
HIPAA Compliance

The U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to address concerns about the privacy of patients' medical and personal information in the healthcare field. Title II of HIPAA, the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions. The AS provisions also cover the security and privacy of health data and are meant to encourage the widespread use of electronic data interchange in health care in order to increase efficiency, accuracy, and effectiveness.
While the deadline for HIPAA compliance has passed for most health organizations, many are still dealing with the changes wrought by the requirements. It's helpful to look at how your office complies with HIPAA and how you can leverage those systems for even greater security and efficiency.
There's no doubt HIPAA compliance means major changes for doctors and other health professionals, both administratively and in the way you practice medicine. Overall, the security rules apply to the way electronic patient-related information is handled, stored and protected. The privacy rules, however, apply to all individually identifiable patient information, in whatever way it is stored. While the HIPAA Security Rule describes what providers should do to implement the requirements and recommendations, it doesn't say how to do it. That leaves you free to make your own choices about the technologies and approaches you want to use.
If you work with a vendor for automation in your healthcare organization, your vendor will be involved in helping set up policies and procedures. You can expect HIPAA education and suggestions from them as well as within your own organization.

Technology components

Security should be a priority at every level of your infrastructure, from wireless networks to PDAs. In particular, you may want to consider these components:
1.  Servers with extra security features to store your sensitive medical data. See HP servers.
2.  A storage solution and backup plan to ensure medical records are not lost in the event of a disaster. See HP storage systems or HP virtual backup service information.
Note: HP offers a discount program for savings up to 10% for health professionals. Learn more before you purchase.

Implementation steps

Your implementation should ensure you are in complete compliance with HIPAA. Your front-end, user-level implementation should include the following steps:
1.  Create a security policy for your office. This should consist of a clear set of written guidelines regarding data management. Communicate this to your staff.
2.  Secure workstations and equipment. Protect all portable equipment – do not leave devices unguarded in public areas. Turn monitors and screens away from the public (especially important in the reception area).
3.  Use password protection. Many computers are in public places or at workstations where sensitive materials could be viewed by unauthorized persons. Passwords protect data. Also put in place a regularly scheduled password update program and teach users to change their passwords immediately if they suspect someone has learned their password.
4.  Enable virus protection. Invest in a good anti-virus protection plan, update it regularly, and use it, scheduling regular scans of your equipment.
5.  Turn off network file sharing on your wireless interface when it's not in use.
6.  Disable IR, Bluetooth, and Wi-Fi ports when they're not in use.
7.  Plan for the types and location of output devices (like printers and fax machines) to ensure that sensitive patient information is not generated on devices in locations that are accessible by unauthorized personnel.

Network and Servers

Ensuring your data security is crucial. For instance, HIPAA specifies that controls must govern the introduction and removal of hardware and software from the network. HIPAA also makes healthcare organizations responsible for backing up their data and having a disaster recovery plan in place.
Encryption of data that flows over open networks is required by HIPAA. Authentication of data is another requirement for HIPAA compliance. Do you know who has been viewing or retrieving your patient data, and what, if any, changes have been made? Ensuring authentication and integrity of data, showing it has not been altered or accessed by unauthorized staff, is a main component of implementing a HIPAA compliance solution.
But does this mean you have to set up yet another complex security level for your practice? Not at all. Server and storage technologies today have security and authentication features built in, making it easy to implement and manage these important functions.
Steps at the network level:
1.  Create a policy for controlling the addition and removal of hardware and software from your network.
2.  Put in place a backup system and a disaster recovery plan. Your plan should make it possible to recover your data such that both recovery and re-connections to the restored data remain in compliance with HIPAA with regard to who is authorized to see that data during storage at the backup facility and during the recovery process. For example, are the off-site storage staff HIPAA trained? Do they have policies and procedures for handling your data so that their personnel cannot get access to key data elements?
3.  Implement authentication throughout your network and data access system.
4.  Enable encryption on your network.
© 2009 Hewlett-Packard Development Company, L.P.