What clients are saying
"As Stanley was preparing to leave yesterday, I quickly looked at your Invoice and wrote a check for that amount and gave it to Stanley as he departed.
After he had gone, I more carefully reviewed the bill and was quite surprised and grateful for the most generous discount you gave me.
I want to thank you for this and your courtesy, promptness and excellent service. Please convey this feeling also to Stanley."
-Jack Butterworth M.D.
HIPAA Compliance
HIPAA is the United States Health Insurance Portability and Accountability Act of 1996. There are two sections to the Act.
HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs. HIPAA Title II includes an administrative simplification section which deals with the standardization of healthcare-related information systems. HIPAA Title II is the section with IT implications for private and public health and medical organizations, as HIPAA Title II establishes mandatory regulations that, in all likelihood, require extensive changes to the way health providers conduct business.
HIPAA Title II seeks to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. The Act mandates: standardized formats for all patient health, administrative, and financial data; unique identifiers (ID numbers) for each healthcare entity, including individuals, employers, health plans and health care providers; and security.
The key elements of Title II are enumerated in 45 CFR Part 142 Subpart C, a Security and Electronic Signature rule proposed in 1998. In §142.308, the key elements are enumerated in section (a):
Certification - an internal or audited review
Chain of Trust – agreement with partners to protect data integrity and
Contingency Plan – a routinely updated plan that includes performing backups
Privacy regulations only pertain to "covered entities," which include healthcare providers, health plans, and healthcare clearinghouses. Covered entities are required to have contracts (a Certification) with business partners who may come into contact with protected health information; these contracts limit the business partner's uses and disclosures of that information to those permitted by the contract and require a system that complies with reasonable security standards.
Finally, there must be a Contingency Plan. As per §142.308(a)(3), the elements of the Contingency Plan must include:
2. Data Backup
3. Disaster Recovery
4. Emergency Mode Operation Plan
5. Testing and Revision Procedures
There are other security aspects including control of access, passwords, internal audit, etc., which are beyond the scope of this analysis but which are important to consider when evaluating a Backup System.
While HIPAA Title II requires no specific technology – no particular length of encryption, no particular type of backup – the implications are clear: health care providers need to protect and secure their patients' confidentiality and data.
HIPAA does require a Backup System, and the data stored in the Backup System must be protected within the same standards as the original data. That is where Factory7 comes in.
The Proposed Rule calls for a Data Backup to “create and maintain, for a specific period of time, retrievable, exact copies of information.” The backups must allow an enterprise to “restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.”
The Backup system must meet all of the Security requirements by being secure, confidential, available only to authorized personnel, and subject to the same electronic and physical safeguards as the original data.
An automatic, encrypted remote backup system with redundant servers is the ideal way to comply with HIPAA, because it meets and exceeds each of HIPAA’s
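The "retrievable, exact copies" requirement above is only meaningful if a restore can be checked against what was backed up. The following is an added illustration, not Factory7's software or any code from this page: it builds a backup catalogue (SHA-256 per file, retention window) protected by an HMAC so that tampering with the catalogue itself is detected, and it verifies a restore candidate byte for byte. The sample records, the key and the timestamps are constructed for the demonstration; encryption in transit and at rest, and the access controls the page mentions, are outside what this snippet shows.

```python
"""Verified backup manifest for "retrievable, exact copies" (added example)."""
import hashlib
import hmac
import json

# Constructed sample files standing in for patient and billing data (not real records).
SAMPLE_FILES = {
    "records/patient-0001.txt": b"Name: J. Doe\nDOB: 1970-01-01\nDx: sample\n",
    "records/patient-0002.txt": b"Name: A. Roe\nDOB: 1985-06-15\nDx: sample\n",
    "billing/2024-q1.csv": b"id,amount\n1,120.00\n2,85.50\n",
}
MANIFEST_KEY = b"constructed-demo-key"  # assumption: in practice a managed secret
FIXED_NOW = 1_700_000_000               # constructed timestamp for repeatable output


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the HMAC covers exactly the same bytes on both sides.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def create_backup(files: dict, manifest_key: bytes, retention_days: int, now: int):
    """Return (copies, manifest). Copies are byte-exact duplicates; the manifest
    records hash and size per file plus the retention window, and is HMAC-signed."""
    copies = {path: bytes(data) for path, data in files.items()}
    body = {
        "created": int(now),
        "expires": int(now + retention_days * 86400),
        "files": {p: {"sha256": sha256_hex(d), "size": len(d)} for p, d in files.items()},
    }
    tag = hmac.new(manifest_key, _canonical(body), hashlib.sha256).hexdigest()
    return copies, {"body": body, "hmac": tag}


def verify_restore(copies: dict, manifest: dict, manifest_key: bytes, now: int):
    """Check a restore candidate against its manifest. Returns (ok, problems)."""
    expected = hmac.new(manifest_key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # A forged or edited catalogue could otherwise "bless" a corrupted copy.
        return False, ["manifest signature mismatch"]
    body = manifest["body"]
    problems = []
    if now > body["expires"]:
        problems.append("backup past retention window")
    for path, entry in body["files"].items():
        data = copies.get(path)
        if data is None:
            problems.append(f"missing: {path}")
        elif len(data) != entry["size"] or sha256_hex(data) != entry["sha256"]:
            problems.append(f"corrupt: {path}")
    for path in copies:
        if path not in body["files"]:
            problems.append(f"unexpected: {path}")
    return not problems, problems


if __name__ == "__main__":
    copies, manifest = create_backup(SAMPLE_FILES, MANIFEST_KEY, 30, FIXED_NOW)
    print("clean restore:", verify_restore(copies, manifest, MANIFEST_KEY, FIXED_NOW))
    damaged = dict(copies)
    damaged["records/patient-0002.txt"] = b"Name: A. Roe\nDOB: 1985-06-16\nDx: sample\n"
    print("bit-flipped record:", verify_restore(damaged, manifest, MANIFEST_KEY, FIXED_NOW))
```

The check is deliberately two-layered: the per-file hashes catch media corruption or a partial restore, while the HMAC over the whole catalogue catches the case where someone edits the manifest to match an altered copy. Keeping the manifest key separate from the backup storage is what makes the second layer worth having.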
If your health care company or medical practice needs assistance, Factory7 can assist you. Give us a call and let us show you how we can help you become HIPAA compliant.