How can businesses ensure HIPAA compliance?

Posted: April 1, 2009 in HIPAA, Posts

With recent changes in HIPAA standards announced earlier this week, we wanted to examine how healthcare organizations of all sizes can ensure compliance from a technological perspective. We spoke to NCP Engineering’s Rene Poot for his thoughts:

HIPAA is a collection of standards striving for an effective and efficient method of exchanging information to the right people in a secure manner, thereby creating streamlined workflows in an electronic environment, and so delivering higher quality yet affordable health care. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

This ranges from keeping file cabinets/record rooms locked, stricter access controls to computers (password requirements or smart card authentication), to the more complex data storage, digital signatures to ensure non-repudiation, etc.

Let’s focus on the PHI that is being transmitted, or in other words, when Electronic Protected Health Information is being transported over open networks: that’s where secure communication plays a role; this is where NCP steps up to the plate. These requirements are not by any means limited to HIPAA, as the same requirements are also applicable to financial institutions, government departments, police departments, and so forth.

What our customers in these different fields appreciate is NCP’s understanding of secure communications: the safeguarding of the data in transit, but also verifying the authenticity and authorization of the person receiving and transmitting the information by means of strong (multi-factor) authentication. The HIO in question can select which vendor/provider they want to use for this; be it a PKI environment with smart cards or an OTP setup, NCP is flexible and will allow for this freedom of choice. In short, secure communication has to provide:

– Strong Authentication: the assurance to one entity that another entity is who he, she, or it claims to be,

– Integrity: the assurance to an entity that data has not been altered (intentionally or unintentionally) in transit,

– Confidentiality: the assurance to an entity that no one can read a particular piece of data except the receiver(s) explicitly intended.

Of course one can impose a lot of restrictions on the user, but besides user awareness (often overlooked, as not everything can be locked down by technology: think of discussions about patients and treatments in public areas between personnel or with family members), there is user-friendliness. When users are confronted with a lot of barriers that keep them from performing their work in an efficient, effective manner, they will inevitably find a way to circumvent them. By making the procedure of establishing a secure connection as easy and as transparent as possible for the user, yet maintaining a high level of security, an administrator can tick this requirement off the list and have the assurance that this base is covered.
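
Two of the three properties listed above, integrity of ePHI in transit and strong authentication by one-time password, worked through as an added example. This is not NCP's code and not part of the original post; it uses only the Python standard library, implements HOTP (RFC 4226) and TOTP (RFC 6238) for the "OTP setup" case, and an HMAC-SHA256 tag for detecting alteration in transit. Confidentiality is deliberately left out, since the standard library ships no authenticated cipher and in practice it comes from the VPN (IPsec or TLS) itself. The patient record, keys and function names are constructed for illustration.

```python
"""Added example: integrity (HMAC tag over ePHI) and strong authentication
(RFC 4226 HOTP / RFC 6238 TOTP) using only the Python standard library.
Names, keys and the sample record are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# --- Strong authentication: one-time passwords ------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time (RFC 6238)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock skew.
    Each candidate is compared in constant time."""
    at = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, at + skew * step, step, digits), code)
               for skew in range(-window, window + 1))


def new_otp_secret() -> str:
    """Per-user shared secret for enrolment, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

# --- Integrity: a keyed tag over the ePHI payload in transit -----------------

TAG_LEN = 32  # HMAC-SHA256 output size


def seal(key: bytes, payload: bytes) -> bytes:
    """Wire format: tag || payload. The tag binds the payload to the shared link key."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def open_sealed(key: bytes, message: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies, else None (altered or forged in transit)."""
    tag, payload = message[:TAG_LEN], message[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Send a constructed record intact and with one byte flipped, and log in with a TOTP."""
    ephi = b'{"patient": "EXAMPLE-0001", "note": "follow-up visit scheduled"}'  # constructed
    link_key = secrets.token_bytes(32)
    sent = seal(link_key, ephi)
    # one byte flipped on the wire, whether by a faulty proxy or an attacker
    tampered = sent[:-1] + bytes([sent[-1] ^ 0x01])
    otp_secret = base64.b32decode(new_otp_secret())
    return {
        "intact_accepted": open_sealed(link_key, sent) == ephi,
        "tampered_rejected": open_sealed(link_key, tampered) is None,
        "otp_accepted": verify_totp(otp_secret, totp(otp_secret)),
    }


if __name__ == "__main__":
    print(demo())
```

The HOTP/TOTP routines reproduce the published RFC test vectors (secret `12345678901234567890`, counter 0 gives `755224`), which is the check to run before trusting any home-grown OTP verifier. The integrity tag only detects alteration; it does not hide the record, so on an open network it sits inside, not instead of, the encrypted tunnel.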

Comments
  1. Foresight says:

    The HIPAA guidelines for maintaining the patient information security will definitely change the health care sector. In the i-age there is a greater need for information security.

  2. […] what we’re reading, week of 7/20 By vpnhaus Categories: Highlights Branden Williams’ Security Convergence Blog… Guest Post: HITECH Alters HIPAA—Will HIPAA be ‘Hip’? Guest blogger, Bindu Sundaresan discusses the changes to HIPAA, and how they will impact healthcare management’s current way of dealing with electronic health records (or EMRs). As these ‘rules are here to stay’, Bindu reminds us to seek advice from our security consultant to stay compliant. How does this relate to VPN? EMRs need to be sent over secured VPN networks—check out NCP’s Rene Poot’s comments on HIPAA. […]

  3. […] Network Security with EMRs By vpnhaus Categories: Posts In last week’s highlights, we included a post from Branden Williams’ Security Convergence Blog on EMRs. We thought this week’s post would be a good opportunity to elaborate on Branden’s and our own from earlier in the year, How can businesses ensure HIPAA compliance? […]
