Email/Security Officer

nyankeesfl wrote on Monday, March 10, 2014:

Hello, sorry this is not a question about OpenEMR but I figured since the forum is active, it wouldn’t hurt asking.

I’m trying to find a HIPAA compliant email. I understand that both Office365 and Google Apps (as of last year) are willing to sign BAAs. I’m trying to migrate away from an Exchange Server and into web-based email. I understand that both have tools to migrate the email data.
I’m used to Gmail as my personal email and I like it, but I was wondering if you guys could give me some feedback on what you guys use and how you use it (I read that in Google Apps you have to disable certain features such as Google+, etc.) and which one would be the better option to use in a small practice in case of an audit. We don’t plan to send over any type of PHI through email at the moment and maybe just store office forms as well as the paperwork we have employees sign and also things like disaster plan, etc. in Drive (Google Docs).

Also, I’m finding a lot of contradicting information on the web, as it is expected, regarding the steps that a Security/Privacy officer should take to secure the practice (encrypt hard drives, etc.). If anyone could please send me over to a reputable website regarding HIPAA security/privacy that might contain good document templates and such, that would be highly appreciated.

Thanks!

ajperezcrespo wrote on Monday, March 10, 2014:

Google BAA states that you should not activate any third party options/apps. It does cover Drive, but if you are going to use Drive/sync, the device should be encrypted. My rule of thumb as a Compliance consultant is encrypt all storage that has or may have access to PHI.
Encryption is an Addressable implementation. You can improve compliance by establishing encryption as a norm. It also puts it into the safe harbor provision (aka The Happy Happy Place). So just document it and do it.

I originally began using templates but after doing Risk Assessments and Risk Analysis, I found that so much modification was required they were close to worthless and ended up re-writing most of it.
http://www.HealthIT.Gov
Alfonso