HIPAA & BUSINESS CONTINUITY / DISASTER RECOVERY OVERVIEW
Originally Published In: Disaster Recovery Journal
WHAT IS HIPAA?
HIPAA is the acronym for the "Health Insurance Portability and Accountability Act" of 1996. HIPAA regulations consist of a set of national standards that are designed to force the health care infrastructure to comply with strong security and privacy standards to protect personal health information.
Failure to comply with HIPAA can result in civil penalties (mainly fines) as well as criminal penalties (up to $250,000 and up to 10 years in prison).
In a recent survey of more than 350 IT leaders in U.S. healthcare organizations, 60 percent consider upgrading security for HIPAA compliance to be their top priority in 2002. Additionally, a recent survey, conducted by Phoenix Health Systems and the Healthcare Information and Management Systems Society (HIMSS), an organization representing more than 13,000 healthcare institutions, revealed that less than 50% of affected healthcare systems have completed an assessment of the effect that HIPAA will have on their organizations.
The final standards for HIPAA will take effect on April 21, 2003, while large health-care organizations have until April 2005 to comply with the regulations. Smaller ones are given an additional year to comply.
WHO NEEDS TO BE CONCERNED WITH HIPAA?
Obviously, health care providers, health care clearing houses and health care plans are at the top of the list. However, many other types of organizations are not yet aware that they are considered an entity covered by HIPAA. The organizations included under HIPAA's definition of a "covered entity" (and thus required to comply with the law) are the following:
Reaching HIPAA compliance represents a huge challenge to many companies. Although the absence of technological specifics regarding how organizations need to go about securing their records may make HIPAA compliance easier in some ways, in other ways, it will be more difficult for covered entities to understand whether they are in compliance.
One measure to be taken which is universally understood is that covered entities must carefully establish security policies and procedures (including Business Continuity and Disaster Recovery plans) and document why they chose certain tactics and technologies to secure their systems.
Any organization that does not display due diligence in starting this process will be in noncompliance. As a word of warning, experts predict that the government will finger a number of non-complying organizations to be "the poster children for HIPAA compliance."
HIPAA is not only a technology/information security issue; it's a policy, procedure, and culture change. Change brings opportunity, and HIPAA represents an opportunity for all professionals involved with medical records, not just medical records managers at hospitals, to increase their value to the organization by playing a key role in ensuring HIPAA compliance.
WHY IS HIPAA AN ISSUE FOR DISASTER RECOVERY PROFESSIONALS?
HIPAA contains strong requirements regarding disaster recovery and business continuity planning. It is therefore essential that all healthcare agencies launch their disaster recovery and business continuity planning program in a professional and straightforward manner. Section 142.308 (a)(3) of the Proposed Security Standard requires that covered entities, the aforementioned health plans, health care providers, and health care clearinghouses, draft a business continuity/contingency plan, defined in the proposed regulation as "a routinely updated plan for responding to a system emergency, that includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster."
(For simplicity's sake, consider "contingency plan" and "disaster recovery plan" to be interchangeable terminology.)
HIPAA regs describe the business continuity/contingency plan as one "which must contain a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. The plan must allow a covered entity to re-create, in the throes of a disaster such as a fire, the entire infrastructure necessary to guarantee information availability."
Since the first step in disaster recovery and business continuity planning is records protection, the safeguarding of vital and irreplaceable non-electronic documents is absolutely crucial for HIPAA compliance.
One well-known consultant in the HIPAA community, Michael Miora, CISSP, Founder and President of ContingenZ Corporation (www.contingenz.com), an international incident management and security consultancy, strongly endorses the use of fireproof containers for the protection of vital records in both hard copy and electronic form, especially in the healthcare industry where HIPAA mandates protection and preservation of health and related information, including signature information contained on consent forms.
"Protection is also relevant for companies outside the healthcare industry that provide some level of self insurance and, therefore, become subject to HIPAA as covered entities or associates," counsels Miora.
Some potential approaches for protection of vital records include: onsite fire-rated vault, safe or file cabinet, offsite storage at another location of the organization, and storage at a vendor that specializes in offsite vital records storage. Most companies employ various combinations of the above approaches. Whether you go with on-site or off-site, the first action to take is to procure fireproof safes and filing cabinets for on-site storage, as you will always, at one point, have vital records on-site, and obviously, no one is able to accurately predict the precise time a business interruption will occur.
Unfortunately, a large majority of consumers believe that standard filing equipment offers fire protection. This thinking, attractive in today's cost-conscious environment because it "seems" cheaper, is erroneous and potentially dangerous. Remember, you're attempting to show potential HIPAA inspectors a "best effort" to protect your most vital information assets, so it is highly advisable to seek the highest quality products for all your records protection needs.
Van Carlisle became President/CEO of Fire King in 1975. Having studied criminal justice at the University of Louisville and serving 6 years in the Air National Guard Security Police Force, Van brings a unique level of security expertise to the company.
SOURCES FOR FURTHER INFORMATION
U.S. Department of Health and Human Services
The International Association of Privacy Professionals
American Health Information Management Association
Healthcare Information and Management Systems Society
Phoenix Health Systems, HIPAA Compliance Resources
Centers for Medicare & Medicaid Services
Copyright 2003 Vital Records Protection.org