Connectria Hosting- HIPAA Compliant Hosting Services

Supporting HIPAA Compliance Through Managed Hosting

description

Connectria provides HIPAA Compliant Hosting for customers in the healthcare and dental industry or anyone who must comply with the HIPAA and HITECH Act security standards surrounding the storage of Protected Health Information (PHI). Our services include:

- HIPAA Cloud Hosting
- HIPAA Managed Hosting (Dedicated Server Hosting)
- HIPAA Hybrid Hosting (a combination of Cloud Hosting and Dedicated Server Hosting)

100% HIPAA Compliant & Business Associates Agreement (BAA) Friendly: Our world-class data centers and hosting services successfully undergo independent 3rd party HIPAA assessments to demonstrate our 100% HIPAA compliance, allowing our many healthcare and dental customers to satisfy their HIPAA security obligations. Connectria also provides hosting for many SaaS providers requiring HIPAA compliance, as well as organizations looking for HIPAA Compliant Cloud Storage. We are also Business Associates Agreement (BAA) friendly, and routinely enter into Business Associates Agreements with our customers.

Transcript of Connectria Hosting- HIPAA Compliant Hosting Services

Page 1: Connectria Hosting- HIPAA Compliant Hosting Services

Supporting HIPAA Compliance Through Managed Hosting

Page 2: Connectria Hosting- HIPAA Compliant Hosting Services

Agenda

HIPAA Defined

HIPAA Compliance and Non-Compliance

Managed Hosting and HIPAA Compliance

Connectria’s HIPAA Solutions


Page 3: Connectria Hosting- HIPAA Compliant Hosting Services

Disclaimer

As you will see throughout this presentation, it is the customer’s sole responsibility to assure that it takes appropriate steps to achieve compliance with its HIPAA obligations.

Connectria makes no representations or warranties of any kind that customers will be HIPAA compliant by solely utilizing Connectria’s services.


Page 4: Connectria Hosting- HIPAA Compliant Hosting Services

What is HIPAA?

Health Insurance Portability & Accountability Act

Designed to improve the efficiency and effectiveness of the American health care system

1. Group and individual insurance reform

2. Accountability

3. Administrative Simplification


Page 5: Connectria Hosting- HIPAA Compliant Hosting Services

The Broad HIPAA Legislation

HIPAA legislation consists of five titles:

Title I Health care access, portability and renewability

Title II Preventing health care fraud and abuse; administrative simplification; medical liability reform

Title III Tax-related health provisions

Title IV Application and enforcement of group health plan requirements

Title V Revenue offsets


Page 6: Connectria Hosting- HIPAA Compliant Hosting Services

More on Title II

Administrative Simplification requires:

• Improved efficiencies through standardized EDI (electronic data interchange)
• Privacy and security of health data through standards enforcement

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) extended HIPAA privacy and security requirements as well as increased enforcement


Page 7: Connectria Hosting- HIPAA Compliant Hosting Services

Electronic Information and HIPAA

HIPAA applies to all forms of information; however, electronic data raises a distinct set of guidelines, particularly for security

Protected Health Information (PHI or EPHI) is individually identifiable health information (e.g., name, phone #, email, SS#, etc.) that is transmitted by, or maintained in, electronic media or any form or medium

Page 8: Connectria Hosting- HIPAA Compliant Hosting Services

HIPAA Security Safeguards

Administrative
• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other Arrangements

Physical
• Facility Access Controls
• Workstation Use
• Workstation Security
• Device and Media Controls

Technical
• Access Control
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security

Source: Gartner

Page 9: Connectria Hosting- HIPAA Compliant Hosting Services

HIPAA Applies to “Covered Entities”

A Covered Entity is One of the Following:

A Health Care Provider
• Doctors
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing Homes
• Pharmacies

…but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A Health Plan
• Health insurance companies
• HMOs
• Company health plans
• Government programs that pay for healthcare, such as Medicare, Medicaid, and military and veterans health care programs

A Health Care Clearinghouse
• Entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Source: US Dept of Health and Human Services, HHS.gov

Page 10: Connectria Hosting- HIPAA Compliant Hosting Services

Achieving Compliance

Understand the laws and compliance

Seek outside counsel if necessary

The security rule is expressed as a set of standards and implementation specifications, with some flexibility built into the law

STANDARDS
• Are required, must be met, however…
• …can be met in any fashion that is reasonable and appropriate for a given organization

IMPLEMENTATION SPECIFICATIONS
• Are required or addressable (but not optional)
• Organizations must document any addressable specification deemed not reasonable or appropriate

Source: Gartner


Page 11: Connectria Hosting- HIPAA Compliant Hosting Services

Potential Cost of Non-Compliance

Civil and criminal penalties for privacy and security violations

HITECH Act strengthened enforcement

Fines up to $25,000 for multiple violations of the same standard in a calendar year

Fines up to $250,000 and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information


Page 12: Connectria Hosting- HIPAA Compliant Hosting Services

Breaches and Penalties are Real


Page 13: Connectria Hosting- HIPAA Compliant Hosting Services

The HIPAA Solution Misconception

There is no such thing as a HIPAA Compliant Managed Hosting Solution

1. HIPAA Compliance extends well beyond securing electronic data (Titles I-V)
2. Managed Hosting Companies are not “Covered Entities”
3. Managed Hosting Companies can support but not guarantee compliance


Page 14: Connectria Hosting- HIPAA Compliant Hosting Services

Connectria’s HIPAA Solutions

Connectria has a HIPAA solution for any type of covered entity

Supports a wide range of mission critical systems including:
• Electronic Medical Records (EMR) systems
• Patient management systems
• Billing systems, e-Commerce websites
• Extranets/Intranets
• Email environments
• Disaster recovery environments
• e-learning systems

Solutions for healthcare related software companies (e.g. SaaS)

Packaged and customized HIPAA Solutions


Page 15: Connectria Hosting- HIPAA Compliant Hosting Services

Connectria’s HIPAA Solutions

Administrative
• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other Arrangements

Physical
• Facility Access Controls
• Workstation Use
• Workstation Security
• Device and Media Controls

Technical
• Access Control
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security

Page 16: Connectria Hosting- HIPAA Compliant Hosting Services

A Few of Our Customers…


Page 17: Connectria Hosting- HIPAA Compliant Hosting Services

For more information

Interested in learning more about Connectria’s HIPAA Solutions?

Call us at: 1-800-781-7820 or 314-587-7000

Email us at: [email protected]

Visit us at: www.connectria.com
