Doctors and medical professionals are feeling growing pressure to move their practices online (even the use of electronic prescriptions is being pushed). This includes making protected health information available to patients through a web site and collecting the same kind of private information from patients or would-be patients. If doctors can show that they are using digital systems in a meaningful way in their health care practices by 2011, they may be eligible for substantial incentive payments under the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the proposed stimulus package.
However, wherever the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the governing regulation. So, what do its requirements mean, and how can HIPAA be followed in the context of a web site?
What are the HIPAA requirements for a web based EHR / EMR?
HIPAA is an unusual law in that it makes many recommendations (addressable items) and only a few assertions (required items); in the end, each organization must determine for itself what it needs to do to be compliant. This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all protected health information:
Is always encrypted as it is transmitted over the Internet - We serve all traffic over TLS (HTTPS) using a 2048-bit certificate key, which provides 112 bits of security strength and is rated by NIST as acceptable through 2030.
Is not lost, i.e. is backed up and can be recovered - We back up to two locations: one on site and one at a sister facility.
Is only accessible by authorized personnel - We maintain controlled access to the primary systems.
Is not tampered with or altered - We never access patients' data; it is accessed only by the practice's own office personnel.
Is encrypted if it is being stored or archived - We store data in compressed, password-protected archives.
Can be permanently disposed of when no longer needed - We use DoD-level wiping to destroy any data that is no longer needed.
The above are the simplified basic requirements of HIPAA. We also work through the HIPAA security checklist. This is what has made us a certified HIPAA-compliant hosting facility, with HIPAA-security-certified staff.
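The disposal item above is the one a practitioner most often has to demonstrate rather than merely assert. The following is an added example, written for this page and not the hosting facility's own tooling: it overwrites a file containing (constructed) sample patient records with a constant byte, its complement and then random data, forces each pass to the storage device with fsync, renames the file to a random name so the original filename does not survive in the directory, and unlinks it, returning a small record suitable for an audit log. The three-pattern sequence is one common reading of "DoD-level" wiping; the pattern list, the `secure_delete` function and the sample content are this example's own choices, not anything the page specifies.

```python
"""Multi-pass overwrite and removal of a file holding PHI (added example)."""
import os
import secrets
import tempfile

# One overwrite per pattern: constant byte, its complement, then random bytes.
# None means "fill with cryptographically random data". (Example's own choice.)
PATTERNS = (b"\x00", b"\xff", None)


def _overwrite_pass(path: str, pattern, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` in place with `pattern` (or random data).

    Returns the number of bytes written. The data is flushed and fsynced so the
    write reaches the storage device rather than stopping in the page cache.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        f.seek(0)
        while written < size:
            n = min(chunk, size - written)
            block = secrets.token_bytes(n) if pattern is None else pattern * n
            f.write(block)
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def secure_delete(path: str, passes=PATTERNS) -> dict:
    """Overwrite `path` once per pattern, scrub its name, and unlink it.

    The rename to a random name removes the original filename (which may itself
    be identifying, e.g. 'jane-doe-labs.pdf') from the directory entry before
    the unlink. Returns a record with what was done, for the audit trail.
    """
    size = os.path.getsize(path)
    for pattern in passes:
        _overwrite_pass(path, pattern)
    directory = os.path.dirname(os.path.abspath(path))
    scrubbed = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, scrubbed)
    os.remove(scrubbed)
    try:  # persist the directory change as well (POSIX only)
        dfd = os.open(directory, os.O_RDONLY)
        os.fsync(dfd)
        os.close(dfd)
    except OSError:
        pass
    return {
        "original": path,
        "bytes": size,
        "passes": len(passes),
        "removed": not os.path.exists(path) and not os.path.exists(scrubbed),
    }


def demo() -> dict:
    """Create a constructed sample PHI file, prove that an overwrite pass really
    changes the file's bytes, then dispose of it. Returns the checks as a dict."""
    fd, path = tempfile.mkstemp(prefix="phi-")
    with os.fdopen(fd, "wb") as f:
        # Constructed sample record; not real patient data.
        f.write(b"Patient: Jane Doe, DOB 1970-01-01, Dx: J45.909\n" * 200)
    size = os.path.getsize(path)
    written = _overwrite_pass(path, b"\x00")
    with open(path, "rb") as f:
        zeroed = f.read() == b"\x00" * size
    record = secure_delete(path)
    return {"bytes": size, "zero_pass_ok": written == size and zeroed, "record": record}


if __name__ == "__main__":
    print(demo())
```

Two caveats belong next to any overwrite-based disposal claim. First, overwriting the logical file only guarantees destruction on media that writes in place: SSDs with wear levelling, copy-on-write or journalled filesystems, snapshots, and the two backup copies described above can all retain the old blocks, so the reliable approach is to keep PHI on encrypted volumes and destroy the key when the data is retired. Second, the record returned by `secure_delete` is only useful if it is actually written to an audit log that office personnel cannot alter.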