Challenges and Solutions, the Heath Insurance Portability and Accountability Act of 1996

HIPAA was created with the best of intentions for the Healthcare industry. As it has grown, however, HIPAA has evolved into a long list of strict standards and requirements which can be painful to implement. Some of these difficulties are so massive in scale that organizations struggle to see the light at the end of the tunnel, especially since HIPAA standards apply to paper-based, electronic, and oral communication of information. Yet, there are advantages to HIPAA compliance. Despite all the difficulties, organizations choosing to integrate HIPAA standards will gain a clear strategic advantage.

Advantages of HIPAA Compliance

• Fines and criminal penalties avoided
  
• Lower liability potential
  
• Lower risk of public exposure
  
• Consumer / Industry confidence
  
• Streamlined process workflow
  
• Increased efficiency
  
• Reduced administrative expenses
  
• Increased data efficacy
  
• Enhanced immunity to disaster situations
  
• Lower long-term costs (ROI)
  

The road to HIPAA compliance can be long and confusing, but the rewards are worth the effort. Below are examples of how Circadian Force can help an organization achieve compliance in various areas.

Success with HIPAA

What will make an organization successful in their approach to HIPAA? This will be influenced by several factors, a few of which are listed below:

• Understanding and acceptance of HIPAA regulations by executive leadership
  
• Willingness to accept change and invest in a solution
  
• Readiness to implement process improvement strategies 
  
• Readiness to overcome the impact HIPAA compliance may have within the organization
  
• Recognition of new technologies to meet HIPAA regulations and the creation of a plan for applications that are not HIPAA-compliant
  
• Buy-in for HIPAA compliance across the entire organization
  
• Document Retention Requirements
  

Documentation requirements - the following is a snippet of documents that must be kept for a period of 6 years. This applies to all written or electronic documentation. 

• Policies and Procedures
  
• Training provided, Privacy Official, Contact Person
  
• Complaints to Covered Entity and their disposition
  
• Notice of Privacy Practices, Acknowledgement, and Good Faith efforts to obtain Acknowledgements
  
• Authorizations
  
• Business Associate Contracts
  
• IRB/Privacy Board Waivers
  
• Designated record sets that are subject to access by the individual, access contact person, requests, and responses
  
• Amendment contact persons, requests, denials, disagreements and rebuttals
  
• Information required to be in accounting, accounting contact person, requests, and accountings provided to an individual
  
• Restriction Request Agreements
  
• HCC Designations
  
• Affiliated Covered Entity Designations
  
• Certification of Group Health Plan document amendment
  
• Verification documents of public officials, personal representatives, etc
  
• Any other communication required by Rule to be in writing
  
• Sanctions taken against members of the Work Force
• E-mail

Your Document Retention Solution

When considering a solution for long-term data storage, it is highly recommended that a Covered Entity seek an off-site location for that data storage. To comply with HIPAA, the data must be stored in a facility with guaranteed uptime, a high degree of security, and top-notch reliability/integrity standards. Circadian Force recommends developing a document retention strategy in a Tier-1 datacenter, as this ensures all the mandates of HIPAA are met. Additionally, it is recommended that the data is transported to this datacenter using a reliable and highly secure Electronic Vaulting product so that the data will stand the test of time.

Administrative Procedures: Contingency Plan

In order to protect patient information and an organization's well-being, HIPAA mandates that a Contingency Plan exist for compliance. A Contingency Plan is a routinely updated plan for responding to an emergency, disaster, crisis, or catastrophe. This includes a plan for performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and disaster recovery. The individual elements comprising this plan are the following:

• Application and data criticality analysis
  
• Data backup plan
  
• Disaster recovery plan
  
• Emergency mode operation plan
  
• Testing and revision procedures for all plans
  
• Communication and training of stakeholders in the plans
  

Your Contingency Plan Solution

Circadian Force specializes in the creation of the above plans. Beyond that, unlike other Disaster Recovery companies that simply provide plans, Circadian provides a complete software solution that takes companies from a plan to a HIPAA-compliant backup solution. Circadian Force is a one-stop-shop for all of the above requirements.

Physical Safeguards: Media Controls

HIPAA calls for formally documented policies and procedures that govern the receipt and removal of hardware and software into and out of a facility. The following will be required:

• Access control policies
  
• Accountability policies
  
• Data backup policies
  
• Data storage policies
  
• Data disposal policies
  

Your Physical Safeguards Solution

Circadian's flagship product, DataForce, stores policy information and enforces strict backup, storage, and deletion rules/regulations. Furthermore, the product generates detailed reports which can be used as audit trails for accountability. The policy information is entered into the software one time and is automatically enforced thereafter. However, should any of the above policies change, the software can be updated to reflect that change within minutes (provided this is approved by the governing committee). 

Technical Security Mechanisms: Encryption

HIPAA requires communications over open or private networks to be protected so that patient information cannot be compromised by unauthorized third parties. This means an organization must identify data that is transported over the intranet or internet and ensure that data is fully encrypted.

Your Encryption Solution

DataForce utilizes a 128-bit algorithm that meets this requirement fully. Regardless of how confidential the patient information, DataForce ensures patient privacy through solid encryption.

Technical Security Mechanisms: Alarm

HIPAA calls for a device that can detect an abnormal condition within the system and provide an alert as to the problem. Though many HL-7 transaction systems have alarm features built-in to their architecture, most non-proprietary systems that communicate data back and forth do not.

Your Technical Security Solution

DataForce generates reports after every transaction which can be viewed over the web or e-mailed straight to a user's inbox. Also, DataForce automatically performs data integrity checks and checksums to ensure the data was not corrupted during the transfer. If corruption is detected, an e-mail alert is sent to an administrator. 

Technical Security Mechanisms: Audit Trail

Information must now be collected for potential security audits on transactions and data security, as mandated by HIPAA. This may require keeping logs on existing data, archived data, the evolution of that data, and users that accessed that data. 

Your Audit Trail Solution

DataForce produces an audit trail which can be used to track the history of existing data, archived data, changes to the data, and access requests to that data for periods in excess of 10 years. This information can be used for security audits, financial audits, data evolution audits, data storage policies, data deletion policies, access control policies, and general data backup policies.

Civil Monetary Penalties (CMPs)

• $100 per violation
  
• Capped at $25,000 each calendar year for each prohibition violated
• Up to $250,000 and 10 years in prison for wrongful disclosures of PHI