HIPAA Computer Regulations
by Alex Burke
When the health industry began to see a rise in the use of electronic media, the government stepped in to assure consumers of the privacy and security of their medical records. The Health Insurance Portability and Accountability Act, known as HIPAA, was the result. The regulations are divided into two areas: privacy and security. HIPAA computer regulations fall under the HIPAA security rules. Health care providers have to follow HIPAA guidelines when transmitting personal health information in electronic format.
Physical Computer Safeguards
Under HIPAA regulations, personnel workstations and electronic media must be protected from unauthorized access. All entities covered by the HIPAA rules are required to write and implement policies and procedures that outline the proper access to and use of all computer equipment. These policies and procedures must be based on an individual risk analysis conducted by the facility's management. A risk analysis includes the detailed identification of all computers, devices and networks; all software, hardware and network systems must be examined. The facility or business in question must document and understand the use of computers and technology in its day-to-day routines and in the overall management of its patient records. Electronic interaction with outside vendors, such as billing companies, laboratories and product suppliers, should be included in the risk analysis.
Technical Computer Safeguards
HIPAA regulations require that a series of technical controls be put into place to protect patient records. These include a written procedure and a software control tool for each of the following: user access, system audit and data integrity. Access control should allow only authorized users to enter and use the computer system. Password and log-in procedures, along with firewall software, can protect the computer from intruders at several levels. Audit software can record computer activity and examine access, or attempted access, to systems and records. Integrity protection against the destruction or damage of electronic records should include a backup and restore software tool. In addition, procedures should cover how to identify records ready for storage and what to do when records have become corrupted within a database.
Unauthorized access to records during transmission from one entity to another is also covered by HIPAA regulations. The risk analysis of each business will dictate its needs for securing transmission using authentication tools on computer workstations and networks. Offices or facilities that do not connect to an outside computer system, but instead use only a local (on-site) network of computers, will arrive at a different solution to transmission security than those with networks that reach into other businesses. Entities falling under the requirements of HIPAA regulations should examine their transmission options with their software and hardware vendors. Information Security Publication number 800-63, entitled "Electronic Authentication Guideline" and produced by the National Institute of Standards and Technology, provides insight into the ways federal agencies design electronic authentication, or e-authentication. It is recommended reading for health care managers handling the implementation of HIPAA regulations.