Challenges and Solutions, the Health Insurance Portability and Accountability Act of 1996
HIPAA was created with the best of intentions for the Healthcare industry. As it has grown, however, HIPAA has evolved into a long list of strict standards and requirements which can be painful to implement. Some of these difficulties are so massive in scale that organizations struggle to see the light at the end of the tunnel, especially since HIPAA standards apply to paper-based, electronic, and oral communication of information. Yet, there are advantages to HIPAA compliance. Despite all the difficulties, organizations choosing to integrate HIPAA standards will gain a clear strategic advantage.
Advantages of HIPAA Compliance
The road to HIPAA compliance can be long and confusing, but the rewards are worth the effort. Below are examples of how Circadian Force can help an organization achieve compliance in various areas.
Success with HIPAA
What will make an organization successful in their approach to HIPAA? This will be influenced by several factors, a few of which are listed below:
Documentation requirements - the following is a sample of the documents that must be retained for a period of 6 years. This applies to all written or electronic documentation.
Your Document Retention Solution
When considering a solution for long-term data storage, it is highly recommended that a Covered Entity seek an off-site location for that data storage. To comply with HIPAA, the data must be stored in a facility with guaranteed uptime, a high degree of security, and top-notch reliability/integrity standards. Circadian Force recommends developing a document retention strategy in a Tier-1 datacenter, as this ensures all the mandates of HIPAA are met. Additionally, it is recommended that the data is transported to this datacenter using a reliable and highly secure Electronic Vaulting product so that the data will stand the test of time.
Administrative Procedures: Contingency Plan
In order to protect patient information and an organization's well-being, HIPAA mandates that a Contingency Plan exist for compliance. A Contingency Plan is a routinely updated plan for responding to an emergency, disaster, crisis, or catastrophe. This includes a plan for performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and disaster recovery. The individual elements comprising this plan are the following:
Your Contingency Plan Solution
Circadian Force specializes in the creation of the above plans. Beyond that, unlike other Disaster Recovery companies that simply provide plans, Circadian provides a complete software solution that takes companies from a plan to a HIPAA-compliant backup solution. Circadian Force is a one-stop-shop for all of the above requirements.
Physical Safeguards: Media Controls
HIPAA calls for formally documented policies and procedures that govern the receipt and removal of hardware and software into and out of a facility. The following will be required:
Your Physical Safeguards Solution
Circadian's flagship product, DataForce, stores policy information and enforces strict backup, storage, and deletion rules/regulations. Furthermore, the product generates detailed reports which can be used as audit trails for accountability. The policy information is entered into the software one time and is automatically enforced thereafter. However, should any of the above policies change, the software can be updated to reflect that change within minutes (provided this is approved by the governing committee).
Technical Security Mechanisms: Encryption
HIPAA requires communications over open or private networks to be protected so that patient information cannot be compromised by unauthorized third parties. This means an organization must identify data that is transported over the intranet or internet and ensure that data is fully encrypted.
Your Encryption Solution
DataForce utilizes a 128-bit algorithm that meets this requirement fully. Regardless of how confidential the patient information, DataForce ensures patient privacy through solid encryption.
Technical Security Mechanisms: Alarm
HIPAA calls for a mechanism that can detect an abnormal condition within the system and raise an alert describing the problem. Though many HL7 transaction systems have alarm features built into their architecture, most non-proprietary systems that exchange data back and forth do not.
Your Technical Security Solution
DataForce generates reports after every transaction which can be viewed over the web or e-mailed straight to a user's inbox. Also, DataForce automatically performs data integrity checks and checksums to ensure the data was not corrupted during the transfer. If corruption is detected, an e-mail alert is sent to an administrator.
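The checksum-and-alert flow described above, as an added illustration that is not DataForce code: the sender publishes a digest manifest alongside the payload, the receiver recomputes the digest, and a mismatch produces a transfer report carrying an administrator alert. The manifest layout, the alert record, the sample payload and the recipient address are all constructed assumptions.

```python
"""Integrity verification for a transferred record with an alert on mismatch.
Added example; the manifest format and alert record are assumptions, not a
product API."""
import hashlib
import hmac
import json

# Constructed sample: the sender's copy of a (fake) archived record.
SENDER_PAYLOAD = b"patient_id=0001;encounter=2024-01-01;note=routine visit\n"


def build_manifest(payload):
    """Sender side: digest and size that travel alongside the payload."""
    return {
        "algo": "sha256",
        "size": len(payload),
        "digest": hashlib.sha256(payload).hexdigest(),
    }


def verify_transfer(received, manifest):
    """Receiver side: recompute the digest and compare in constant time.
    Returns (ok, reason)."""
    if manifest.get("algo") != "sha256":
        return False, "unsupported digest algorithm"
    if len(received) != manifest["size"]:
        return False, "size mismatch: expected %d bytes, got %d" % (
            manifest["size"], len(received))
    actual = hashlib.sha256(received).hexdigest()
    if not hmac.compare_digest(actual, manifest["digest"]):
        return False, "digest mismatch: data corrupted in transit"
    return True, "ok"


def integrity_alert(transfer_id, reason, recipient="admin@example.invalid"):
    """Compose the alert an administrator would receive (assumed shape;
    composed only, not actually sent)."""
    return {
        "to": recipient,
        "subject": "transfer %s failed integrity check" % transfer_id,
        "body": reason,
    }


def process_transfer(transfer_id, received, manifest):
    """Per-transfer report; an alert is attached only when verification fails."""
    ok, reason = verify_transfer(received, manifest)
    report = {
        "transfer_id": transfer_id,
        "status": "ok" if ok else "corrupted",
        "detail": reason,
    }
    if not ok:
        report["alert"] = integrity_alert(transfer_id, reason)
    return report


if __name__ == "__main__":
    manifest = build_manifest(SENDER_PAYLOAD)
    print(json.dumps(process_transfer("t-1", SENDER_PAYLOAD, manifest)))
    # Simulate a single flipped byte during transfer.
    damaged = bytearray(SENDER_PAYLOAD)
    damaged[10] ^= 0x01
    print(json.dumps(process_transfer("t-2", bytes(damaged), manifest)))
```

A plain digest detects accidental corruption, which is what the passage is about; if the manifest itself travels over an untrusted path, a keyed MAC or a signature over the manifest is needed to also detect deliberate modification.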
Technical Security Mechanisms: Audit Trail
Information must now be collected for potential security audits on transactions and data security, as mandated by HIPAA. This may require keeping logs on existing data, archived data, the evolution of that data, and users that accessed that data.
Your Audit Trail Solution
DataForce produces an audit trail which can be used to track the history of existing data, archived data, changes to the data, and access requests to that data for periods in excess of 10 years. This information can be used for security audits, financial audits, data evolution audits, data storage policies, data deletion policies, access control policies, and general data backup policies.
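The kind of audit trail the passage describes, as an added example that is not DataForce code: every entry records when, who, which action and which record, and each entry carries the hash of its predecessor, so any later edit or deletion in the retained history is detectable when the trail is verified. The entry fields, action names and sample events are constructed assumptions.

```python
"""Tamper-evident audit trail: hash-chained entries plus a verifier.
Added example; entry layout and action vocabulary are assumptions."""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(entry):
    """Hash of every field except the entry's own hash, in canonical order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(trail, when, user, action, record_id, detail=""):
    """Append one event, chaining it to the previous entry's hash."""
    prev = trail[-1]["hash"] if trail else GENESIS
    entry = {
        "seq": len(trail),
        "when": when,
        "user": user,
        "action": action,
        "record_id": record_id,
        "detail": detail,
        "prev_hash": prev,
    }
    entry["hash"] = _entry_hash(entry)
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Walk the chain; return (True, None) or (False, index of first bad entry).
    A rewritten entry fails its own hash; a rewritten entry with a recomputed
    hash breaks the prev_hash link of the entry after it."""
    prev = GENESIS
    for i, e in enumerate(trail):
        if e["seq"] != i or e["prev_hash"] != prev or e["hash"] != _entry_hash(e):
            return False, i
        prev = e["hash"]
    return True, None


def record_history(trail, record_id):
    """Who did what to a given record, in order: the access-history view."""
    return [(e["when"], e["user"], e["action"])
            for e in trail if e["record_id"] == record_id]


def build_sample_trail():
    """Constructed sample events (fictional users and record ids)."""
    trail = []
    append_entry(trail, "2024-03-01T08:00:00Z", "backup-svc", "ARCHIVE", "rec-42", "nightly backup")
    append_entry(trail, "2024-03-02T09:15:00Z", "dr.smith", "READ", "rec-42")
    append_entry(trail, "2024-03-03T10:30:00Z", "dr.smith", "UPDATE", "rec-42", "allergy list amended")
    append_entry(trail, "2024-03-04T11:00:00Z", "records-admin", "DELETE", "rec-17", "retention period expired")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain valid:", verify_trail(trail))
    print("history of rec-42:", record_history(trail, "rec-42"))
    trail[1]["user"] = "nurse.jones"  # simulate an after-the-fact edit
    print("after tampering:", verify_trail(trail))
```

Chaining makes edits detectable but does not by itself prevent truncating the tail of the log; anchoring the latest hash somewhere the log writer cannot alter (a separate store or a periodic signed checkpoint) closes that gap over a multi-year retention period.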
Civil Monetary Penalties (CMPs)