How I Evaluate a Business’s HIPAA Compliant IT Infrastructure


Ask anyone who’s been there and they’ll tell you the same thing: buying a business, any business, can get complicated. There are so many things to consider and evaluate about the business in question, and increasingly, IT infrastructure rises to the top of that critical evaluation list.

Often I’m asked to evaluate the IT network of a business that is up for sale on behalf of a prospective buyer, and most recently I’ve been doing this type of work for a group of dentists interested in buying their own practices. I always do the evaluation on site, going through every workstation, the server, and the networking equipment to assess their current state with HIPAA compliance in mind.

About 90% of the time, here’s what I see:

  1. Workstations are running Windows 7 or older, which no longer receives security updates
  2. Antiquated hardware
  3. The “server” is typically a Windows 7 workstation on consumer-grade hardware
  4. Hard drives are not encrypted, so a stolen or discarded machine exposes patient data
  5. Backups are either nonexistent or misconfigured, with no plan to verify that a restore actually works
  6. The wireless network sits on the same network segment as the production network, with no security policy separating the two
  7. Passwords are not complex and are never changed
  8. The only firewall is the default device supplied by the ISP
  9. Email with patients and vendors is not encrypted
  10. There is no HIPAA compliance process at all

I conclude my evaluation by drafting a list of recommendations and their importance to the buyer.
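For the host-level items in that list (items 1, 3, 4 and 7), a good portion of the walk-through can be scripted so that every workstation and the server are checked the same way. The script below is an added example written for this post, not a tool from the original author. It is read-only, is meant to be run from an elevated Windows PowerShell prompt on each machine, and deliberately uses Get-WmiObject, manage-bde, net accounts, secedit and the WinNT ADSI provider so that it also runs on the Windows 7 machines described above (Windows PowerShell 2.0 and later; several of these are absent or deprecated in PowerShell 7). The thresholds (12-character minimum length, 365-day password age) and the database service-name patterns used to spot a “server” on a client OS are my assumptions, not HIPAA requirements. Backups, wireless segmentation, the ISP firewall and email encryption cannot be judged from a single host and still need the manual review.

```powershell
# Added example (not from the original post): read-only triage of one Windows host for
# the checks that can be made locally. Run as Administrator in Windows PowerShell.
# Thresholds and service-name patterns below are the example author's assumptions.

$report = New-Object System.Collections.ArrayList

function Add-Line([string]$Item, [string]$Detail) {
    [void]$report.Add((New-Object PSObject -Property @{ Item = $Item; Detail = $Detail }))
}

# Items 1-3: OS support status, hardware class, and "is this client OS really the server?"
$os    = Get-WmiObject Win32_OperatingSystem
$cs    = Get-WmiObject Win32_ComputerSystem
$ramGb = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Line 'Hardware (review manually)' "$($cs.Manufacturer) $($cs.Model), $ramGb GB RAM"
# Windows 7 is NT 6.1 and 8.1 is NT 6.3; anything below 10.0 is out of vendor support.
if ([version]$os.Version -lt [version]'10.0') {
    Add-Line 'Unsupported OS' "$($os.Caption) (NT $($os.Version)) no longer receives security updates"
}
# ProductType 1 = client OS. A client OS running a database service is the
# "the server is a Windows 7 workstation" finding. Service-name patterns are a heuristic.
$dbSvc = Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.Name -match '^(MSSQL|MySQL|SQLANY)' }
if ($os.ProductType -eq 1 -and $dbSvc) {
    $names = ($dbSvc | ForEach-Object { $_.Name }) -join ', '
    Add-Line 'Server role on client OS' "$($os.Caption) is running database service(s): $names"
}

# Item 4: full-disk encryption on the system drive. manage-bde exists wherever BitLocker does.
if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
    $bde = (& manage-bde.exe -status $env:SystemDrive 2>&1) -join "`n"
    if ($bde -notmatch 'Protection Status:\s+Protection On') {
        Add-Line 'Unencrypted system drive' "BitLocker protection is not on for $env:SystemDrive"
    }
} else {
    Add-Line 'Unencrypted system drive' 'No BitLocker tooling on this edition; look for a third-party product, otherwise assume none'
}

# Item 7: local password policy. net accounts reports length and age; the complexity
# setting only appears in the exported local security policy.
$acct   = (net accounts) -join "`n"
$minLen = [int]([regex]::Match($acct, 'Minimum password length:\s+(\d+)').Groups[1].Value)
$maxAge = [regex]::Match($acct, 'Maximum password age \(days\):\s+(\S+)').Groups[1].Value
$cfg    = Join-Path $env:TEMP 'secpol-triage.cfg'
secedit /export /cfg $cfg | Out-Null
$complexity = ((Get-Content $cfg) -match '^PasswordComplexity') -join ''
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($minLen -lt 12)                 { Add-Line 'Weak password policy' "minimum length is $minLen" }
if ($maxAge -eq 'Unlimited')        { Add-Line 'Weak password policy' 'maximum password age is unlimited' }
if ($complexity -notmatch '=\s*1')  { Add-Line 'Weak password policy' 'complexity requirement is off' }

# Item 7 continued: enabled local accounts whose password has not changed in a year or is
# flagged never-to-expire. PasswordAge from the WinNT provider is in seconds.
# Domain accounts need the same check against Active Directory.
$local = [ADSI]"WinNT://$env:COMPUTERNAME"
foreach ($u in $local.Children) {
    if ($u.SchemaClassName -ne 'user') { continue }
    $flags = [int]$u.UserFlags.Value
    if ($flags -band 0x2) { continue }                       # ACCOUNTDISABLE
    $ageDays = [int]($u.PasswordAge.Value / 86400)
    $never   = [bool]($flags -band 0x10000)                  # DONT_EXPIRE_PASSWD
    if ($ageDays -gt 365 -or $never) {
        Add-Line 'Stale local password' "$($u.Name): last set $ageDays days ago, never expires = $never"
    }
}

$report | Format-Table Item, Detail -AutoSize
```

Run it on each machine and paste the table into the recommendations list; the “Hardware” line is informational so that the consumer-grade judgement is made by a person, while the other lines are direct findings. Anything the script flags as “review manually” or cannot see (backup restores, the wireless VLAN, the edge firewall, email encryption) stays on the on-site checklist.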

Any of these issues can become a serious problem that affects the functioning and efficiency of a business, not to mention the legal ramifications for a healthcare organization that’s not HIPAA compliant. (Please note that this technical evaluation is only one part of the audits and assessments HIPAA compliance requires on a recurring basis.) Clearly, before making the purchase, the prospective buyer needs to know the state of the company’s IT infrastructure and what it will cost to correct the problems.

Now you have some idea of what an IT professional like me looks for when evaluating a business’s HIPAA Compliant IT environment for the first time. I hope you’ll consider performing a similar evaluation of your own environment. Or, better yet, have me come to your place of business and do it for you. I might see something important you’re not aware of.

And if you’re thinking of buying an existing business, this process becomes even more necessary.