HIPAA Help


How to answer your SMB health-care customers' concerns about HIPAA protocols


Health care has moved far beyond the days of "take two aspirin and call me in the morning." Emerging technologies have led to more accurate and quicker diagnoses, better communications between providers through the use of electronic medical records and the freedom for health-care professionals to concentrate on preventative care.

But as health-care technology evolves, so do concerns about patient privacy. HIPAA is the Congressional mandate that requires health-care providers to ensure patient privacy and to secure Electronic Protected Health Information (ePHI).

SMB health-care providers often face a compliance conundrum. They are not exempt from any regulations because of their size, yet they may not have the budgets of larger health-care agencies to upgrade and implement fully HIPAA-compliant systems.

However, there are several key areas to which VARs can turn when focusing on their SMB health-care clients. These areas are reflective of some of the requirements of the HIPAA security rule. To have administrative, physical and technical safeguards in place, consider the following:

1. Contingency Plan
Administrative Safeguard: Providers should have procedures in place that outline the course of action in the case of an emergency, including backup procedures. A smaller facility doesn't have to invest a lot for a decent backup strategy. Native OS backup programs like Windows Server Backup used in conjunction with an incremental tape- or disk-based backup should suit the SMB fine. Also, clients should be urged to rotate backup sets, keeping a set on-site and a set off-site in the event of a disaster.

2. Auditing
Administrative Safeguard: Knowing who is accessing sensitive data and when they are accessing it is a big part of HIPAA compliance. Many of the more popular health-care clinical and billing systems now have HIPAA-auditing modules that will generate reports. There are also a few third-party auditing tools designed specifically for HIPAA purposes. Providers do not have to necessarily max their budgets to meet this area of compliance.

3. Encryption And Data Security
Technical Safeguard: Providers should be urged to implement some sort of encryption and data security strategy when it comes to ePHI. Strategies could range from password-protecting backup tapes to implementing server-side encryption software that will secure outbound e-mail. Smaller providers that may not normally transmit large volumes of protected health information should, at the very least, use a simple encryption method like WinZip. A better option is to implement a client-side solution like Secure Mail, which provides cost-effective encryption and a digital signature.

4. Facility Security
Physical Safeguards: Minimal and no-cost measures include keeping printers and faxes clear of patient data, discarding printed protected health information in separate bins for shredding, strategically placing monitors at angles in which the display is not easily seen and placing privacy guards on them.

5. NPI
Unique Identifiers Rule: By May 23, 2008, smaller facilities will have to use a National Provider Identifier (NPI) number on their billing claims, submissions and other standard forms. The NPI is a 10-digit number unique to every health-care provider issued by the Baltimore-based Centers for Medicare & Medicaid Services. Health-care software vendors should be engaged now to ensure that this assigned number is integrated in the provider's billing/clinical systems--and therefore, so should VARs.

No matter what their size, steering health-care organizations in the right direction toward HIPAA compliance is beneficial to the provider and, ultimately, to the consumer. It doesn't have to break the bank, either.