Inoculate Your Doctor Against HIPAA Violations

Inoculate Your Doctor Against HIPAA Violations


Healthcare has moved far beyond the "take two aspirin and call me in the morning" days. Emerging technologies have led to more accurate and quicker diagnosis, better communications between providers with the use of electronic medical records, and the freedom for healthcare professionals to increasingly concentrate on preventative care.

But as healthcare technology evolves, ever-more concerns surface regarding patient privacy. HIPAA (Health Insurance Portability and Accountability Act) is the congressional mandate that, among other things, requires healthcare providers to ensure patient privacy and the securing of electronic protected health information (ephi).

SMB healthcare providers are often caught in a compliance conundrum. They are not exempt from any regulations because of their size yet they may not have the budgets of larger healthcare agencies to upgrade and implement fully HIPAA-compliant systems. Think of it this way: your family doctor might also be a small business. He or she might be concerned about upgrading their servers, PCs and databases because of fear that HIPAA compliance costs could break the bank. But that doesn't need to be the case.

There are several keys areas where VARs can focus with their SMB healthcare clients. These areas are reflective of some of the requirements of the HIPAA Security rule. To have administrative, physical and technical safeguards in place:

Contingency plan- Administrative safeguard. Providers should have procedures in place outlining the course of action in the case of an emergency. This includes back up procedures. A smaller facility does not have to invest a lot for a decent back up strategy. Native OS back up programs like Windows Server Backup used in conjunction with an incremental tape or disk-based back-up should suit the small to midsize business fine. Also clients should be urged to rotate backup sets, keeping a set on-site and a set off-site in the event of a disaster.

Auditing-Administrative Safeguard. Knowing who is accessing sensitive data and when they are accessing it, is a big part of HIPAA compliance. Windows (or Linux or Mac OS X, for that matter) features auditing capabilities that can report on AD objects like NTFS folders. Many of the more popular healthcare clinical and billing systems now have HIPAA auditing modules that will generate reports. There are a few third-party auditing tools available out there as well designed specifically for HIPAA purposes, like Risk Watch. Again, providers do not have to necessarily max their budgets to minimally meet this area of compliance.

Encryption and Data Security-Technical Safeguard. Providers should be urged to implement some sort of encryption and data security strategy when it comes to ephi. Strategies could range from password-protecting back-up tapes to implementing server-side encryption software that will secure outbound mail. Some smaller providers, who may not normally transmit large volumes of ephi should, at the very least, use a simple encryption method like Winzip on the occasion they do need to send a file containing phi out via email. A better option though, is to implement a client-side solution like Secure Mail, which provides cost-effective encryption and digital signature.

Facility Security- Physical Safeguards. There are measures providers can take, which are of minimal or no cost. They include keeping printers and faxes clear of patient data, discarding printed phi in separate bins for shredding, strategically placing monitors at angles in which the display is not easily seen and placing privacy guards on them. (Opting for LCDs that provide shading features can work, as well.)

NPI-Unique Identifiers Rule. By May 23, 2008, smaller facilities will have to use an NPI (National Provider Identifier) number on their billing claims, submissions and other standard forms. This is a 10-digit number unique to every healthcare provider issued by CMS (Centers for Medicare & Medicaid Services). Healthcare software vendors should be engaged, now, to ensure that this assigned number is integrated in the provider's billing/clinical systems.

Getting healthcare entities, no matter what the size, in the right direction towards HIPAA compliance is beneficial to the provider and ultimately, to the consumer. It can be achieved for the smaller facilities in an economical manner.

(For a full review of HIPAA compliancy regulations, visit CMS' website at www.cms.gov.)