HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) affects most organizations that provide healthcare, support healthcare providers, or transact business with other health-related organizations. As a result, HIPAA affects employers, financial institutions, information technology outsourcing vendors, and ISPs.

HIPAA is intended to ensure the privacy and confidentiality of personal health information, and its privacy rules apply to healthcare payers, providers and clearinghouses that qualify as “covered entities” (CEs). Under HIPAA, the owner of the data in an outsourcing relationship must require the service provider (known as a “business associate” under HIPAA regulations) to maintain the confidentiality of the information.

Of the five major parts comprising HIPAA, the Administrative Simplification Act most affects information technology systems. The Administrative Simplification Act calls for industry-standard electronic data interchange (EDI) combined with stronger security standards intended to guard against fraud and abuse and to eliminate unauthorized use of healthcare information.

It is important to note that there is no true HIPAA hosting certification, but there are stringent guidelines that must be met. Still, without a benchmark, compliance with the security and privacy rules is open to interpretation. Logicworks maintains a SAS 70 Type II audit and exercises the utmost diligence in the evaluation and implementation of processes, policies, and systems. LogicOps, our asset management and tracking system, provides detailed, auditable documentation of all activity related to your account at Logicworks.

HIPAA Compliance Overview

HIPAA-compliant hosting requires that Covered Entities, such as HMOs and group health plans, meet certain standards. While the onus is on the healthcare organization to meet the listed requirements, Logicworks provides an infrastructure that helps clients comply with HIPAA’s newest “Security Rule”. A combined approach, in which the client provides the methodology for compliance and Logicworks provides compliant hosting and database services, is the ideal, cost-effective way to achieve compliance.

A HIPAA-compliant solution must meet all of the following criteria:

Identification & Authentication
The process of correctly identifying and authenticating users.

Authorized Privileges & Access Control
The process by which authorizations or privileges are granted and enforced.

Confidentiality
Access controls must ensure that there is no accidental or unauthorized disclosure of data (for example, through encryption).

Integrity
Measures to ensure that data does not get unintentionally or maliciously altered.

Accountability
Tracking the actions or behaviors of users (auditing; how data is accessed).

HIPAA's Security Rule

The HIPAA Security regulations apply to protected health information that is maintained electronically or used in an electronic transmission. Their requirements are divided into administrative, physical and technical safeguards. Each safeguard category is further divided into standards and implementation specifications that give instructions for putting the components of that category in place. The standard aims at assuring the integrity and availability of electronic protected health information (PHI); accordingly, the Security Rule addresses issues such as data backup, disaster recovery and emergency operations.

Logicworks will aid customers in compliance by jointly fulfilling the requirements through the following means:

Physical Security

  • SAS 70-compliant hosting facility
  • Exclusively dedicated server infrastructure
  • Monitored, authenticated access to servers and facilities

Personnel Security

  • Background check on Logicworks’ employees

Electronic Security

  • Secure authenticated access (VPN)
  • Penetration and security testing
  • Stringent firewall and router configurations and settings
  • Strong Logicworks password requirements and procedures

Additional Compliance Opportunities

In an effort to substantially ease the deployment of and transition to HIPAA compliance, Logicworks has partnered with Oracle and Microsoft, companies that provide software to meet the auditing and authentication needs of HIPAA-compliant environments. Logicworks is particularly well-equipped to support the regulatory-compliant database systems from both vendors through Logicworks’ own No Transactions Lost™ Managed Database service.

Both Oracle 10g/11g and Microsoft SQL Server 2005 have security and encryption features to safeguard information contained within databases. It is now possible to shield confidential data from DBAs and server administrators without impacting the efficiency of the day-to-day tasks they perform.

Therefore, aside from being able to supply a compliant infrastructure, Logicworks is also ideally equipped to maintain Covered Entities’ data integrity.