HIPAA is one of those things that not every help desk requires, but when you do need it, it’s critical that it is done right.
Data protection is of the utmost importance when you’re required to be HIPAA compliant, so you need the right help desk software and associated tools that meet those requirements.
Here’s what you need to know about HIPAA:
HIPAA is the U.S. Health Insurance Portability and Accountability Act (1996). It provides a number of rights and protections to patients, including requiring the confidential handling of Protected Health Information (PHI).
PHI includes identifiable health information including demographic data relating to:
Healthcare providers and any of their business associates (including those contracted to provide a help desk) must have systems and procedures in place that ensure the security and confidentiality of PHI. This includes things like ensuring only authorized users will have any access to such data.
In fact, the basic premise of HIPAA as it concerns help desk software is to protect PHI from anyone who should not have access to it and to ensure that authorized users are accessing it securely.
HIPAA compliance is part of JitBit’s feature set for help desks and is a key reason why healthcare organizations choose the hosted version of our software. (Note: we can only guarantee HIPAA compliance on our hosted version, because if you self-host we have no access to your server and no say over whether trained IT personnel manage it.)
If you’re required to be HIPAA compliant due to handling of PHI, then it’s a matter of critical importance. Penalties for HIPAA violations can be stiff, including fines or even criminal charges and jail time. In 2018, Anthem, one of the US’s largest health benefit companies, paid what was the largest fine for HIPAA violation to date. They paid out $16 million as a penalty for a data breach that exposed the PHI of 79 million individuals.
Besides those penalties under the law, HIPAA violations are often well-publicized. This could be a devastating reputational blow for any company or organization that has fallen short of the regulations. It can take a lot of hard work to regain trust once it is lost.
If you are a business associate of a healthcare organization (such as one contracted to provide help desk services), being HIPAA compliant is likely to be a condition of your contract. It certainly matters if you want to keep your contractual relationship!
HIPAA matters for all help desks that provide services to healthcare
The first thing for all help desks to know is that not all help desk software is built to be HIPAA compliant. There are some very specific requirements that require careful construction by the software company. Look for those that can specifically show you how they are HIPAA compliant (which we’ll get into).
While you’re at it, be very wary (actually, run!) if any help desk software vendor tells you they are “HIPAA certified.” HHS has stated several times that there is no HIPAA certification process and that no organization has the authority to certify HIPAA compliance. There are third-party organizations that will audit for PCI compliance, however; you can view JitBit’s PCI compliance certificate here.
HIPAA compliant software should have features that meet regulations for technical, physical and administrative safeguards. Here are some examples:
Technical safeguards cover the encryption of data, its electronic storage and the secure exchange of data. For example, software providers should conduct regular audits to determine whether the encryption applied to PHI is appropriate. (At JitBit, we regularly audit our app against a full HIPAA checklist.)
As part of the secure encryption and storage of data, software companies should be very careful about how their software is hosted (this is one reason we don’t claim JitBit is HIPAA compliant when a company has self-hosted it: we have no say over key aspects of how it is hosted). The servers for our hosted version all run on Amazon’s AWS, which we chose for its high standards for security protocols and its compliance with HIPAA.
An important point on data transfer for help desks is that email is not a secure means of sending PHI data. It’s just too easily breached. For this reason, there is something you need to do on your end to ensure that emails sent only contain generic notifications that invite people to login to get specifics. For JitBit, that process is:
Go to the "Admin - Email settings" and do the following:
Physical safeguards refer to the protection of physical access to files and machines. This includes how PHI is disposed of when it’s no longer needed. At JitBit, we also keep backup servers in a completely separate location in case a natural disaster takes out our main servers.
Physical safeguards cover all sorts of possible physical access to PHI. For example, your company should have policies regarding how your team physically accesses your systems. Things like mobile devices and access from home can create an extra level of physical security risk. What would happen if an employee were logged in on their device then left it somewhere?
If you have a policy where employees can’t access data anywhere else except physically on the premises, you still need security protocols for entering the premises and accessing any computers used for processing PHI. For example, workstations where the user has stepped away should be locked so that no one else can access data using someone else’s sign-on.
Administrative safeguards refer to who should have access to the PHI data and how they will be authenticated. For example, JitBit has settings to help you control access with unique users and logins, as well as determine how much information each user is authorized to access.
A person’s access to information should be aligned with their role in the organization. There should also be access logs so that you can see who accessed what and when at any given time.
Along these lines, you should also have policies and procedures for terminating access, such as when an employee leaves or moves to a different role. It’s important that at all times, only those who should have access do have access.
Underpinning all of these things, organizations should keep employees trained and up-to-date with their obligations under HIPAA. JitBit undertakes employee training regularly to ensure that everyone remains compliant and familiar with what is required of them.
If you belong to or contract with a healthcare organization, any old help desk software won’t do. You absolutely need a software solution that is HIPAA compliant and allows you to easily meet your obligations under the regulations.
JitBit undergoes extensive auditing and frequent checks in order to maintain HIPAA compliance. Only the most rigorous standards will do so that the chances of data breaches are minimized as much as possible.