HIPAA, the Health Insurance Portability and Accountability Act of 1996, has probably already had a significant impact on your IT department. The 45 CFR Part 164 security regulations and the April 21, 2005 deadline have broad implications for corporate policies regarding the security and confidentiality of individual health information managed by your IT staff. To meet the federally mandated compliance requirements, organizations must formally evaluate their administrative procedures, networks, and applications against the HIPAA requirements.
Many health-related businesses have been working to achieve compliance over the past few years. They have parts of the compliance model in place but continue to struggle to build a comprehensive, sustainable system. A review of the security standards shows that many of the requirements can be satisfied with accurate documentation of the information held in the configuration data of your infrastructure. Automating the IT infrastructure documentation process, with the right tools, can significantly reduce the cost and time of compliance. This paper is about documenting your IT infrastructure as part of a "best business practice" plan for compliance with the HIPAA security standards.
IT Documentation: How it applies to HIPAA
The inevitable evolution of the information age within the health care industry was secured by the passage of HIPAA (Public Law 104-191). The Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on February 20, 2003. This final rule (45 CFR Part 164) specifies a series of administrative, technical, and physical security procedures for covered entities to assure the confidentiality of electronic protected health information.
These regulations are far-reaching and require due diligence in compliance on the part of all health care providers, health care plans, and health care clearinghouses, which are considered "covered entities" under HIPAA. The security regulations set standards for ensuring a secure, enterprise-wide Information Technology (IT) network on which individually identifiable health information is housed.
Compliance can be viewed as an insurmountable task or as an opportunity to develop enterprise-wide solutions to standardize and simplify health information networks. Although this is not a "technology" law, an integral part of compliance to the privacy standards is compliance with the security standards for electronic health information. The protection of private medical information, as covered by the privacy rules, falls under the security rules. The IT architecture within the Information System (IS) plan of an organization is key to the success and compliance of the business.
Building a security strategy for IT networks protects the privacy of individual health information and avoids potential civil and criminal penalties, while reducing the organization's exposure to security breaches, liability, and possible loss of business reputation. Negative publicity in local and national news compromises a health care organization's standing in the industry and in the public's view.
Organizational policies and procedures need to be enterprise-wide to ensure an effective security plan. Individual departmental policies for the secure and confidential handling of private medical information will not meet compliance with HIPAA. Accrediting agencies look for documentation to prove that policies exist and are followed as written. In accreditation terms: "If it isn't documented, it isn't done."
What is IT documentation?
IT documentation is a written record of all the configuration settings on the components of a network. These components include servers, applications, routers, switches, databases, and more. Documentation is needed because these components are extraordinarily complex, highly configurable, and always changing. Technical staff are often responsible for large numbers of servers and devices, each with a complex collection of settings. IT documentation can provide a central repository of all the relevant information for these settings: their values or options and their impact.
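To make the idea concrete, here is an added example (written for this page; it is not the paper's or any vendor's tool) of what automated IT documentation can look like at its simplest: a collector's output for a handful of components is turned into a timestamped, fingerprinted snapshot, two snapshots are compared to show what changed, and each component is checked against a policy baseline. Every hostname, setting and baseline rule below is constructed for illustration.

```python
"""Added example (not from the original paper): a minimal configuration
snapshot, drift report and baseline check over a constructed inventory.
All hostnames, settings and baseline rules are hypothetical."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: what an automated collector might return for a few
# components on two different days. Real data would come from the devices.
INVENTORY_MONDAY = {
    "ehr-db01": {"type": "database", "settings": {
        "audit_logging": "on", "tls_min_version": "1.2", "remote_root_login": "off"}},
    "core-sw01": {"type": "switch", "settings": {
        "snmp_version": "3", "telnet": "disabled", "ntp_server": "10.0.0.5"}},
}
INVENTORY_FRIDAY = {
    "ehr-db01": {"type": "database", "settings": {
        "audit_logging": "off", "tls_min_version": "1.2", "remote_root_login": "off"}},
    "core-sw01": {"type": "switch", "settings": {
        "snmp_version": "3", "telnet": "enabled", "ntp_server": "10.0.0.5"}},
    "app-web02": {"type": "server", "settings": {"audit_logging": "on"}},
}

# Hypothetical policy baseline: settings the organisation requires per component type.
BASELINE = {
    "database": {"audit_logging": "on", "remote_root_login": "off"},
    "switch": {"telnet": "disabled", "snmp_version": "3"},
    "server": {"audit_logging": "on"},
}

def fingerprint(settings):
    """Stable hash of one component's settings; equal settings give equal hashes
    regardless of key order, so unchanged components can be skipped cheaply."""
    canonical = json.dumps(settings, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()

def snapshot(inventory, taken_at=None):
    """The documented record: every component with its type, settings,
    fingerprint, and the time the snapshot was taken."""
    taken_at = taken_at or datetime.now(timezone.utc).isoformat()
    return {"taken_at": taken_at, "components": {
        name: {"type": c["type"], "settings": dict(c["settings"]),
               "fingerprint": fingerprint(c["settings"])}
        for name, c in inventory.items()}}

def drift(old, new):
    """Compare two snapshots: components added or removed, and per-setting changes."""
    old_c, new_c = old["components"], new["components"]
    report = {"added": sorted(set(new_c) - set(old_c)),
              "removed": sorted(set(old_c) - set(new_c)),
              "changed": {}}
    for name in set(old_c) & set(new_c):
        if old_c[name]["fingerprint"] == new_c[name]["fingerprint"]:
            continue  # nothing changed on this component
        a, b = old_c[name]["settings"], new_c[name]["settings"]
        report["changed"][name] = {k: (a.get(k), b.get(k))
                                   for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
    return report

def baseline_violations(snap, baseline=BASELINE):
    """(component, setting, required, actual) for every setting off the baseline."""
    out = []
    for name, c in sorted(snap["components"].items()):
        for key, required in baseline.get(c["type"], {}).items():
            actual = c["settings"].get(key)
            if actual != required:
                out.append((name, key, required, actual))
    return out

def audit_report(old, new):
    """Plain-text summary an auditor can read: drift since the last snapshot
    plus any current baseline violations."""
    lines = [f"Configuration drift {old['taken_at']} -> {new['taken_at']}"]
    d = drift(old, new)
    lines += [f"  added component: {n}" for n in d["added"]]
    lines += [f"  removed component: {n}" for n in d["removed"]]
    for n, ch in d["changed"].items():
        for k, (was, now) in ch.items():
            lines.append(f"  {n}: {k} changed {was!r} -> {now!r}")
    for n, k, req, act in baseline_violations(new):
        lines.append(f"  BASELINE: {n} {k} is {act!r}, policy requires {req!r}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed timestamps; a scheduled collector would supply real ones.
    print(audit_report(snapshot(INVENTORY_MONDAY, "monday-08:00"),
                       snapshot(INVENTORY_FRIDAY, "friday-08:00")))
```

Run as a script, the report shows the new web server, the audit logging that was switched off on the database, the telnet service that was re-enabled on the switch, and the two resulting baseline violations. The fingerprint is what keeps this cheap at scale: a component whose hash has not changed is never re-examined, so the "always changing" infrastructure the paper describes can be re-documented as often as a scheduler runs the collector.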
IT Documentation General Benefits
A thorough understanding of your existing systems significantly improves your planning and management of the IT infrastructure. This process starts with detailed documentation. Documentation has not always been a priority because it requires time and resources. Most organizations rarely (if ever) document their IT infrastructure because, until now, system documentation could only be done manually: by the time a system was entirely documented, the process had to begin all over again to stay current. Good IT documentation lets you:
- Create "Auditor-Ready" documents on demand
- Detect security vulnerabilities
- Simplify server consolidation and network servers