Page 2 of 2, results 26 to 35 of 35
  1. #26 oneclicksolution (SitePoint Member)
    Quote Originally Posted by Sketch
    1. You MUST be on a dedicated server as access control MUST be tight and there's no way to guarantee access control on a shared server.
    2. If the server is colocated or is leased as a dedicated server, you run into sticky situations. You cannot let ANYONE work on that server who isn't authorized to do so, including junkie data center techs. You must know at all times who is accessing that data or who may access that data. I recommend that you set up a server in-house and lock it up.
    3. There MUST be some measure of secure authentication before any info is provided... preferably multiple layers.
    4. Treat HIPAA sensitive info as top secret classified eyes-only. Super secret CIA spooks will swoop in on you in the middle of the night if you aren't compliant. Better get a copy of Catcher in the Rye
    5. Find another way to refer to patients than social security numbers. Create your own identifiers. Whatever. But SSNs should never be used. Even over SSL.
    I agree with 95% of line items one, two, and three. The other 5% is in disagreement with regard to most of what his application is dealing with being ultimately "addressable". This all depends on what MCsolas and his team of lawyers determine as "reasonable" and "appropriate". Line item 4 may be a little draconian, but I haven't worked with the Navy's standards. ePHI (Electronic Protected Health Information) is sensitive; however, take into consideration the scope of the information: it is just a hop, skip, and a jump away from being public knowledge. Really, think of how many individuals on a daily basis see your personal ePHI when you visit your doctor for a general checkup. Hundreds if not thousands. It's a serious issue and I am not stating that the information is not important to protect, but maybe not by CIA standards (i.e. "top secret classified eyes-only").

    Oh, and line item five is good too. ;-) As long as you secure the store (database) of NewID# to SSN# more so than you normally would.

  2. #27 Technosailor (Prolific Blogger)
    I'm probably saying more here than I should and if ever identified, could probably be charged, but I'm not giving away the shop here when I say: Navy standards are STRICT HIPAA regulations. Marines and Sailors fighting a war. Combat casualties. Where treated. Nature of injuries. Combat wounded and dead. Serious stuff. If you like NCIS confiscating whole offices of computers without warning or reason, then just f around a little bit with HIPAA non-compliance. Trust me. I've seen it. I've had to participate in the confiscations.
    Aaron Brazell
    Technosailor

  3. #28 oneclicksolution (SitePoint Member)
    Wow. In that situation I can understand. A lot different from commercial HMOs or CEs. Just a question, maybe to better my processes: could you give some tips on the incident response process? This is a big concern and part of the administrative safeguards, and from my understanding a good portion of the industry is having issues developing their own program. Thoughts?

  4. #29 Technosailor (Prolific Blogger)
    Well, I'm not a HIPAA compliance officer nor do I deal with incident response. I follow orders. Take the computers. Lock them up so NCIS can do forensics on them.

    Word was that someone who was no longer employed there had stolen millions of socials and tried to sell them. Don't know the details though.
    Aaron Brazell
    Technosailor

  5. #30 mcsolas (SitePoint Wizard)
    Quote Originally Posted by Sketch
    2. If the server is colocated or is leased as a dedicated server, you run into sticky situations. You cannot let ANYONE work on that server who isn't authorized to do so, including junkie data center techs. You must know at all times who is accessing that data or who may access that data. I recommend that you setup a server in-house and lock it up.
    That blows plan A out of the water. Maybe we use the dedicated hosting for the initial get go, then work towards bringing all back in-house and locking it up as security gets better at our 'top secret location' safe from the spooks.

    Quote Originally Posted by Sketch
    5. Find another way to refer to patients than social security numbers. Create your own identifiers. Whatever. But SSNs should never be used. Even over SSL.
    We are going to be assigning a 9-digit random number. This is how we are to ID people. Hopefully a random number is still OK with HIPAA.

    The SSN falls into the PHI category. I would like to attempt to list the basics of what would be classified as such information.

    • Health Care Providers
      • Name, SSN, Contact ( email, phone, mobile, fax ... )
      • Banking / account info
      • Practice locations
      • Call Schedules
    • Health Care Consumers
      • Name, SSN, Contact info, Banking... plus:
      • Medical history
      • Visit records (consumer went to the doc on jan 12th, 05)
    Well... hmm, maybe I should start by asking what I don't need to encrypt. Note that since I don't have any background in this, I may have included non-PHI categories in this list.

    http://privacy.med.miami.edu/glossary/xd_hipaa.htm
    - Univ. of Miami has a good outline of hipaa info and links.

    http://irb.ucsd.edu/WhatIsandIsNotPHI.pdf

    I've worked for CMS and Navy Medicine
    CMS = Centers for Medicare & Medicaid Services
    Had to look this one up too. CMS is the work I was doing for them until HIPAA entered my life. (Hey, at least I am good at those.)

  6. #31 oneclicksolution (SitePoint Member)
    Better get some more processors and ram to handle all that encrypting/decrypting you'll be doing!

  7. #32 SitePoint Member (signs as Josh Padnick, Omedix)
    Hi Guys,

    I'm Josh Padnick and I'm the President of Omedix. I noticed that Omedix was mentioned earlier in this thread as a company that was gearing up to offer web hosting specifically for healthcare, and I thought I would comment on our experience trying to set up a service in this space.

    Most of the information mentioned above is accurate. There is no absolute technical mandate on HIPAA; only commonly agreed upon guidelines. That said, 128-bit SSL is required; all "Personal Health Information" about a patient must be stored in the database so that an individual is not identifiable (i.e. hash/encrypt the SSN, first name, last name); the server must have strict controls on who can physically access it; the server must be a dedicated server. I'm not sure if this was mentioned, but all access by anyone to Personal Health Information must also be logged.

    While all these precautions are appropriate and sensible, it creates some interesting business challenges.

    First, we use third party data centers to operate our servers. These data centers have tens of thousands of clients in virtually every industry and can capitalize on the benefits of economy of scale to keep their costs down. As our clients number in the hundreds, managing our own data center would be significantly more expensive.

    Second, providing support is critical for any web hosting service. Offering a Healthcare Hosting service would require us to beef up our customer support infrastructure substantially since we would be dealing with highly sensitive health information. More costs.

    Third, we could only provide server-level security: the physical lock-down; quality database software like MS SQL, SSL certificate, etc. For application-level security, we are limited to providing "guidelines". The problem with this is that, in the event that someone is found to have a HIPAA violation at the application level, we could still find ourselves liable if the legal situation gets out of hand. More costs.

    Fourth, we would need to take out an insurance policy against being held liable for a HIPAA violation. More costs.

    There were other issues, too, but to sum things up, the more we investigated this, the less appealing a business opportunity this appeared. A high-volume data center can lease you a pretty substantial server for $200/month. If you add in everything mentioned above, we'd be looking at maybe $500/month, $600/month? But at that price point, maybe it's better to just spend the time and money upfront to set up your own infrastructure.

    In the end, it's unlikely that we'll enter this space, although the door isn't totally shut yet. I just find it interesting how the regulations are all sensible and appropriate, but that they raise the cost of doing business significantly. I'd be interested to hear what others think on this. Thanks for reading!

    Josh

  8. #33 mcsolas (SitePoint Wizard)
    Thanks for stepping in and clearing things up. I am very impressed and thankful for the level of expertise that has been posted into this thread.

    There is no absolute technical mandate on HIPAA; only commonly agreed upon guidelines.
    This is good to hear, but makes me a little curious as to how one is determined to be in violation of the guidelines.
    That said, 128-bit SSL is required; all "Personal Health Information" about a patient must be stored in the database so that an individual is not identifiable (i.e. hash/encrypt the SSN, first name, last name);
    We are taking these steps to get the SSL and encrypt the data. This area seems to be where there is a clear picture of what needs to be done.

    the server must have strict controls on who can physically access it; the server must be a dedicated server.
    So does this remove the option of having a managed dedicated server?
    I'm not sure if this was mentioned, but all access by anyone to Personal Health Information must also be logged.
    I don't think this was mentioned yet. What needs to be logged? Simply who pulled that information and at what time? Wow! Sounds like a lot to log, practically every query that gets executed then. Please make it stop

  9. #34 davidjmedlock (SitePoint Wizard)
    What needs to be logged? Simply who pulled that information and at what time? Wow! Sounds like a lot to log, practically every query that gets executed then. Please make it stop
    This was a good point. Yes, you need to have a clear log of everything that happens in your application. When they log in, when they view a record, when they change a record and when they delete a record.

    And here's a technical tip:

    Never DELETE a record. Add a column to your tables called "Deleted" or "Void", etc. and default it to 0. When a record is "deleted", mark that as a 1. (It could be a bit field.) That way you always have a record of what happened. This way you never lose information. You can then set up controls where you would backup and purge deleted records on a set timeframe (1 year, 5 years, etc.). That way you can at least try to keep your database trim.
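    Three of the suggestions in this thread fit together in one small data layer: the random 9-digit patient identifier mcsolas plans in #30, the hashed SSN and the per-access logging Josh lists in #32, and davidjmedlock's "never DELETE a record" tip above. The block below is an added example written for this page; it is nobody's code from the thread and uses SQLite with an in-memory database and a constructed placeholder key. The SSN is kept only as an HMAC fingerprint (the "hash" option), which is enough to spot a duplicate registration but can never give the SSN back; an application that has to display the SSN needs encryption instead.

```python
import hashlib, hmac, secrets, sqlite3
from datetime import datetime, timedelta, timezone

# Constructed placeholder key for the SSN hash; load it from a secrets store in practice.
SSN_HASH_KEY = b"placeholder-key-not-for-production"

SCHEMA = """
CREATE TABLE patients (
    patient_id      TEXT PRIMARY KEY,           -- random 9-digit ID, not the SSN
    ssn_fingerprint TEXT UNIQUE NOT NULL,       -- keyed hash of the SSN, lookup only
    display_name    TEXT NOT NULL,
    void            INTEGER NOT NULL DEFAULT 0, -- soft-delete flag: 0 live, 1 voided
    voided_at       TEXT                        -- ISO-8601 UTC time the row was voided
);
CREATE TABLE access_log (
    at         TEXT NOT NULL,
    actor      TEXT NOT NULL,
    action     TEXT NOT NULL,                   -- register / view / void / purge
    patient_id TEXT NOT NULL
);
"""

def _stamp(now):
    return (now or datetime.now(timezone.utc)).isoformat()

def ssn_fingerprint(ssn: str) -> str:
    """HMAC-SHA-256 of the SSN digits. An unkeyed hash of a 9-digit number is
    reversible by hashing all 10**9 candidates, so the hash must be keyed."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return hmac.new(SSN_HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # in-memory for the demo; a file path works too
    conn.executescript(SCHEMA)
    return conn

def log_access(conn, actor, action, patient_id, now=None):
    """Every touch of a patient record is appended here, successful or not."""
    conn.execute(
        "INSERT INTO access_log (at, actor, action, patient_id) VALUES (?, ?, ?, ?)",
        (_stamp(now), actor, action, patient_id),
    )

def new_patient_id(conn) -> str:
    """Unpredictable 9-digit identifier from the OS CSPRNG, retried on collision."""
    while True:
        candidate = f"{secrets.randbelow(10**9):09d}"
        if conn.execute("SELECT 1 FROM patients WHERE patient_id = ?", (candidate,)).fetchone() is None:
            return candidate

def register_patient(conn, actor, ssn, display_name, now=None) -> str:
    pid = new_patient_id(conn)
    conn.execute(
        "INSERT INTO patients (patient_id, ssn_fingerprint, display_name) VALUES (?, ?, ?)",
        (pid, ssn_fingerprint(ssn), display_name),
    )
    log_access(conn, actor, "register", pid, now)
    conn.commit()
    return pid

def view_patient(conn, actor, patient_id, now=None):
    """(patient_id, display_name) for a live row, None if absent or voided; logged either way."""
    log_access(conn, actor, "view", patient_id, now)
    conn.commit()
    return conn.execute(
        "SELECT patient_id, display_name FROM patients WHERE patient_id = ? AND void = 0",
        (patient_id,),
    ).fetchone()

def void_patient(conn, actor, patient_id, now=None) -> bool:
    """Soft delete: flip the flag instead of DELETE so the row and its history survive."""
    cur = conn.execute(
        "UPDATE patients SET void = 1, voided_at = ? WHERE patient_id = ? AND void = 0",
        (_stamp(now), patient_id),
    )
    log_access(conn, actor, "void", patient_id, now)
    conn.commit()
    return cur.rowcount == 1

def purge_voided(conn, actor, retention: timedelta, now=None) -> int:
    """Scheduled hard delete of rows voided longer than `retention` ago; the only DELETE here."""
    cutoff = ((now or datetime.now(timezone.utc)) - retention).isoformat()
    rows = conn.execute("SELECT patient_id FROM patients WHERE void = 1 AND voided_at <= ?", (cutoff,)).fetchall()
    for (pid,) in rows:
        conn.execute("DELETE FROM patients WHERE patient_id = ?", (pid,))
        log_access(conn, actor, "purge", pid, now)
    conn.commit()
    return len(rows)

def access_history(conn, patient_id) -> list:
    """Who touched this record, what they did and when, in log order."""
    return conn.execute(
        "SELECT at, actor, action FROM access_log WHERE patient_id = ? ORDER BY rowid",
        (patient_id,),
    ).fetchall()
```

    Two choices worth noticing: the read is logged before the lookup runs, so an attempt to view a voided or non-existent record leaves a trace too, and the only DELETE statement lives in the scheduled purge, which logs each row it removes. The `now` parameter exists so the retention logic can be exercised with fixed timestamps; production callers leave it unset.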

  10. #35 mcsolas (SitePoint Wizard)
    Quote Originally Posted by Sketch
    2. If the server is colocated or is leased as a dedicated server, you run into sticky situations. You cannot let ANYONE work on that server who isn't authorized to do so, including junkie data center techs. You must know at all times who is accessing that data or who may access that data. I recommend that you setup a server in-house and lock it up.
    This brings up the area of HIPAA compliant hosting. It sounds like having sites / applications that fall under these regulations is a big risk for the risk-averse hosting world. Understandable if the feds like to show up and 'take all the computers'... it would decimate their business instantly.

    However, I am looking at your post regarding junkie data center techs. I was reading my host's policy on those techs being able to access the data and they have very specific guidelines and procedures to keep them from being able to get at this data. At least, they sounded good on paper.

    What type of agreement is needed between a host and a business using their services? I am now on a dedicated server and looking into following up on all the good advice in here. I feel very safe with this host; they have done a superior job for me in years past and they are rocking lately.... I don't want to change, so I would like to learn how to structure things specifically and legally for this situation I am in.
