Fundamentals of HIPAA

02Jan 2014

Video Transcription

Thank you for joining me. I’m Gil Vidals and today is the first of a series we’re doing on the VM Racks channel. VM Racks is a hosting provider specializing in HIPAA compliant hosting. Today we’re going to cover the fundamentals of HIPAA – what it means, what it is and why that matters to you. In other videos in the series we’ll be covering the technical aspects of HIPAA and how to implement and really safeguard your data.

Let’s get started. Behind me I have a whiteboard and I will occasionally be drawing on it so that you can see a little bit better what I’m referring to. Right now let’s define HIPAA. HIPAA is H-I-P-A-A. Many people make the mistake when they Google it of typing in HIPPA, but it stands for Health Insurance Portability and Accountability Act. It’s a piece of legislation that was started by two senators, Senators Kennedy and Kassebaum. The law was enacted in 1996. The purpose of the law is to protect patient information. As you can imagine, it’s important to have your health information protected. It’s considered private. Even if you don’t mind telling people your name or what your blood pressure is, that’s okay, but when a person is in the hospital, a procedure is considered personal, private information and the hospital wants to keep that private. That’s what this law did.

In 1996 they enacted the law and it has three parts to it – tier 1, tier 2 and tier 3. Tier 2 is a standard of electronic health care for protected health information. Protected Health Information is PHI. That’s what we call the medical records; some refer to it as ePHI, Electronic Protected Health Information, and yet others call it EHR, Electronic Health Records. All of it means the same thing. I will just be referring to it as PHI and when I do, I’m referring to digital information.

In the digital world on the internet, we don’t print records of patient information. We avoid doing that. We don’t have to worry about storing boxes of paper and protecting the physical paperwork. We just don’t print it. If you are printing it, you must be careful with it and follow proper procedures, but we won’t be covering that today. For HIPAA we have three different safeguards to protect the data. I’m going to write this on the board now.

On the board I have the three safeguards – administrative, physical and technical. The administrative one is the measures that you need in order to protect the data from an administrative point of view. For example, we’re talking about training your staff on being aware of what PHI data is, how to handle it, what to do from their point of view, having a screensaver. That’s the administrative side. On the physical side, it’s common sense. It’s protecting the data physically. When we think about important things that are protected we think about cameras facing the data, we think about locks and keys, we think about security guards, 24/7 surveillance. That’s pretty obvious to people. They think about security, they know what to think about, and you should use your common sense when you’re dealing with HIPAA. Don’t just try to get it all from the legislation and the blogs; just use your common sense. That’s an important key. The third area is the technical, and that’s what we focus on here at VM Racks. The technical side is basically to allow authorized users to access the data and to disallow everybody else. Someone with unauthorized access is known in colloquial terms as a hacker. You don’t want to have your data hacked, you don’t want anyone inadvertently getting in there. That covers the three main tiers.

The next question is who cares? What do I do about this? What does it matter to me? It makes a big difference to have the data protected. If the data were to get out inadvertently then you could be fined. There is a follow-up law after HIPAA called HITECH which basically allowed the government to fine you if you are not protecting the data and it leaks. There have been several cases. There was a case in Florida where a laptop was stolen from a car and the laptop had about 500 medical records that belonged to a medical facility. That business, that facility, was fined about $50,000 for losing only 500 records. You can imagine if they lost a lot more what that fine would look like.

It matters to you. It matters to your pocketbook to make sure the data is protected. It’s not something you need to lose sleep over if you do it correctly. What I recommend you do if you’re entering into this whole HIPAA arena is to be self-educated. Be self-didactic. Look up the HIPAA Survival Guide; go to Google and type in “HIPAA survival guide.” Read through that guide; it’s one of the better ones on the internet. You can read blogs and you can read different manuals if you like about HIPAA.

Also I recommend that you subscribe to a newsletter such as the HIPAA compliance newsletter from Clearwater. Clearwater is a consulting company that has a great newsletter; go to Google and type in “Clearwater compliance HIPAA” and you’ll get the newsletter. I don’t have any vested interest in anything I mention here. These are just things I have found to be useful.

Finally, you can get a consultant. You can hire a consultant like Three Pillars out of Wisconsin that specializes in security and compliance. Keep in mind when you hire a consultant to help you with HIPAA, they’re not going to do the work for you. They’re simply going to instruct you on how you do the work. They will test to make sure the data is secure. They’ll give you reports saying you’ve done well here, you haven’t done so well here, and they would expect you to rectify, or what they call remediate, areas where you’re weak and vulnerable.

Thank you for joining me. This was just an introductory video. Please watch the other ones we have online that go far more in depth and cover other topics on HIPAA compliance and specifically HIPAA hosting.
