
HIPAA Compliance?


spacebass5000

Programmer
Nov 26, 2000
US
I currently co-own an IT Solutions/Outsourcing company and have been told I should become HIPAA compliant.

How do I go about this?

I'm obviously not a physician but I do work with physician's IT systems. Knowing this, how deep does it go for me?

Any help you have to offer will be greatly appreciated...
 
Ohhh, lucky you!!


That is a site with several of the HIPAA compliance documents.

Some things I can come up with off the top of my head...

1. Firewall must be in place
2. Password changes required for ALL systems every 30 days (maybe 60).
3. Screen Savers set to kick on every 10 seconds.

Those are just a few, I know there are more that impact the IT profession but I cannot recall them all.
 
I failed to see the HIPAA link (something to do with health) with screensavers or firewalls; probably I am missing something [ponder]
Spacebass, maybe you must have a health insurance plan if you have more than x employees.

Steven
 
HIPAA (Health Insurance Portability and Accountability Act of 1996) relates largely to protecting the privacy of health records. Hence, simple information security measures like screensavers and firewalls are a portion of what's required. Also physical security, security during data transmission and other handling, non-disclosure to unauthorized persons, etc., is all part of it. Policies and procedures, audit methods, and procedures for dealing with breaches would be another section. There's a lot to it.

seems to have some information; I just looked at the home page.
 
I just jumped around a while in the first link (5 or 6 pages) and it was not evident to me what it was all about. I am no US citizen either. The impression I have of the website is a thick book without an index.

Learned something again, thanks

Steven
 
I currently work in a health insurance company and our company is in the process of changing all computers to XP Pro because we were running 98 on all machines (about 600), and all computers are being changed to XP Pro as your OS needs to support NTFS v5. Anything below is supposedly non-HIPAA compliant and is subject to about $10K per infraction.
 
Wow, I can't believe the lack of HIPAA understanding. In a nutshell, HIPAA is about having policies and procedures in place to protect patient information, referred to in general as Protected Health Information or PHI. Electronic Protected Health Information or ePHI has to do with data records holding the same information as PHI. There are some loose minimum technology areas that also need to be addressed that are listed in the HIPAA Final Security Rule. This rule also covers physical security. HIPAA is vague in most areas it covers and is technology neutral so the US government does not have to provide funding to covered entities that would cover some or all of the costs to comply.

If you have a client that is a covered entity, they must send you a Business Associate Agreement and provide your company with their policies and procedures that govern PHI. You have to follow their rules when it comes to transmission and security of PHI. That does not mean you need to spend any money on your own network to become "HIPAA compliant".

In response to some of the comments about technology already posted:
aquias
1. A covered entity must protect their network from unauthorized access. Most companies have a firewall in place, but a proper Risk Assessment must be done to see if that is enough.
2. Passwords must be changed. HIPAA does not specify how often. Industry standard is a max of 90 days.
3. An idle screen must lock down via screensaver after an unspecified period of time. The time limit depends on the physical location of the screen and chance of unauthorized persons seeing PHI. Industry standard is a max of 15 minutes. High traffic areas such as reception desks are sometimes set as low as 30 seconds.

just1fix
ePHI encryption is divided into 2 categories, at rest and in motion. At rest is on hard disk, solid state disk, removable media, etc. In motion is any information being transmitted over wire (ethernet, ATM, internet, external e-mail, etc.), radio wave (WiMax, GSM, WLAN, etc.), laser beam, etc. In motion ePHI must be encrypted at a minimum of 128-bit.

Just a bit of background: I work for a large US health system that faced the HIPAA deadline of April 2005. Ultimately it comes down to what your risk analysis and lawyers say must be done.

[morning] needcoffee
 