When HMOs, health care insurance providers, hospitals, or any other healthcare organizations transfer funds, order tests, or view the status of patient records, it is with over 80% certainty that the data is being transferred using BPIC products such as IBM's WebSphere. Given that any transaction can trigger multiple business processes, even the smallest misconfiguration in the BPIC layer can have severe implications for an organization. To reach acceptable security levels, an organization running this type of messaging BPIC infrastructure must keep information confidential, must prevent information from being modified or inserted without proper authorization, and must assure that messages reliably reach their destination. In addition, the passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, the introduction of the HIPAA Security and Privacy Rules in 2003, and the passage of the HITECH Act as part of the American Recovery and Reinvestment Act of 2009 have made data confidentiality and security compliance for Protected Health Information (PHI) mandatory.
The HIPAA Privacy Rule pertains to all PHI, both paper and electronic, while the HIPAA Security Rule deals specifically with Electronic Protected Health Information (EPHI). The Security Rule lays out three types of safeguards required for compliance: administrative, physical, and technical. For each type, the Rule identifies various security standards, and for each standard it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. In particular, organizations must be diligent in observing Sections 164.302-318, which require strict controls around the use and disclosure of PHI, and Section 164.306(a)(1), which requires ensuring the confidentiality, integrity, and availability of all EPHI the covered entity creates, receives, maintains, or transmits.
At Evans Resource Group, we can help you understand and meet HIPAA security requirements, including the mandatory risk assessment; implementing appropriate BPIC safeguards that assure controlled data access, availability, and confidentiality; and assisting your organization in demonstrating compliance through robust auditing procedures.