Cloud storage and HIPAA compliance

Cloud computing reduces reliance on internal resources, cuts down on staffing requirements, and frees you from day-to-day administration and troubleshooting.

However, shifting that burden onto someone else by adopting cloud backup is not an idea everyone welcomes. To start with, the compliance officer must ensure that all data storage, backup, and archiving strategies are in line with the many different regulations and internal policies that govern how data is stored and for how long.

Ensuring compliance with data storage requirements is hard enough when storage is internal, but when using a cloud system you are relying on the provider. If you are in healthcare, for example, your internal strategies revolve around HIPAA, but a cloud provider is technically not bound by the regulation. Because of these regulations, you will typically need a long-term data retention policy.

However, online backup services have often failed to meet long-term commitments. Several online backup services, including those run by very large companies such as Hewlett-Packard, have been unable to sustain long-term storage strategies.

Another factor to consider is who has access to the data and how that access is governed. Compliance with HIPAA and other regulations calls for strict access controls to be in place.

To sum up, when opting for cloud storage, one must always take into consideration compliance legislation such as HIPAA or Sarbanes-Oxley, and opt for in-house management if there is any doubt.

Adhering to HIPAA regulations is important

Privacy of personal information is the right of every individual in any part of the globe. The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to prevent unauthorized access to patient information, and all medical-related businesses should abide by it.

HIPAA must be followed by all ‘covered entities’, a term that includes:

  • Hospitals and clinics
  • Insurance Companies dealing with health and medical policies
  • Private Practices – General practitioners and specialists, dentists, chiropractors, etc.
  • Psychiatrists and Psychologists
  • Medical Billing Centers and Collection Agencies

Whether you have two people or two hundred working in an office that deals with medical health records, the security of patient information is important. It’s imperative for all employees to make sure sensitive data is not compromised or exposed to unauthorized people.

Medical information that is considered personal and private, and that healthcare centers may not disclose under Federal law, includes but is not limited to:

  • Prescription Information
  • Medical History Records
  • Appointment Logs
  • Phone and Voice Mail Message Notes
  • Insurance Forms and Claims
  • Billing Information

While adhering to HIPAA rules, you need to destroy all patient information that is outdated or no longer necessary. The destruction of records must be done in accordance with HIPAA regulations, which require that every sticky note and every printout be shredded thoroughly. Simply throwing papers away does not guarantee security, as any unscrupulous person could sift through the garbage and gain access to credit card numbers and addresses. One could also hire a professional to destroy documents.

Webcast released by VirtualHealth Technologies

VirtualHealth Technologies, Inc. has released an on-demand corporate Webcast on Breakthrough Healthcare Software to Meet HIPAA Compliance, Lower Healthcare Costs and Reduce Crime. The company has also introduced Real-Time Prescription Drug Monitoring, Healthcare Security, Practice Management and Electronic Health Records Solutions.

The Webcast offers solutions for improved healthcare management and the reduction of prescription fraud and crime through real-time prescription drug monitoring software. Additionally, the Webcast provides an overview of the Company’s healthcare security and authentication solutions, and its practice management and electronic health records technology.

VirtualHealth has over 1500 clients and has completed government trials for the Company’s next generation real-time, web-based prescription monitoring solution focused on reducing controlled substance fraud and crime. Additionally, the winner of the 2008 Hot Product TEPR award, PrivateAccess, Inc., has licensed solutions from VirtualHealth that provide security platforms to facilitate data sharing and communication.

Getting to know the definition of ‘Covered Entity’

One of the terms mentioned in the HITECH privacy provisions of the American Recovery and Reinvestment Act, which President Obama signed into law on Tuesday, February 17, 2009, in Denver, CO, is ‘Covered Entity’. The definitions of the various terms appear in Subtitle D—Privacy, Section 13400 of the Conference Report, on page H1345 of the Congressional Record—House, February 12, 2009. These definitions are critical to understanding the content of the new HITECH privacy provisions and how they relate to the existing HIPAA Administrative Simplification Privacy Rule standards.

Here we reproduce the definition of ‘COVERED ENTITY’ as given in the act. The term ‘covered entity’ has the meaning given to it in section 160.103 of title 45, Code of Federal Regulations.

Section 160.103—

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter [e.g., HIPAA Administrative Simplification transaction standards].

How to look for a Security Official to safeguard your EPHI?

HIPAA’s Security Rule requires that every covered entity designate one person as a security official responsible for the development and implementation of policies and procedures that safeguard electronic protected health information. For such an official, one needs someone who understands clinical and billing workflows, recognizes that in the past some clinicians have communicated with patients via unsecured email such as AOL, Yahoo!, and Comcast, and is also skilled at shouldering broad responsibility while delegating assignments.

Before entrusting someone with the security of your health information, you need to conduct a risk assessment to determine the practice’s security safeguards and vulnerabilities.

When going through your risk assessment, assign each risk a value from 1 to 5. Risks that are low but still deserve attention get a ‘1’. A rating of ‘5’ means that an event such as theft, a break-in at the offices, fire, or weather damage has happened at least once and is likely to happen again.

For those risks given a rating of 3 or 4, assign an owner or owners to manage them. HIPAA’s physical safeguard standard (45 CFR 164.310(b)) requires that you implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of any specific workstation that can access electronic protected health information.

You not only want to safeguard protected health information, you also want to safeguard your investment. The owners of this physical safeguard could be a lead physician, a nurse, and a lab technician.

Who should comply with the Red Flags Rule?

The Red Flags Rules, issued by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003, require financial institutions and creditors to develop and implement written identity theft prevention programs. The programs must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft, and should be in place by November 1, 2008.

The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”

The Rules define a financial institution as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer.

Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts. A transaction account is a deposit or other account from which the owner makes payments or transfers. It includes checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit and regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. The term also includes finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.

New Boundary Technologies introduces its HIPAA Compliance solution

At the HIMSS 06 conference in San Diego, New Boundary Technologies introduced its HIPAA Compliance Solution. New Boundary is a provider of automated configuration and security management solutions and it claims that this solution ensures IT compliance with the HIPAA Security Rule.

The solution comprises three components:

  • HIPAA Security Guide, which breaks down the various HIPAA Security Rule provisions and guides organizations through the steps to be taken to become HIPAA compliant.
  • HIPAA Security Policy Library which helps organizations meet HIPAA requirements by continually safeguarding electronic protected health information and the computers that have access to it.
  • Policy Commander which is an automated security policy management and enforcement product. This Commander automatically assigns security policies to the right computers, and automatically takes corrective measures for computers when they fail to comply with assigned policies.

“The HIPAA Security Rule is intentionally vague because it is based on the concepts of flexibility, scalability and technology neutrality,” said Kim Pearson, president and CEO of New Boundary Technologies, adding, “That’s been frustrating for many IT professionals tasked with implementing security solutions for HIPAA compliance. With our HIPAA Compliance Solution, we correlate security policies to the various sections of the Security Rule so administrators have a clear map of which policies will help them achieve specific security levels required by HIPAA.”

Axway & Edifecs to provide integrated solutions for new HIPAA regulations

Axway, the leading global provider of multi-enterprise solutions and infrastructure, has recently formed a partnership with Edifecs to provide integrated migration solutions for the Health Insurance Portability and Accountability Act (HIPAA) modifications recently disclosed by the Centers for Medicare and Medicaid Services (CMS). Additionally, these solutions will support companies with the Workgroup for Electronic Data Interchange’s (WEDI) Strategic National Implementation Process (SNIP) Type 1-7 testing, and provide validation and error reporting capabilities to trading partners.

“Healthcare organizations should put HIPAA 5010 and ICD-10 migration initiatives in place soon, as delays may be costly and create process inefficiencies,” said Todd Feinroth, senior vice president, sales & alliances, Edifecs, adding, “The Axway/Edifecs joint solutions will deliver compliance tools, 5010 transaction processing capabilities, and services that are unmatched in the industry to assist with various global and internal company initiatives.”

To facilitate the U.S. transition to an electronic healthcare environment, one of the two final rules in the new HIPAA mandates is the updated X12 standard Version 5010, which includes new guidelines for claims, eligibility inquiries, referral authorization, remittance advice and more. It adopts an updated version of the National Council for Prescription Drug Programs (NCPDP) standard, and a standard for Medicaid pharmacy subrogation transactions.

“These new HIPAA regulations and changes in the industry are causing pharmacy benefit managers, hospitals, doctors, and insurance companies to implement new policies in order to facilitate the interoperability of stakeholder systems and drive efficiencies,” said Sia Zadeh, director, business development, Axway. “Our objective with Edifecs is to develop solutions to make achieving data quality and compliance easier for healthcare companies. This will help them be more competitive by driving automated transaction processing throughout their organizations.”

March 17, 2009 was the first of two effective dates for the latest modifications to the HIPAA Electronic Transaction Standards final rule. The final rule adopts new versions of the electronic transaction standards (ASC X12 Version 5010) and of the HIPAA Medical Data Code Set Standards (ICD-10-CM and ICD-10-PCS). The final rule also adopts two standards for billing retail pharmacy supplies and professional services, and clarifies who the “senders” and “receivers” are in the descriptions of certain healthcare transactions. Mandatory compliance with these standards is required by January 1, 2012. Finally, a transaction standard for Medicaid pharmacy subrogation will go into effect January 1, 2010, with mandatory compliance by January 1, 2013.

The HITECH Act revises HIPAA regulations

After the COBRA changes in the economic stimulus package signed by President Obama on February 17, 2009, come the changes to the Health Insurance Portability and Accountability Act, or HIPAA.

The revisions don’t affect all employers, only some in the healthcare sector, such as insurers, healthcare providers, and healthcare clearinghouses. Jennifer N. Willcox, an attorney with Pullman & Comley at the firm’s Bridgeport, Connecticut, office, notes that Title XIII of ARRA, known as the HITECH Act, is the source of these dozens of HIPAA revisions. When the HITECH Act becomes effective, in February 2010, business associates will be subject, for the first time, to the same civil and criminal penalties that can now be assessed against plans and providers for HIPAA violations.

At present, many state laws require that people whose personal information is stolen be notified by the company from which it was stolen. The HITECH Act now adds a federal obligation to those laws: individuals must be informed by the plans or providers, within no more than 60 days, if their personal information has been acquired or used without authority. And, if the data of 500 or more people is breached, the covered entity from which it was taken must report the incident to the Secretary of Health and Human Services (HHS).

Earlier, when individuals requested under HIPAA that the disclosure of their private health information be restricted, covered entities could refuse such a request. Once the HITECH Act is in effect, such a request must be honored if the information relates to an item or service for which the patient paid out of pocket.

HIPAA enforcement has also been strengthened. Criminal penalties will apply not only to covered entities that violate privacy rules but also to those organizations’ individual employees. Civil penalties have not only been increased, but they can also be shared with harmed individuals. Most important, HITECH gives state attorneys general the power to enforce HIPAA rules.

Is HIPAA Privacy Rule a failure in protecting Patient Privacy?

The Institute of Medicine has released a new report finding that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule not only fails to adequately protect the privacy of people’s personal health information but also hinders important health research discoveries. The HIPAA act regulates what uses and disclosures of personally identifiable health information are permitted by health plans, health care providers, and other entities covered by the regulation.

The report clarifies that the current HIPAA rule is difficult to reconcile with other federal regulations governing research involving people and their personally identifiable information. Based on this report, the Institute recommends that Congress authorize the development of an entirely new approach, separate from the current HIPAA Privacy Rule, to protect personal health information in research. This new approach should apply privacy, data security, and accountability standards uniformly to information used in all health-related research, regardless of who funds or conducts the research.

The committee has also made recommendations in case policymakers decide to continue relying on the current rule to protect privacy in health research. It recommends a series of changes to improve the rule and the guidance that the US Department of Health and Human Services (HHS) gives on how to comply with it. In addition, the report urges all institutions conducting health research to strengthen their data protection, including encryption for all laptops, flash drives, and other portable media containing such data.