Connectria provides HIPAA Compliant Hosting for customers in the healthcare and dental industry or anyone who must comply with the HIPAA and HITECH Act security standards surrounding the storage of Protected Health Information (PHI). Our services include:
- HIPAA Cloud Hosting
- HIPAA Managed Hosting (Dedicated Server Hosting)
- HIPAA Hybrid Hosting (a combination of Cloud Hosting and Dedicated Server Hosting)
100% HIPAA Compliant & Business Associates Agreement (BAA) Friendly:
Our world-class data centers and hosting services successfully undergo independent 3rd party HIPAA assessments to demonstrate our 100% HIPAA compliance, allowing our many healthcare and dental customers to satisfy their HIPAA security obligations. Connectria also provides hosting for many SaaS providers requiring HIPAA compliance, as well as organizations looking for HIPAA Compliant Cloud Storage. We are also Business Associates Agreement (BAA) friendly, and routinely enter into Business Associates Agreements with our customers.
2. Agenda
HIPAA Defined
HIPAA Compliance and Non-Compliance
Managed Hosting and HIPAA Compliance
Connectria’s HIPAA Solutions
3. Disclaimer
As you will see throughout this presentation, it is the customer’s sole responsibility to assure that it takes appropriate steps to achieve compliance with its HIPAA obligations.
Connectria makes no representations or warranties of any kind that customers will be HIPAA compliant by solely utilizing Connectria’s services.
4. What is HIPAA?
Health Insurance Portability & Accountability Act
Designed to improve the efficiency and effectiveness of the American health care system
1. Group and individual insurance reform
2. Accountability
3. Administrative Simplification
5. The Broad HIPAA Legislation
HIPAA legislation consists of five titles:
Title I: Health care access, portability and renewability
Title II: Preventing health care fraud and abuse; administrative simplification; medical liability reform
Title III: Tax-related health provisions
Title IV: Application and enforcement of group health plan requirements
Title V: Revenue offsets
6. More on Title II
Administrative Simplification requires:
- Improved efficiencies through standardized EDI (electronic data interchange)
- Privacy and security of health data through standards enforcement
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) extended HIPAA privacy and security requirements as well as increased enforcement
7. Electronic Information and HIPAA
HIPAA applies to all forms of information; however, electronic data raises a distinct set of guidelines, particularly for security.
Protected Health Information (PHI or EPHI) is individually identifiable health information (e.g. name, phone number, email, Social Security number, etc.) that is transmitted by, or maintained in, electronic media or any form or medium.
8. HIPAA Security Safeguards
Administrative
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements
Physical
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
Technical
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
Source: Gartner
9. HIPAA Applies to “Covered Entities”
A Covered Entity is One of the Following:
A Health Care Provider
• Doctors
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing Homes
• Pharmacies
…but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
A Health Plan
• Health insurance companies
• HMOs
• Company health plans
• Government programs that pay for healthcare, such as Medicare, Medicaid, and military and veterans health care programs
A Health Care Clearinghouse
• Entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Source: US Dept of Health and Human Services, HHS.gov
10. Achieving Compliance
Understand the laws and compliance
Seek outside counsel if necessary
The security rule is expressed as a set of standards and implementation specifications, with some flexibility built into the law
STANDARDS
• Are required, must be met, however…
• …can be met in any fashion that is reasonable and appropriate for a given organization
IMPLEMENTATION SPECIFICATIONS
• Are required or addressable (but not optional)
• Organizations must document any addressable specification deemed not reasonable or appropriate
Source: Gartner
11. Potential Cost of Non-Compliance
Civil and criminal penalties for privacy and security violations
HITECH Act strengthened enforcement
Fines up to $25,000 for multiple violations of the same standard in a calendar year
Fines up to $250,000 and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information
13. The HIPAA Solution Misconception
There is no such thing as a HIPAA Compliant Managed Hosting Solution
1. HIPAA Compliance extends well beyond securing electronic data (Titles I-V)
2. Managed Hosting Companies are not “Covered Entities”
3. Managed Hosting Companies can support but not guarantee compliance
14. Connectria’s HIPAA Solutions
Connectria has a HIPAA solution for any type of covered entity
Supports a wide range of mission critical systems including:
- Solutions for healthcare related software companies (e.g. SaaS)
- Packaged and customized HIPAA Solutions
- Extranets/Intranets
- Email environments
- Disaster recovery environments
- e-learning systems
- Electronic Medical Records (EMR) systems
- Patient management systems
- Billing systems
- e-Commerce websites
15. Connectria’s HIPAA Solutions
Administrative
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements
Physical
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
Technical
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
17. For more information
Interested in learning more about Connectria’s HIPAA Solutions?
Call us at: 1-800-781-7820 or 314-587-7000
Email us at: info@connectria.com
Visit us at: www.connectria.com
Editor’s Notes
Thank you for joining Connectria’s on-demand presentation, “Supporting HIPAA Compliance Through Managed Hosting.”
Throughout this presentation, we will provide an overview of Connectria Hosting, including our hosting experience across a wide range of technologies. We’ll also touch upon the strength of word of mouth marketing and how it relates to our Referral Partner Program. Finally, we’ll review our Referral Partner Program along with its benefits and show you how to sign up for the program.
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. Though passed by Congress in 1996, HIPAA was not fully implemented until 2003. Simply put, the intent of HIPAA is to improve the efficiency and effectiveness of the American health care system. Its focus is reforming group and individual insurance so that those who change or lose jobs will retain coverage; it attempts to reduce waste, fraud, and abuse, with penalties and sanctions for those in violation; HIPAA also aims to simplify health care administration by mandating uniform standards surrounding electronic data transactions as well as protecting and securing private health care information.
The overall HIPAA legislation consists of five titles: Title I, "Health care access, portability and renewability," requires that employers and health plans allow a new employee's medical insurance coverage to remain continuous without regard to pre-existing conditions. Title II, "Preventing health care fraud and abuse; administrative simplification; medical liability reform," defines new requirements for privacy and security of individually identifiable patient information. Title III, "Tax-related health provisions," standardizes the amount you can save per person in a pre-tax medical savings account. Title IV, "Application and enforcement of group health plan requirements," broadened information on insurance reform provisions and provides detailed explanations. Title V, "Revenue offsets," consists of regulations on how employers can deduct company-owned life insurance premiums for income tax purposes. Our focus upon HIPAA compliance and managed hosting that supports HIPAA compliance is related specifically to Title II.
The Administrative Simplification section within Title II requires improved efficiency in healthcare delivery by the standardization of electronic data interchange (EDI) and the protection of confidentiality and security of health data through setting and enforcing standards. On February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was signed into law as part of the American Recovery and Reinvestment Act (ARRA), significantly extending certain HIPAA security and privacy requirements as well as setting the stage for increased enforcement.
HIPAA security for protecting health data is divided into three categories, administrative safeguards, physical safeguards and technical safeguards. The administrative safeguards contain 9 standards surrounding the conduct of personnel in relation to the protection of data. Four categories within the physical safeguards are intended to ensure necessary physical measures, policies and procedures are in place that protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards as well as unauthorized access. Finally, technical safeguards are designed to prevent unauthorized access to data that is transmitted over a communications network.
The HIPAA Privacy Rule pertains to three categories of "covered entities": health care providers, health plans, and health care clearinghouses. Health care providers are covered if they transmit health information electronically. Even a doctor in a small practice who keeps only paper records will almost certainly use a billing service that transmits information electronically. In short, it is nearly impossible to provide health care today without using electronic means in some way. As long as information is transmitted electronically, "health care provider" includes your doctors, hospitals, staff involved in your treatment, laboratories, pharmacists, dentists, and many others that provide medical, dental, and mental health care or treatment. In short, a provider is almost anyone in the business of providing health care who is licensed or regulated by the states. Health plan means almost anyone that pays for the cost of medical care. This includes: health insurance companies, HMOs (health maintenance organizations), group health plans sponsored by your employer, Medicare and Medicaid, and virtually any other company or arrangement that pays for your health care. Health care clearinghouses can be any number of organizations that work as a go-between for health care providers and health plans. An example of this would be a billing service that takes information from a doctor and puts it into a standard coded format. Patients rarely deal directly with clearinghouses. An organization may also be what is called a hybrid entity. A hybrid entity provides health care as only part of its business. A large corporation that has a self-insured health plan for its employees is one example of a hybrid entity. Only the portion of the company that processes claims and makes payments to health care providers is subject to the HIPAA Privacy Rule.
Now that you have a better idea of HIPAA laws and their applicability, how does one become compliant? First, become familiar with the body of HIPAA laws, including but not limited to privacy and security. This presentation only provides a cursory introduction to HIPAA compliance. You may wish to seek the advice and counsel of a third party source; there are many consulting companies that provide these services. Given our focus is on the privacy and security of individually identifiable information in electronic form, you should be aware that the security rule is a set of standards and implementation specifications. It should also be known that there is some flexibility built into the law as it pertains to compliance. Each standard must be met; however, the law takes into account that each organization may be different, so it requires compliance that is reasonable and appropriate for your given organization. Implementation specifications may be required or addressable. Note that addressable does not mean optional. If your organization deems a certain specification not reasonable or appropriate, you must clearly document a defensible position.
The cost of non-compliance with HIPAA laws is real. Violation complaints have steadily risen. For those in violation of privacy and security laws, civil and criminal penalties may result. And the introduction of the HITECH Act has strengthened HIPAA enforcement, with fines now ranging up to $250,000 and incarceration up to 10 years for those who knowingly misuse individually identifiable health information.
So what do you do when you want to be HIPAA compliant? Simply outsource compliance to a managed hosting provider? Not quite. There are many misconceptions surrounding Managed Hosting and HIPAA compliance. Perhaps the biggest misconception is that you can become HIPAA compliant solely through outsourcing a HIPAA Compliant Managed Hosting Solution. Despite the claims of many other vendors, you cannot achieve compliance through a managed hosting service alone. As referenced earlier in this presentation, there is much more to HIPAA compliance beyond securing electronic data; this is just one piece of the puzzle. Managed Hosting Companies are not covered entities, and cannot achieve compliance in and of themselves. Managed hosting companies can, however, significantly support efforts to achieve HIPAA compliance. They do so because the very nature of their business adheres to security standards through best practices. Additionally, many hosting companies provide HIPAA specific measures and solutions to better assist in protecting electronic data.
Connectria’s HIPAA solutions may support any covered entity’s requirement for compliance. Our HIPAA solutions support a wide range of mission critical systems including EMR, patient management, billing, ecommerce, email, backup and disaster recovery and more. We also support HIPAA compliance for healthcare related software companies seeking a hosted solution, including Software as a Service platforms. Connectria provides packaged and customized HIPAA solutions to ensure each customer has the right solution for their organization….all at a predictable, fixed monthly price.
No one expects healthcare organizations to be experts in securing electronic data. For instance, not many healthcare organizations can provide their own off-site encrypted backups; that’s where Connectria comes in. Connectria’s HIPAA solutions address almost all elements of the security rule, allowing covered entities to focus upon their business and do what they do best, whether delivering, administering or supporting healthcare.
Thank you for listening to our presentation, “Supporting HIPAA Compliance Through Managed Hosting.” We hope you found it worthwhile. If you are interested in learning more about Connectria, our managed hosting and HIPAA solutions, please call us at 1-800-781-7820 or 314-587-7000. Alternatively, email us at info@connectria.com or visit us at www.connectria.com. We hope to hear from you soon.