HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It holds businesses to the same standard as a doctor who must guard his patients' confidentiality. That used to mean the doctor never talked about his patients except when consulting other professionals, and kept the medical records in a secure location. Today medical records and other health care information are stored on computers and passed back and forth over the internet. HIPAA sets rules for electronic health care transactions for doctors, hospitals, other health care providers, health insurance plans, and employers. If your business provides health insurance as part of its benefit package, or receives and stores any health information as part of employee disability claims or for any other reason, you are obligated to comply with HIPAA rules and regulations.
The part of HIPAA that your business will be concerned with is Title II, which addresses data privacy and data security. Basically, you need to make sure that any patient data you hold because of insurance coverage, disability claims, or any other reason is kept private and remains secure from anyone without the right to see it. That said, HIPAA can be pretty complicated, and you may need help both setting up and maintaining a system for handling it. Contact the top accounting firm in the Kansas City area, Exigo Business Solutions, if you would like help.
The three sets of safeguards of patient data privacy in HIPPA are administrative, physical, and technical.
The administrative safeguards come first. If you have to deal with HIPAA requirements, you need to develop a written policy, including security procedures, and designate a security officer who will make sure that the policy is carried out. The policy needs to specify how management handles these requirements and who is responsible.
The policy then needs to say who will have access to the protected electronic information and how access will actually be restricted to those individuals. Authorization procedures must be spelled out. There needs to be an ongoing training program, and that training and all of the other rules apply equally to anyone to whom you outsource any of this work (under HIPAA such a vendor is a "business associate," and you need a written agreement with them that binds them to the same obligations).
HIPAA also requires contingency plans for coping with emergencies, periodic internal audits, and documented procedures covering nearly every part of the program.
We at Exigo Business Solutions can help you develop these procedures, but you need to understand them yourself.
The physical safeguards are a bit like the old doctor's office. You need to make sure that access to information is limited to those with a right to see it. But since this is the electronic and internet age, that includes physical access to workstations, servers, and media, and it also means limiting who holds administrative privileges on those systems. As with the administrative safeguards, you need a written policy and training.
The technical safeguards are where this becomes more complicated again.
Information systems that hold protected health information, PHI, have to be protected against intrusion. Encryption of PHI is the expected control whenever data crosses an open network or sits in the cloud. For a "closed" network such as an office LAN, HIPAA treats encryption as "addressable," meaning you may decide it is not reasonable in a given case, but you must document that decision and still apply the other technical safeguards (access controls, audit logging, and so on); a closed network is not an exemption.
In all cases, you are responsible for making sure that data has not been erased or changed by unauthorized persons. Data integrity mechanisms such as digital signatures, message authentication codes, double-keying (two independent entries of the same data), or checksums may be required. The mechanism matters: a plain checksum detects accidental corruption, but anyone who can alter the record can also recompute the checksum, so it does nothing against deliberate, unauthorized changes. A keyed message authentication code or a digital signature catches those as well, because producing a valid tag requires a key the tamperer does not have.
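To make the difference concrete, here is an added illustration that is not part of the original article. It uses only the Python standard library and a constructed sample record (not a real patient); `SAMPLE_RECORD`, the function names, and the use of CRC-32 and HMAC-SHA256 are this example's own choices, not something the article or HIPAA prescribes. It shows that a checksum catches an accidental bit flip but not an insider who edits the record and recomputes the checksum, while an HMAC catches both.

```python
import hashlib
import hmac
import json
import secrets
import zlib

# Constructed sample record for illustration only; not real patient data.
SAMPLE_RECORD = {"patient_id": "A-0001", "diagnosis": "J45.909", "claim_amount": 120.00}


def canonical_bytes(record: dict) -> bytes:
    """Serialize the record deterministically so the same content always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def crc32_tag(record: dict) -> str:
    """Unkeyed checksum: detects accidental corruption, but anyone can recompute it."""
    return format(zlib.crc32(canonical_bytes(record)) & 0xFFFFFFFF, "08x")


def hmac_tag(record: dict, key: bytes) -> str:
    """Keyed message authentication code: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_hmac(record: dict, key: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag byte by byte."""
    return hmac.compare_digest(hmac_tag(record, key), tag)


def demo(key: bytes = None) -> dict:
    """Run both mechanisms against an accidental change and a deliberate one.

    Returns booleans saying which mechanism detected which event.
    """
    if key is None:
        key = secrets.token_bytes(32)  # the integrity key; must be kept from anyone who can edit records

    # Tags computed and stored when the record was written by an authorized user.
    stored_crc = crc32_tag(SAMPLE_RECORD)
    stored_mac = hmac_tag(SAMPLE_RECORD, key)

    # Case 1: accidental corruption in transit or on disk. The stored tags are unchanged,
    # so the verifier recomputes over the corrupted record and compares to what was stored.
    corrupted = dict(SAMPLE_RECORD, claim_amount=121.00)
    crc_catches_corruption = crc32_tag(corrupted) != stored_crc
    mac_catches_corruption = not verify_hmac(corrupted, key, stored_mac)

    # Case 2: deliberate tampering by someone with write access to the record store.
    # They change the record AND replace the stored checksum with a freshly computed one,
    # which needs no secret. They cannot do the same for the HMAC without the key.
    tampered = dict(SAMPLE_RECORD, claim_amount=9999.00)
    attacker_crc = crc32_tag(tampered)             # attacker overwrites the stored checksum
    crc_catches_tampering = crc32_tag(tampered) != attacker_crc   # verifier is fooled
    mac_catches_tampering = not verify_hmac(tampered, key, stored_mac)  # old tag no longer matches

    return {
        "crc_catches_corruption": crc_catches_corruption,
        "mac_catches_corruption": mac_catches_corruption,
        "crc_catches_tampering": crc_catches_tampering,
        "mac_catches_tampering": mac_catches_tampering,
    }


if __name__ == "__main__":
    for name, caught in demo().items():
        print(f"{name}: {'detected' if caught else 'NOT detected'}")
```

The practical point is where the key lives: an HMAC only helps if the people and processes allowed to edit records cannot also read the integrity key, which is why the key belongs in a separate service or hardware module rather than next to the data. Double-keying addresses the same risk organizationally, by requiring two people to enter the same data independently.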
If you share this information with anyone else, authentication procedures need to be in place. Basically, you need to be sure that you are sending data to a person or system that is who it claims to be, and you need to be able to show that you checked. You also need to make documentation of these HIPAA data practices available to the government (the HHS Office for Civil Rights) on request. That documentation includes the configuration settings of your network and systems, and any changes to them need to be documented as well.
And you need to show that you are taking all reasonable precautions to make sure that no protected health information ends up being used for purposes unrelated to the person's health care. HIPAA requires a risk analysis and an ongoing risk management program, and both must be documented.
And then there is the issue of keeping your business records in the cloud.
One of the issues not foreseen when the law was written is that today a lot of information is stored in the cloud and the internet is used to transfer that same information. You remain responsible for your HIPAA-related data even though much of it is now stored in the cloud. What you need to know is whether this puts you at risk for a HIPAA violation, or a dozen.
Many businesses use Microsoft's Office 365 and work in the cloud. This is a very effective way to do business, and you may well have HIPAA-related data in your Office 365 mailboxes and files. The catch is that Microsoft's built-in retention and recycle-bin features are not a substitute for a backup of your Office 365 data and email; keeping a recoverable copy is your responsibility. Does this put you at risk of a HIPAA violation? You could just close your eyes and hope that nothing happens, or you could look at systems that do cloud-to-cloud backups, including backing up your Office 365 files. Keep in mind that any backup vendor holding copies of your PHI is a business associate under HIPAA and must sign a business associate agreement with you. At Exigo Business Solutions we are not only partners with Microsoft, we partner with three different companies that provide Office 365 and email backup: Datto, SkyKick, and Dropsuite.
All three are solid solutions to the problem of losing HIPAA-related data stored within Office 365. Talk to us about which one will best fit your business needs.