The Health Insurance Portability and Accountability Act (HIPAA) Summary
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 as part of Congress’ attempt to develop standards and requirements for the maintenance and transmission of health information. Various sections of the Act have come into effect at staggered times to give “covered entities”, that is, health care providers (doctors and hospitals), health plans, healthcare clearinghouses and healthcare billing corporations or individuals, time to understand and change their practices in order to comply. A major portion that went into complete effect in April 2003 was the HIPAA privacy rules. The Office for Civil Rights, which is part of the US Department of Health and Human Services, enforces these privacy provisions. The provisions ensure that any identifiable health information is protected and that disclosure is limited to the individual themselves or to the Secretary of Health and Human Services for the purpose of determining compliance. Health information includes any information that is transmitted or simply maintained in any form (paper, oral or electronic), and this information must be protected for privacy purposes.
Another area of HIPAA regulation, which came into effect in April 2005, is the security and electronic signature standards, which are designed to implement controls that guarantee confidentiality and integrity. The April 2005 deadline applies to most health care entities, while small health plans have an extra 12 months before they need to comply. These provisions require that any electronic data be stored securely, and they dictate how electronic data is shared with other systems. Of note is that data stored electronically must also be stored offsite to ensure the availability and security of the data.
This white paper provides a short overview of this section of the HIPAA regulations and discusses how implementing GPmicro’s GPArchive Data Host Service can address HIPAA’s requirements for remote data backup as well as its disaster recovery requirements. GPmicro’s solution for data backup and recovery can help to decrease the costs associated with this portion of HIPAA compliance. More importantly, GPmicro’s solution ensures that the health information stored offsite (as required by HIPAA) is both transmitted securely and stored securely.
Introduction
HIPAA compliance in general can be achieved through the use of manual or automated processes, or any combination of the two. The focus of HIPAA is on standards for record keeping and for keeping track of those records. For example, a doctor’s office must have a written policy for the privacy of its patients’ records, and a specific person must be designated as the security officer. With regard to a doctor’s electronic records, the main factors are to ensure the confidentiality, integrity and availability of the data. HIPAA describes requirements for policies and planning for the manual aspect of a good security system and then describes the physical safeguards that must be implemented. These include requirements to protect physical media, e.g., backup tapes, to regulate access to the data center and to secure workstations. Further, specific controls such as authentication and access control mechanisms must be implemented. Transmission security mechanisms must also be in place to protect the data as it travels through networks from one system to another, so that the confidentiality, integrity and availability of the data are guaranteed.
Many of HIPAA’s requirements regarding security and electronic data are effectively routine standards that all organizations should follow to ensure their data is protected. Nevertheless, there are some specific requirements that only the health industry will be subjected to (e.g. a strict requirement for a digital signature). No single solution from the IT industry assures full HIPAA compliance. There is also no ‘certification process’ at all, even though many IT providers tout ‘HIPAA compliance’. HIPAA compliance will only be conferred after an audit of a covered entity, and then HIPAA will confirm that that entity has met all requirements outlined in the HIPAA regulations.
A simple and practical method is best for compliance
In order to comply, any office must identify all of its data, which may include databases, word-processing and spreadsheet files as well as any scanned documents. This is the information that is being protected. After noting where the data is stored, the next step is to determine how it gets there. For example, a typical database with a PC application front end receives direct input from administrators, while other systems transfer data between one another, e.g., a payer receiving data from covered entities. Covered entities must evaluate these authorized access points to the data. Each part of any system must be evaluated.
GPmicro’s remote data backup product, dinkum, has been designed by the company’s programming engineers with many effective yet routine security standards that also meet all of HIPAA’s regulations relating to the backup and safekeeping of patient health care information, as well as HIPAA’s disaster recovery plan requirements. Further, the transmission of data between GPmicro’s servers and the covered entities’ computers is protected using a digital certificate, as specifically required by HIPAA. These digital certificates, which are issued by several companies such as VeriSign, Inc., provide a level of secure transportability that is essential in the healthcare industry. A digital certificate is a credential that can be used by different systems. The certificate contains appropriate attributes about an individual and is verified by a trusted third party. The digital certificate has a secret counterpart called a private key that is retained by the individual, while the certificate itself is published to the community. The digital certificate ensures that the operation validated by the certificate (in this case the data backup or data restoration) could only have been performed by the private key owner. Because the data is also protected by encryption, only the owner of the private key can reveal it through the decryption process. Further, the data itself does not change when being transmitted from point A to point B.
It should be noted that all companies that may have access to health care information must also comply with the Privacy Rule, and this is accomplished through Business Associate contracts. Such a contract effectively confirms that the outside company (in this case GPmicro) will use appropriate safeguards to prevent the use or disclosure of the health information. Any breaches must be reported immediately, and any violation leads to the termination of the contract unless there is no viable alternative; in that case, the Department of Health and Human Services must be notified. The security section of HIPAA also requires that a Business Associate contract be in place, and it requires that the Business Associate implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, receives, maintains or transmits on behalf of the covered entity.
Further, any breaches need to be reported to the covered entity, and the Business Associate’s policies, procedures and documentation relating to such safeguards need to be made available to the Secretary of the Department of Health and Human Services to determine the covered entity’s compliance with the Business Associate contract requirements of the security rule.
Note: If a company cannot access the information then a Business Associate contract is not necessary.
Conclusion
GPmicro’s dinkum Data Backup service meets or exceeds all of HIPAA’s regulations relating to data backup that needs to be stored remotely as well as HIPAA’s disaster recovery requirements.
For instance:
- HIPAA requires that electronic data backups be stored offsite and allows covered entities 30 days’ grace in which to physically move the backups to a remote and secure location at least 6 miles away. GPmicro’s solution assures compliance with remote and secure backup storage by automatically transmitting the electronic data at least daily (or more often, should an entity so choose) to a secure remote location. The backup utility is easy to use: once installed, the backups run automatically in the background without the need to hire extra staff to oversee the process.
Where does the data go? GPmicro’s backup solution is run from a data center situated in the Las Vegas area, which is one of the top five in the US for network connectivity. The Las Vegas area is also not riddled with hurricanes, earthquakes, floods, tornadoes, power outages or ice storms. The data center, which is also used by top telecommunications companies, has 24/7 security personnel and employs photo ID and biometric access screening, so that direct access to the storage servers is restricted to authorized personnel. Before the data leaves a covered entity’s computer it is encrypted to the same requirements as online bank transactions, and it is stored encrypted on the data center’s servers. Only a covered entity’s authorized personnel can access the data that is stored offsite.
- HIPAA requires that health care information remains “available” and requires covered entities to be prepared for disaster recovery. GPmicro’s solution allows covered entities to quickly restore any healthcare information from the data center’s servers by simply selecting the information that needs to be restored and saving it into the required file directory on the covered entity’s onsite computers. This process can take a few minutes for small amounts of data and up to several hours for larger restores; the time depends strongly on the covered entity’s Internet connection speed and the file sizes.
Overall, the ease of use of the GPmicro solution for data backup and disaster recovery allows the costs of implementing this portion of the HIPAA compliance requirements to be kept to a minimum.
From the US government’s HIPAA rules
Physical safeguards to guard the integrity, confidentiality and availability of data, contained in s142-308b of the proposed rule.
| Requirement | Implementation |
| --- | --- |
| Assign security responsibility | To a specific individual or organization; the assignment is to be documented. Responsibilities include management and supervision of the use of security measures to protect data and of the conduct of personnel in the protection of data. |
| Media Controls | There need to be formal, documented policies and procedures for the receipt and removal of hardware/software into and out of the facility. Controls include: controlled access to media; accountability (a tracking mechanism); data backup; data storage; disposal. |