DISASTER RECOVERY JOURNAL

HIPAA

HIPAA Top Priority For Health Care Providers, Others Affected Too

By VAN CARLISLE

In a recent survey of more than 350 IT leaders in U.S. healthcare organizations, 60 percent considered upgrading security for HIPAA compliance to be their top priority in 2002. Additionally, a recent survey conducted by Phoenix Health Systems and the Healthcare Information and Management Systems Society (HIMSS), an organization representing more than 13,000 healthcare institutions, revealed that fewer than 50 percent of affected healthcare systems have completed an assessment of the effect that HIPAA will have on their organizations.
Who needs to be concerned with HIPAA? Obviously, health care providers, health care clearing houses and health care plans are at the top of the list. However, many other types of organizations are not yet aware that they are considered an entity covered by HIPAA. Organizations that fall under HIPAA’s definition of a “covered entity” (and are thus required to comply with the law) include the following:
• Indemnity insurers
• Health maintenance organizations
• Any organization that transmits health care claims
• Any organization that transmits health care payment and remittance advice
• Any organization involved with the coordination of health benefits
• Any organization that determines health care claim status
• Any organization that administers enrollment and disenrollment in a health plan
• Any organization that determines and administers eligibility for a health plan
• Any organization that administers health plan premium payments
• Any organization that administers referral certification and authorization
• Any organization that administers first report of injury or health claims attachments
• Billing agents that handle the above activities on behalf of other covered entities
Reaching HIPAA compliance represents a huge challenge to many companies. Although the absence of technological specifics regarding how organizations must go about securing their records may make HIPAA compliance easier in some ways, in other ways it will be more difficult for covered entities to know whether they are in compliance.
One measure to be taken, which is universally understood, is that covered entities must carefully establish security policies and procedures (including business continuity and disaster recovery plans) and document why they chose certain tactics and technologies to secure their systems.
Any organization that does not display due diligence in starting this process will be in noncompliance. As a word of warning, experts predict the government will finger a number of non-complying organizations to be “the poster children for HIPAA compliance.” Failure to comply can result in civil penalties and/or criminal penalties up to $250,000 and up to 10 years in prison.
HIPAA is not only a technology/information security issue; it’s a policy, procedure, and culture change. Change brings opportunity, and HIPAA represents an opportunity for all professionals involved with medical records, not just medical records managers at hospitals, to increase their value to the organization by playing a key role in ensuring HIPAA compliance. A good place to start, experts recommend, is to conduct an overall organizational risk assessment to identify gaps in your current confidentiality and security practices.
The privacy requirement is where much of the media attention has focused, due in part to the overall increase in the level of knowledge that the public has attained over the past few years with regard to privacy. The privacy rules dictate that patient-identifiable information, called “protected health information” (PHI), must be secured. This mostly involves obtaining explicit patient consent to use PHI for the purposes of providing health care, seeking payment for such, as well as requiring patient authorization for any other use of PHI, such as research or marketing.
The main goal of the privacy rule is to put an end to the laxity with which paper-based medical documents are treated – haphazardly passed from person to person, copied, left out in the open, and sometimes lost.
In order to reach compliance with the HIPAA security rule, covered entities must take specific steps to protect the integrity of the health information and prevent unauthorized breaches of privacy. A breach can occur when data is lost or destroyed by accident, intentionally stolen, or sent to the wrong party by accident. Security measures are described as physical (controlled access to records, including storage facilities), administrative (policies and procedures), or technical (encryption of electronic data and use of digital signatures to authenticate users logging into a computer system).
The security requirement is where disaster recovery professionals are most likely to be called on to lend their expertise to the compliance effort, as HIPAA contains strong requirements regarding disaster recovery and business continuity planning. It is therefore essential that all healthcare agencies launch the disaster recovery and business continuity planning program in a professional and straightforward manner. Section 142.308(a)(3) of the Security Standard requires that covered entities, the aforementioned health plans, health care providers, and health care clearinghouses, draft a business continuity/contingency plan, defined in the proposed regulation as “a routinely updated plan for responding to a system emergency, that includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster.”
One element of the overall contingency plan is a disaster recovery plan, which must contain a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. The plan must allow a covered entity to re-create, in the throes of a disaster such as a fire, the entire infrastructure necessary to guarantee information availability.
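A backup that cannot be proven intact is not a recovery process. The following is an added example, not code from the article or from Fire King: it builds a SHA-256 manifest over a record set, and after a restore reports which files are missing, altered, or unexpected, which is the evidence a plan reviewer would want for the “restore any loss of data” requirement above. It assumes a simple file-based backup (plain directory copies stand in for offsite media), and all sample records are constructed inline; no real PHI is involved.

```python
"""Backup manifest and restore verification (added example, not from the DRJ article).

Assumption: backups are file trees. A manifest of SHA-256 digests is written at backup
time; after a restore the tree is compared against that manifest. Sample data below is
constructed for the demo and is not real patient information.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against a manifest.

    Returns {'missing': [...], 'altered': [...], 'unexpected': [...]}; three empty
    lists mean the restore reproduced the backed-up data exactly.
    """
    current = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in current)
    altered = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(p for p in current if p not in manifest)
    return {"missing": missing, "altered": altered, "unexpected": unexpected}


def demo():
    """Constructed scenario: back up a small record set, restore it cleanly, then
    corrupt one file and lose another to show what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "records")
        os.makedirs(os.path.join(src, "patients"))
        # Constructed sample records (not real PHI).
        with open(os.path.join(src, "patients", "p001.txt"), "w") as f:
            f.write("patient record 001 (constructed sample)\n")
        with open(os.path.join(src, "patients", "p002.txt"), "w") as f:
            f.write("patient record 002 (constructed sample)\n")
        with open(os.path.join(src, "index.txt"), "w") as f:
            f.write("p001,p002\n")

        # Manifest is written at backup time and kept with the backup media.
        manifest_path = os.path.join(tmp, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(src), f, indent=2, sort_keys=True)

        # Plain copies stand in for the backup and restore steps of a real plan.
        backup = os.path.join(tmp, "backup")
        shutil.copytree(src, backup)
        restored = os.path.join(tmp, "restored")
        shutil.copytree(backup, restored)

        with open(manifest_path) as f:
            loaded = json.load(f)
        clean = verify_restore(loaded, restored)

        # Simulate damage: one record altered in place, one file lost entirely.
        with open(os.path.join(restored, "patients", "p001.txt"), "a") as f:
            f.write("corrupted\n")
        os.remove(os.path.join(restored, "index.txt"))
        damaged = verify_restore(loaded, restored)
        return clean, damaged


if __name__ == "__main__":
    clean_result, damaged_result = demo()
    print("clean restore:", clean_result)
    print("damaged restore:", damaged_result)
```

The manifest should be stored separately from the data it describes (with the offsite copy, or in the plan documentation) so that a corrupted or partial restore can be detected rather than assumed good; running the verification on a schedule, not only after an incident, turns the plan's “routinely updated” wording into something that can be shown to an inspector.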
It’s not all about HIPAA compliance, however; it’s also good business sense. During the course of developing a good disaster recovery and business continuity plan, you are likely to come up with valuable information and data needed for high-level business strategy decisions, such as determining and prioritizing all your organization’s critical business applications.
To state it as simply as possible, the first step in disaster recovery and business continuity planning is records protection. The safeguarding of vital and irreplaceable non-electronic documents is absolutely crucial for HIPAA compliance.
Some potential approaches for protection of vital records include: onsite fire-rated vault, safe or file cabinet, offsite storage at another location of the organization, and storage at a vendor that specializes in offsite vital records storage. Most companies employ various combinations of the above approaches. However, you will always have vital records onsite at some point, and no one is able to accurately predict the precise time a business interruption will occur.
Remember, you are attempting to show potential HIPAA inspectors a “best effort” to protect your most vital information assets. As such, it is highly advisable to seek products that are tested by Underwriters Laboratories (UL) or other nationally known independent testing labs.



Van Carlisle became president and CEO of Fire King in 1975. Having studied criminal justice at the University of Louisville and serving six years in the Air National Guard Security Police Force, Carlisle brings a unique level of security expertise to the company.



©Copyright 2003 Systems Support Inc. All rights reserved. Reproduction in whole or in part in any form or medium without the express written permission of System Support Inc. is prohibited.