HIPAA compliance basics for email and data storage

TC10284

I have a few clients that need to be HIPAA compliant. I know what HIPAA is, but every time I try to find a set of guidelines online, I come up more confused than when I started.

What are some of the basic guidelines for HIPAA compliant email and storing data on workstations, servers, backups, and offsite?

They currently have an Exchange server handling their email. But the owner wants to do away with it and use an external host because the Exchange server is a lot of maintenance, when the company only has a few employees and no full-time IT staff. I also need to help him figure out the best route for backups and some offsite solution. I can do offsite backups for him, and it is encrypted. I just don't know what will/won't meet HIPAA requirements. It scares me away from serving health-related clients. I take security as seriously as I am allowed to by the business owners.
 
I don't know anything about the HIPAA... BUT, I can help you with Exchange hosting. I work for 2 companies. One company owns the other one, so I manage both of them. I'm the in-house IT. One of them has been using USA.NET for their Exchange hosting. Awesome company, great customer service, no issues whatsoever. The only downside is their price. It's like $16.95 per user per month for only 250 MB of storage. Not a lot of space!! We have just been archiving the users' emails pretty often to get the emails off of the server. Also, if you want BlackBerry support it's an extra like $5.00 a month.

The other company I manage... we have an in-house Novell GroupWise server... it's been a real pain in the ass to support this thing and keep it up and running. Sometimes it abends... sometimes not... Anyway, long story short: we've been having the discussions of moving to Exchange. At first it was all about hosting it ourselves, maybe even move the other company off of USA.net and onto another in-house Exchange server.

Then we stumbled on to Microsoft's hosted Exchange solution. Yes, Microsoft themselves have their own Exchange service... AND... it's only $5.00 per user per month... and that gives you 25 GB of storage!!! ActiveSync is free. BlackBerry use costs $10.00 extra per user per month, which makes no sense, but I'm sure it's just the BB license fees. So, when we do this, we will probably move away from BlackBerrys, just because of the license fees, and frankly the hardware sucks. We just bought a user an iPhone as a test, and so far so good. So we might move to iPhones or Droids when we switch Exchange providers.

Good luck man, I hope all of this helps.
 
Thanks for your info! I appreciate it a lot.

Does anyone have any HIPAA info?
 
Under HIPAA, organizations must ensure that email messages containing protected health information are secured, even when transmitted via unencrypted links, that senders and recipients are properly verified (technically, HIPAA’s “person or entity authentication” standard applies only to “a person seeking access to electronic protected health information,” not to the sender of that information) and authenticated, and that email servers and the messages they contain are protected. In other words, HIPAA affects both information in transit, and information at rest; lock your information down as much as possible.

Much like Sarbanes-Oxley, there are no specific references to particular technologies used to implement these rules. Rather, the rules can be seen as an attempt to mandate best practices of information security. There is a broad consensus in the IT community that technical approaches such as authentication, encryption, content filtering, hardened message server software, and archiving, as well as anti-spam and anti-virus technology, are appropriate means for meeting HIPAA requirements. This remains a dynamic area however, and the Centers for Medicare and Medicaid Services (CMS) announced its intent to issue additional guidance on this issue, but I don't have more information in this area.

To sum up: any email that is not for the eyes of the sender and receiver should not have access. Much like every other company out there. Encryption, authentication, and the sort are required; server hardening, AV/AS, firewall, and limits on unsecured links must be done. If you don't comply with this, your organization can be fined between $10,000 and $250,000 for every single email communication.

Hope that helps.
 
every time I try to find a set of guidelines online, I come up more confused than when I started.

I was in the same boat in college during a project. We were tasked with setting up a network for a hospital and it had to meet HIPAA standards. Searching the internet gave nothing concrete, only incredibly vague guidelines. Luckily I don't think the professors knew much about it either, because it was never an issue.

So you're not alone when it comes to this.
 
Remember the laws for these guidelines are written by the same people who write the IRS tax laws...
 
I've not found much, if anything, as far as minimum guidelines or "you must do THIS"

I've been told it's mostly a matter of "Have you taken reasonable measures to protect..."
 
Well that's scary. Basically one of those $10k fines would bankrupt my business.
 
Look here for the requirements.
http://www.hipaasurvivalguide.com/hipaa-regulations/164-312.php

There are no hard and fast rules. It will say "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."
i.e., make sure each user has unique login credentials with password requirements that have reasonable complexity, expiration, history, etc.

If you need something more specific let me know.
 
What he said. All they want you to have is a backup of the emails, security in place, and maintain a proper, secure connection between the patient and the doctor with nobody in-between.

Just encrypt the connection, keep a backup in a secure place (encrypt that as well), and keep the server secured with proper settings, updates, and an anti-virus. Essentially, follow IT protocols for any and all businesses.

BTW, MS hosted Exchange is HIPAA compliant when you use their encryption.
http://www.microsoft.com/online/exchange-email-encryption.aspx

This too is a good solution, and the prices aren't bad, especially for a small office.
 
For HIPAA compliance I would recommend looking into HITRUST. It does cost money to get access but they have taken all the different healthcare regulations and created a common framework for compliance and include specific controls.

HITRUST probably doesn't make sense if you're a small shop and only have a few healthcare clients but perhaps you could get them to help pay to ensure everyone is fully compliant.
 
HITRUST is a good framework to follow but is very broad.
It's kind of like COBIT but healthcare specific.

If you just had to do SOX compliance, you probably would go through with COBIT because it's just too much that isn't really necessary.
 
Basically HIPAA comes down to protecting PHI/PII from anyone who doesn't NEED to access it. Even if it's someone internal, and they don't have a legitimate reason for accessing the data. Also, just hope Medicare/Medicaid isn't involved, because if it is, there are even more restrictions involved.

My company does whole hard drive encryption on all laptops, and access to each system is granted on an individual basis and is reviewed periodically and revoked if not needed. This is just a small sampling of what we do, but it should give you the basic idea.

A breach of PHI/PII is a big deal, and depending on how it happens individuals can be held personally accountable/liable for it now.
 
So what I am thinking is folder encryption (TrueCrypt) and storing any private data in the encrypted folder/partition. My only question is how will this play with backup programs that run automatically? What about shared folders?

Also, for email, I am thinking SSL encryption on both POP3/IMAP and SMTP connections. Does it make a big difference of outside email hosting? How do you make a backup of all emails if the email service is hosted outside? Just backup the email on the client machines?

Close any unnecessary ports on the firewall.

Lock down the server as much as possible.

Implement password changing policies and complexity requirements.

Keep all client computers updated with patches/updates/AV/antimalware. Full disk encryption for each client computer?

Make all employees store data on the server.

Am I missing anything?
 
TBH, look at PCI compliance.
It's fairly straightforward and explicit. Just substitute healthcare data for PI and you should be more than covered.
 