Star-Tech Services is now supporting computer services in physician offices. As we grow in this arena, it is important that we understand all the components included in being HIPAA compliant as it relates to the computers and data stored on the computers.
What is HIPAA? Well, it stands for Health Insurance Portability and Accountability Act. Does that explain it? Ok, here’s the deal. This Federal act was passed by Congress in 1996 and it does the following:
1. Provides the ability to transfer or continue insurance coverage for workers who have lost or changed their jobs.
2. Reduces fraud and abuse in the health care industry.
3. Mandates standards for health care information in billing systems.
4. Requires the protection and confidentiality of protected health information (PHI). This is defined as any data that can identify an individual, such as: name, telephone numbers, email addresses, medical record numbers, any vehicle identification…
Let’s take a closer look at how it relates to IT.
In my opinion, a big key is to document the standard operating procedures you are using. This includes account maintenance, backups, disaster recovery procedures, security (both physical and network). Here is a list of some of the items to be considered:
1. Isolate systems that either store or have access to key data (PHI, Protected Health Information). Make sure the public cannot access these systems, and keep them in a physical environment the public cannot enter.
2. Secure the systems from Internet access.
3. Establish password expiration policies.
4. Establish screensaver passwords. Set the screensaver to start after 10-15 minutes of inactivity and require a password to unlock it.
5. Monitor access and security logs.
6. Document how data is backed up and where the backup media is stored.
7. Document the owner and administrator of key data.
8. Document the network security setup and guidelines.
The real HIPAA struggles come from the conflict between keeping individuals’ health information private and protected, while still allowing some data to flow to health-related research. I’m sure there will be modifications made to the rules as they are studied. One change will probably be in defining methods of removing personally identifiable information while still passing the key components on to research. The complication is that in some research, it may be necessary to include personal information. How do they get around this? I’d suggest that the organization doing this study must be approved by a board and demonstrate that it has all the protection safeguards in place.
And one last item that further confuses the matter: there is a lot of room for interpretation of the HIPAA rules, especially among different types of health organizations.
So, what’s the answer? I don’t know. What I do know is that Star-Tech Services must have a set of procedures that it follows to be HIPAA compliant as we support computers in physician offices.