Securing PHI for Behavioral Healthcare Organizations – A Real World Scenario

by Sam Guiliano, under Healthcare IT

[Comic: government compliance joke]

Our site publishes a large amount of information for medical companies on finding viable HIPAA hosting and infrastructure solutions. The general information we provide meets the needs of many businesses; many professionals, however, also find it easier to get a feel for the process through specific situations.

Our Real World Scenario series serves this function. Through this series, we show actual discussions between our hosting consultants and clients as they get their questions answered about our services. In this installment, a web developer works with our representative to determine the best solution for securing protected health information (PHI) of behavioral healthcare firms within a HIPAA-compliant environment.

The basics: HIPAA, PHI, and behavioral healthcare

Before we look at an individual interaction related to these issues, it will help to establish an understanding of the basic terms we are using.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 safeguards the medical records of patients; its Security Rule specifically addresses records held in electronic form. The three basic categories of organizations that must meet the requirements of the law, the covered entities, are healthcare providers, health plans, and healthcare clearinghouses. Since the HITECH Act of 2009, business associates that create, receive, maintain, or transmit PHI on a covered entity's behalf, such as a hosting provider, are bound by the same Security Rule requirements, which is why hosting PHI comes with a Business Associate Agreement (BAA).

Individually identifiable health information that falls under HIPAA is referred to as protected health information (PHI). PHI includes demographics, medical history, test results, insurance details, and any other identifiable data that healthcare organizations compile from patient records, equipment, and practitioner observation.

HIPAA sets rules on the scope of protected health information that medical organizations may collect, the extent to which it may be shared, and whether it may be used for marketing. Patients have the right to access their PHI and to request correction of errors in it. PHI may not be sold without the patient's authorization, apart from limited exceptions such as public health activities or the sale or merger of an entire healthcare organization.

Behavioral healthcare is a multidisciplinary area of medicine that focuses on the mental and emotional state of the individual. Many people use it synonymously with the terms psychological healthcare or mental healthcare. Practitioners in this field understand the behaviors of a patient – called biobehavioral interactions within the specialty – as indications of the health of a patient’s mind.

HIPAA-Compliant Behavioral Healthcare Solution

The following is the interaction between our hosting consultant and a client in need of an IT environment for their PHI.

Consultant: Tell us about your hosting needs.

Client: I need an architecture for a Windows Forms SQL app for use by a behavioral healthcare company. I have a client with four locations that wants to go this route over the traditional MPLS or hardware VPN combined with a local server.

Consultant: One of our hosting specialties is HIPAA compliance and the protection of PHI. The only way we can create a network of this type is to host the SQL server in our data center. Each location would then be connected to the SQL server through an Encrypted VPN. The hosting platform would be HIPAA compliant, and we would issue a Business Associate Agreement (BAA) for the hosting services.

In order to provide you with a proposal, we require the following information:

  1. How much Total Storage Space do you require for the data?
  2. What version of MSSQL do you require?

Client: We would need a minimum of 20 GB of storage, and the MSSQL could be 2008 or above.

Consultant: The smallest HIPAA-compliant hosting platform that we have available includes 500 GB of storage space. I have attached the formal proposal along with a copy of the Business Associate Agreement for your review. Please submit the SQL license, and we can then load it for you. We are not allowed by Microsoft to resell their licenses; it is also less expensive for you to purchase it outright than to lease it from us. Below are the highlights of the proposal:

1) Windows Server 2008 R2 Standard, 64-bit operating system

2) Dual-core Core i3-3220 processor w/HT, 8 GB of RAM, 500 GB of RAID storage

  • Core i3-3220, 3.3 GHz, dual core w/HT
  • 8 GB of RAM (expandable to 32 GB)
  • 2 x 500 GB SATA 3 Black drives in RAID 1
  • LSI 9240 RAID card
  • 10 TB of monthly data transfer, 100 Mbps port

3) Fully managed hardware firewall with five (5) managed VPNs

4) Intrusion detection system with log monitoring and management

5) Fully managed daily backup

6) 100% uptime SLA

7) 24 x 7 x 365 live technical support by phone / email

8) SSAE 16 SOC 2 data center

9) Anti-virus protection

10) SSL certificate

Client: Excellent. I will get the Business Associate Agreement to my client immediately and be in touch once I hear back from them. Thank you for the assistance.

Consultant: Let us know if you have any additional questions. Have a great day.
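The architecture agreed on above (MSSQL hosted in the data center, each site reaching it over an encrypted VPN, an SSL certificate on the server) still has to be verified on the database itself: a VPN only protects the path to the firewall, and SQL Server will happily accept cleartext TDS sessions unless encryption is enforced. The following T-SQL is an added example and is not part of the original exchange or Atlantic.Net's own tooling. It lists every user connection to the instance and flags any that is not TLS-encrypted or that does not arrive from one of the four site VPN subnets. The subnet prefixes are assumptions chosen for illustration; the query works on SQL Server 2008 and later and needs the VIEW SERVER STATE permission.

```sql
-- Added example, not from the original post or Atlantic.Net's tooling.
-- Lists every user connection to the hosted instance and flags any that
-- is not TLS-encrypted or that does not arrive from one of the site VPN
-- subnets. Works on SQL Server 2008 and later; needs VIEW SERVER STATE.
-- The four subnet prefixes are assumptions for illustration only.

DECLARE @ExpectedVpnSubnets TABLE (prefix varchar(48));
INSERT INTO @ExpectedVpnSubnets (prefix)
VALUES ('10.10.1.'), ('10.10.2.'), ('10.10.3.'), ('10.10.4.');  -- assumed site ranges

SELECT
    c.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.net_transport,
    c.client_net_address,
    c.encrypt_option,              -- 'TRUE' only if the client negotiated TLS
    c.auth_scheme,                 -- SQL, NTLM or KERBEROS
    CASE
        WHEN c.encrypt_option <> 'TRUE' THEN 'UNENCRYPTED'
        WHEN c.net_transport = 'TCP'
         AND NOT EXISTS (SELECT 1
                         FROM @ExpectedVpnSubnets AS v
                         WHERE c.client_net_address LIKE v.prefix + '%')
            THEN 'UNEXPECTED SOURCE'
        ELSE 'OK'
    END AS finding
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1            -- skip SQL Server's own sessions
  AND c.parent_connection_id IS NULL   -- one row per physical connection (MARS sub-sessions excluded)
ORDER BY finding, c.session_id;
```

Any row marked UNENCRYPTED means PHI is crossing the wire in the clear between the firewall and the database. To make that impossible rather than merely visible, install the server certificate and set Force Encryption to Yes under the instance's network protocol properties in SQL Server Configuration Manager, and have the Windows Forms client connect with Encrypt=True and TrustServerCertificate=False in its connection string so that it also validates the certificate. Rows marked UNEXPECTED SOURCE point at either a missing firewall rule or a site address range that was not recorded.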

As the above interaction shows, Atlantic.Net is well prepared to serve those in need of HIPAA-compliant hosting on a reliable cloud server. We have been in business for two decades, with a five-year track record of helping companies meet the requirements of healthcare regulations.

Comic words by Kent Roberts & art by Leena Cruz.