- What is HIPAA and what does it mean to be compliant?
- HIPAA compliance from a business requirements perspective
- HIPAA compliance from a technical requirements perspective
- How can CASO help keep you in compliance?
CASO & HIPAA COMPLIANCE
What is HIPAA and what does it mean to be compliant to this standard?
HIPAA stands for Health Insurance Portability and Accountability Act. It is
designed to standardize the industry on specific code sets and formats. Insurance
payers, clearinghouses, and billing services have been spending enormous amounts
of time and money to implement this regulation. The enforcement is handled by
the Department of Health and Human Services Office of Civil Rights and is meant
to be self-funding via the fines levied. In addition to standardizing the code
sets and electronic frameworks, the law also established a minimum requirement
for the protection and privacy of Personal Health Information (PHI). The specific
parts of the regulation related to PHI include:
- Regulation: §164.530 (c) Administrative Safeguard of PHI
- Regulation: §164.530 (c) Technical Safeguards of PHI
- Regulation: §164.530 (c) Physical Safeguards for PHI
- Regulation: §164.530 (i) Policies and Procedures
- 42 U.S.C. §1320d-2(d)(2) requires entities that maintain or transmit health information to “maintain reasonable and appropriate administrative, technical, and physical safeguards”
By 2005, the law will also require that covered entities have Backup, Disaster Recovery and Media Controls in effect:
- Regulation: §164.308 Disaster and Recovery Contingency Plans
- Regulation: §164.308 Media Controls
Since every medical practice that files electronically must comply with
these regulations or face fines of up to $25,000, the need for CASO products
can be readily seen. Large hospitals, clinics and even single-clinician
offices will all be required to provide safeguards and security for the PHI
in their care.
How does CASO’s software address compliance from a business requirements perspective?
Our Document Management and Disaster Recovery solutions meet or
exceed the needs of HIPAA, for both security and recoverability in the case
of disaster.
CASO’s use of Legato’s ApplicationXtender suite, combined with DiskXtender 2000, meets or exceeds many healthcare organizations’ needs for the image-enabled aspects of records management compliance under HIPAA. These solutions, configured appropriately, are broadly used to meet practical content management demands within the medical industry (references are available). In addition, many customers are using the ApplicationXtender suite to address HIPAA compliance.
CASO’s system provides comprehensive backup and recovery in heterogeneous
environments, including Windows, UNIX, Linux and OpenVMS. Our solutions provide
complete, online protection for multiple database systems, including Oracle,
DB2, MS SQL Server, and Informix. Thus, CASO can provide support for your organization’s
disaster recovery plan in accordance with HIPAA.
How does CASO address HIPAA from a technical requirements perspective?
The following statements describe CASO’s ability to address requirements included within the HIPAA specification.
Audit trails:
CASO’s use of the Legato Content Management suite is ODMA compliant, a software industry standard, and enables comprehensive audit trails to be established for user management, access management and system monitoring functions for content capture and modification. To gain compliance, the Audit Trails functionality must be enabled. The audit trails keep the information and parameters in logs, which must then be used to create the compliance reports for HIPAA. To generate these reports, an industry-standard reporting package (such as Crystal Reports) must be obtained to produce the required documents based on the data tracked through the LEGATO audit trails. Please refer to our comprehensive documentation for specific audit trail functionality. Additional audit functionality and reporting can be gained through our Professional Services.
Security Access:
CASO’s Online Document Access (ODA) System offers multiple levels of security. ODA’s security offers encrypted connections for both network and web-based user session initiations. Where appropriate, secure sockets and other industry-standard technologies are implemented. ODA provides for the granting of system access to users and to defined user groups; administrators or “super users” can also be defined. In addition to system-level access security, ODA offers Application, Functional and Document security.
1. System Security: Two alternative security models are
offered for user management regarding access control and user/group privileges
for system functions – Legato Proprietary and deferral to
NT/Win2000 security. Customized security deferral to alternate security
protocols, such as Oracle, can be implemented by Professional Services.
2. Application Level Security: This enables users and user
groups to be granted access to only subsets of content based on the applications
(libraries) defined within the system. Users and groups can only access
the information contained within the applications to which they have rights.
3. Functional Security: This refers to security surrounding
the functions that specific users or user groups can perform. Over
37 defined privilege parameters, such as add, delete, annotate and modify,
are defined and administered within the Content Management system. The
privileges can be structured and held within the constraints needed to meet HIPAA
compliance.
4. Document level security (DLS): Document level security
provides an additional level of security at the individual document level
within an application (library). Users and user groups can be inclusively
or exclusively defined at the document level so that even with other privileges,
specific content can either be presented or excluded based on the parameters
established.
5. Additional Security or encryption functionality can be gained through
integration or through our Professional Services if required.
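As an added illustration (not CASO or Legato code), the Python model below shows how the application, functional and document-level layers described above combine into a single access decision, with a super user bypassing the lower layers; the class names, the "include"/"exclude" rule encoding and the sample users and library are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    super_user: bool = False   # administrator: bypasses the lower layers

@dataclass
class Application:
    """One library: who may enter it, what each principal may do, per-document rules."""
    name: str
    members: set                          # users and groups granted access
    privileges: dict                      # principal -> set of functions
    dls: dict = field(default_factory=dict)   # doc id -> ("include"|"exclude", principals)

def principals(user):
    return {user.name} | user.groups

def can(user, app, action, doc_id):
    """Layered check: system -> application -> functional -> document level."""
    if user.super_user:
        return True
    ps = principals(user)
    if not (ps & app.members):            # application level: member of the library?
        return False
    granted = set().union(*(app.privileges.get(p, set()) for p in ps))
    if action not in granted:             # functional level: privilege granted?
        return False
    rule = app.dls.get(doc_id)            # document level: inclusive or exclusive list
    if rule is None:
        return True
    mode, listed = rule
    hit = bool(ps & listed)
    return hit if mode == "include" else not hit

# Constructed sample data (hypothetical, not a real deployment).
CLINIC = Application(
    name="Patient Charts",
    members={"clinicians", "billing"},
    privileges={"clinicians": {"view", "add", "annotate", "modify"},
                "billing": {"view"}},
    dls={"chart-001": ("exclude", {"billing"}),      # billing may not see this chart
         "chart-002": ("include", {"dr_lee"})},     # only dr_lee may see this chart
)
DR_LEE = User("dr_lee", {"clinicians"})
DR_KIM = User("dr_kim", {"clinicians"})
CLERK = User("clerk", {"billing"})
ADMIN = User("admin", super_user=True)
```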
Data Retention:
HIPAA requirements for information/data/records/image retention within the records management solution are specific. CASO’s use of DiskXtender’s standard functionality, implemented as the storage and archival component for ApplicationXtender, meets these requirements fully.
Backup and Disaster Recovery:
As outlined above, by 2005, healthcare organizations will be required to have
disaster recovery and contingency plans in place. A solid backup and recovery
strategy is a key component of disaster recovery, which can be addressed
by CASO. More extensive disaster recovery plans might include remote mirroring,
off-line media management or vaulting.
How can CASO help keep you in compliance?
Our opportunity to serve the healthcare industry is multifold.
CASO provides enterprise and individual office-level disaster recovery services for HIPAA compliance, because CASO products are both scalable and easy to maintain. Many healthcare offices have only rudimentary, heterogeneous or outdated IS environments. In such settings, CASO software supports compliance and provides a pathway to the future.
- CASO software supports HIPAA compliance reporting for the security, privacy and access of patient information, and thus can be an ideal solution for healthcare organizations of any size – from clinics to integrated care delivery networks. Add-on capabilities provided by partners can streamline compliance reporting.
- Hospitals, healthcare industry service providers and others that are implementing HIPAA compliant records management solutions still have the need for organized Content Management for the portions of their operations that are not affected by the HIPAA compliance requirements, such as materials management, receivables, human resources and other operational functions. Implementation of CASO’s Solutions in these areas can provide direct benefit to the healthcare organization’s bottom line.