Archival note: Although information contained in OIT Newsletter articles was current at the time of publication, some details may no longer reflect the present state of technology and the Office of Information Technology.
March, 2005 | Information Technology Newsletter
HIPAA Compliance

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, is a piece of federal law that affects the way health care information is shared and stored. HIPAA is the first federal legislation to address private health care information. Before HIPAA, the systems used in Minnesota could be radically different from the ones used in California or even South Dakota. The policies contained in HIPAA are aimed at standardizing the way health care information is stored and shared. In order to do this, the information needs to be secure, and it needs to maintain its integrity. This article looks at the steps that must be taken at the University to ensure the privacy and security of health care information.

Private health care information at the U

The number of places at the University where private health care information pops up can almost boggle the mind. For starters, almost 35,000 University employees and dependents are insured under the UPlan Medical Program. The University also shares network resources with several health care facilities, including Boynton Health Services, University of Minnesota Physicians, and Fairview University Medical Center. Health care information is also kept by many University scientists, who compile it in the course of their research. Private information can even show up in unexpected places, such as the Music Therapy program in the College of Liberal Arts.

Some people see HIPAA as another layer of regulations designed to make their jobs harder. But Ross Janssen, the HIPAA Privacy and Security Officer at the Academic Health Center, says most people realize the importance of the rules. He adds that everyone needs to understand that patients have a right to know that their health care information will be handled properly at the University.

HIPAA is the law

That said, HIPAA is also the law, and there can be stiff penalties for not following it. So it is important that University employees understand what they need to do to comply with it.

Training and the myU portal

You probably already know if you have to comply with HIPAA. The University has been working to identify which departments have protected health information (PHI), and most of the employees who need to have already gone through the training course. That training material is being distributed through the myU portal: https://www.myu.umn.edu. If you think you may be covered, but this is the first you've heard about HIPAA, you can find your privacy coordinator at http://www.privacysecurity.umn.edu.

If you do need to go through the training, you will find that it is relatively short and painless. Much of the training material can be applied to keeping all of the information on your computer more private and secure. And when it comes down to it, your computer is the part of the system that you are responsible for.

Securing a staff computer

Network and Telecommunications Services will be installing network firewalls and other features to help secure the campus network, but each individual computer on the network also must follow a set of security policies. Users also need to have a better understanding of the technology they are using and how secure it is, especially when dealing with protected health information. You can find more information on how to secure your computer by selecting Secure a Staff Computer at http://www.safecomputing.umn.edu.

One of the simplest and most effective things users can do to keep information secure is to access only the information they need and no more. Also, if you deal with any kind of health care information, think about whether it might be affected by HIPAA. The security standards in HIPAA address any technology that creates, stores, or maintains electronic private health care information. So, any time you are considering a new tool for your job (for example, new USB flash drives to store and share medical images), you may want to contact your privacy coordinator.

All in all, complying with HIPAA probably will make your job a little more complicated. But Ken Hanna with OIT Security says most of the measures come down to common sense. None of them are designed to make it impossible to get work done, and all of them will help employees and patients know that private health care data is being properly secured.

Compliant by April 21, 2005

The big day for HIPAA compliance is April 21, 2005. Ross Janssen says that's the day that HIPAA compliance begins, not the day that all of this work and preparation is done. There will be continuous auditing and monitoring built in to the HIPAA standards and policies at the University. These processes will also help ensure that security standards keep up with developing technology.

Janssen says that by and large, the transition to HIPAA compliance has gone smoothly and on time. He adds that most people recognize the importance of keeping private data secure and are willing to do what needs to be done to make that happen.

Joshua Welsh, Network and Telecommunications Services (NTS)
Page: http://www.umn.edu/oit/newsletter/05/0305_itn/hippa.html |