HIPAAnotes Volume One, Numbers 15-17
No. 15 (2/6/01): TechTerm: Privacy in Public: VPNs
Many covered entities will want secure network communications.
Building your own private network to connect geographically dispersed
members is obviously cost-prohibitive. A Virtual Private Network
(VPN) allows you to use the Internet in a "secure" mode.
A VPN is defined more by what it does than by what it is. What a VPN
does is simulate a dedicated network over an open network. VPNs
ensure that only authorized users can access the network and that
data crossing the open network cannot be read if it is intercepted.
Security features differ from product to product, but most VPNs
include encryption, strong authentication of remote users or hosts,
and a way to hide the VPN from potential attackers.
Despite the large (and rapidly expanding) number of VPN products,
all fall into three broad categories: hardware-based systems, firewall-based
VPNs and standalone VPN application packages. What solution will
work best for your organization will be determined by your risks,
needs, vulnerabilities and budget.
For more information on security technology, go to: http://www.hipaadvisory.com/tech/
No. 16 (2/21/01):
HIPAAterm: Consents & Authorizations
Patients are often required to sign a "release" allowing the provider
to use their health information. Under HIPAA, releases will take
on two distinct forms: consents and authorizations.
A "consent" must be obtained for treatment, payment and healthcare
operations. Consents are general in nature. Providers are permitted
to refuse care for those who do not consent.
An "authorization" must be obtained before using individually identifiable
health information for any purpose other than treatment, payment
or healthcare operations. Authorizations are specific in nature.
Providers are not permitted to refuse care for those who do not
authorize.
While providers will be dealing with consents, all covered entities
must examine their business practices to see if authorizations will
be required. In particular, many marketing efforts will require
prior authorization from the people they are focused on.
No. 17 (2/27/01):
HIPAAdetail: Training on Policies
HIPAA not only requires technology changes, but implementation
of new documented policies and procedures as well. All members of
a covered entity's work force are required to be trained on these
policies.
The training for all current members must be completed by the date
of compliance. Employees hired after the required compliance date
must be trained within a "reasonable" amount of time.
It's often said that nothing's complete until the paperwork is
done, and the same is true for training. Since HIPAA compliance
requires training, entities must document that this training has
taken place.
Some may remember that the Proposed Privacy rule mandated initial
training certificates and triannual updates. Since the Final Rule
eliminated such specific requirements, covered entities now have
the leeway to determine for themselves how best to demonstrate their
training programs.
For more information on the Privacy rule, go to: http://www.hipaadvisory.com/action/privacy