email when sending data contributes to protecting your customers from potential information loss.

Another step you can take is to limit who on your staff can send emails concerning patient information. Limiting who can access and edit client files is another way to protect sensitive data.

Patient consent forms, which must be signed for health information to be shared with anyone other than the patient, are the responsibility of your office. Microsoft does not take responsibility for this document. It is up to your staff to obtain and retain written permission. Under HIPAA regulation, this agreement is obtainable via email. However, you must inform the patient of any potential risks they may have using email to communicate sensitive data.

Properly managing where protected health information is stored is the most important thing you can do to comply with HIPAA regulation. While mobile devices often come with Office 365, they can only increase the risk of others gaining access to patient information. Misplaced laptops and cell phones can lead to stolen documents if those documents are saved on the device itself.

Having a cloud backup in place can act as a barrier against malicious data loss. Storing information in the cloud keeps it off the hard drive of a mobile device that is easily lost. However, if you choose to store your information in the cloud, make sure your backup service is HIPAA compliant so that you adhere to government regulation.

CloudAlly is ISO 27001 certified and is thoroughly HIPAA compliant software. We offer business associate agreements to all clients who ask for them. Our Office 365 backup covers email, calendar, tasks, and contact data.

Try us free for 15 days; no credit card is required to sign up.

HIPAA IT compliance – G Suite

For many companies, moving to the cloud is supposed to solve many of the headaches they have with compliance and regulatory agencies. Cloud hosting offers redundancy and protection, an area where some businesses are lacking. However, when it comes to the Health Insurance Portability and Accountability Act of 1996, best known as HIPAA, many cloud services are lacking and are not ready for HIPAA IT compliance. Google G Suite, however, has worked extremely hard to be one of the few providers that is not among them.

Making G Suite HIPAA compliant is easy.

Google published a guide to making their G Suite service HIPAA compliant. The lengthy explanation includes share settings for Drive and calendars. They also recommend that users have strong passwords with a combination of upper- and lower-case letters, numbers, and special symbols. Google suggests that, in addition to strong passwords, all users turn on two-step sign-in authentication.

To make securing G Suite accounts less confusing, here are five primary ways to ensure G Suite is HIPAA compliant.

Sign an Agreement with Google

Google strives to make their service as secure as possible. However, they cannot guarantee HIPAA compliance if there is no agreement in place dictating that the account needs these protections.

Google’s Business Associate Agreement only covers some of the apps G Suite employs. Apps permitted by the Personal Health Information (PHI) agreements include:

  • Gmail
  • Calendar
  • Google Hangouts (chat messaging feature only)
  • Hangouts Meet
  • Drive (including Docs, Sheets, Slides, and Forms)
  • Keep
  • Google Cloud Search
  • Sites
  • Vault

At this time, business associate agreements concerning PHI do not cover Google Groups, Contacts, or Google+.

Monitor Access

HIPAA compliance is not something you can turn on and forget about. The administrator console contains reports and logs that let you tell at a glance where potential security risks may be. Reports show you how frequently employees access and share data. They also measure user collaboration on a given file, show who signs in, and even analyze administrative activity.

To help lower the risk of lost information due to unauthorized activity, Google allows alert notifications. Whenever Google detects activity such as a suspended user, a new user, or a suspicious login, administrators can review the attempt. You can also set notifications for making a suspended user active and for adding a new user.

Installing third-party software designed to scan for shared files with sensitive information is another way to ensure all data remains secure.

Set Restricted Settings

With a signed business associate agreement, Google helps you protect HIPAA confidential information in their core applications. You can do more by choosing restrictive settings when creating user accounts. In Google Drive, turn off automatic link sharing by choosing the option Specific People, which only allows invited individuals to view the document. You can then give control of link sharing to the Drive user or retain that control for administrators only.

Gmail allows individuals to restrict shared Drive files further. The sender can choose to limit the recipient’s ability to view only rather than edit or comment on the document. Senders can also restrict access to those with Gmail accounts.

Consider Separating Users within the Domain

Many companies using G Suite segregate their employees who work with HIPAA sensitive documents from those who do not. Creating different groups allows administrators to manage which groups have access to specific Google services.

Smaller companies may be able to get away with creating two groups: one that handles HIPAA sensitive documents and one that does not. Administrators can restrict the group with sensitive documents, blocking it from services such as Google+ and YouTube. The other group has permissions for all G Suite services.

Companies can choose to create as many groups as they want, segregating their employees’ accounts further if they choose. While an entire HR department may have access to HIPAA sensitive files, only a small few work with those documents. You may have the HR department as one group and create another group with just those employees handling sensitive information. You can choose to do the same with each department.

Backup Sensitive Information

Data loss is no laughing matter. When it comes to confidential information, it is even more important. You should have a HIPAA compliant backup service assisting in the protection of all your PHI files.

CloudAlly is a HIPAA compliant backup service. Becoming ISO 27001 certified allowed us to begin offering backup for patient sensitive documents and information. We comply with all federal guidelines concerning how to handle this information, including every aspect of data handling when backing up, access authorization, and encryption. Companies that require a business associate agreement can obtain one from us upon request.

At CloudAlly, we back up all your files automatically, giving you peace of mind that important HIPAA controlled documents are never lost or corrupted.

Try it free for 15 days; no credit card is required for signup.

HIPAA Compliance – Box.com

The electronic age has made it easier for doctors’ offices and hospitals to store patient information without much paperwork. They do, however, have to adhere to special regulations concerning the storage of that data. These rules are known as the Health Insurance Portability and Accountability Act, or HIPAA, and the Health Information Technology for Economic and Clinical Health Act, better known as HITECH.

Cloud computing is becoming more prevalent. It is imperative for businesses that collect sensitive information to use a cloud service provider that adheres to HIPAA and HITECH. Box.com is a leader among commercial cloud providers. Is Box.com HIPAA compliant?

How Does Box Meet HIPAA Compliance Standards?

Box is considered to meet HIPAA compliance standards. For Enterprise and Elite accounts needing HIPAA protection, Box signs a business associate agreement (BAA) when asked. Any required BAA should be signed before the customer begins storing sensitive information in their cloud account.

While there is no official certification process, Box’s features ensure that protected health information stays safe in the cloud. This provider not only encrypts data as it is transferred from hard drive to cloud and from cloud to hard disk, but also keeps it encrypted while on their servers.

Additionally, Box restricts access to the physical server farms where the information resides. The company also uses strict logical system access controls to maintain security.

Customers have administrative controls to help govern their data. Administrators choose which of the following actions employees can perform:

  • Download
  • Read
  • Edit
  • Lock documents
  • Password protect files

Administrators can monitor access to data, seeing who accessed, shared, or edited files. Audits also report account activity for content and users alike. Administrators can also use this area to train employees on different security controls and policies.

Box – HIPAA Compliance, to an Extent

As with all online services providing HIPAA compliance, the responsibility for protecting your data does not lie with them alone. In fact, their compliance standards only go so far as to ensure documents are safe while in storage. Box does not control how your employees treat protected health information.

For better security, all users need to activate Box’s two-factor verification. The first factor is a secure password with upper- and lowercase letters, as well as numbers and special symbols. The second factor is a unique code sent via SMS to the user’s cell phone, a voice call, or a dedicated security application used to access the account. This additional step prevents unauthorized logins.

As an administrator, you can limit who within your corporation has access to sensitive information. By restricting access, you limit the danger of file sharing where there is no need for it. Using Box’s built-in features for locking and password protecting data helps keep these records from unnecessary user access.

As Box is simply a cloud storage provider, it is up to the network administrator to ensure that email services, like Office 365 or Gmail, are HIPAA compliant. Both Microsoft and Google offer HIPAA compliant services under a BAA, just as Box does. If you use these services for email, contact their support groups for assistance in bringing their services into compliance if you have not already done so.

Any patient authorization forms allowing you to transmit data to them or others via an electronic service are your responsibility to maintain. As with email services, Box does not take responsibility for ensuring you have permission to share files from your Box account with a third party or the patient. While all records transmitted to and from Box are encrypted, you must explain the risks of sending information electronically.

Backup Your Backup

Many health practitioners use Box as both a storage and a backup location. While data loss on their servers is uncommon, it can happen. That is why it is necessary to have a backup of your backup.

CloudAlly offers backup solutions for Box Enterprise customers. Our Amazon S3 servers save all files and folders for each user. Administrators can choose to back up every day or every few days as they see fit. Additionally, administrators can include all users in the backup or just a select few.

For added security, CloudAlly can send you a daily log of your backup activity. This record includes a summary of data added to your account and a more extensive look at which users and files were included in the daily sweep.

In the event data is missing from your Box account, restoration of the missing file is easy and non-destructive. You control what files remain in your CloudAlly account. CloudAlly doesn’t delete files unless requested and authorized by your admin.

Try our service free for 15 days; back up your business-critical data today!