HIPAA - The Insource Approach
Insource has extensive experience and ongoing responsibility for providing complete onsite IT outsourcing for HIPAA designated covered entities. For these engagements Insource has entered into Business Associate (BA) Agreements with the covered entities pursuant to HIPAA Subpart C, section 164.308(b)(1). In its capacity as the IT department, Insource provides full end-to-end IT management including most of the technical safeguards set forth in the Administrative Simplification provisions of HIPAA.

The final HIPAA rule adopted standards for the security of electronic protected health information (ePHI). These standards are organized into the following three high level categories:

• Administrative safeguards include policies, procedures, and practices that guide security management and information access authorization/revocation, contingency planning and training.
  
• Physical safeguards include protections that minimize physical access to information within buildings, floors, departments, offices, and desks.
  
• Technical safeguards include limiting electronic information access to particular users or user groups, including different levels of software access rights, and tracking access through audit controls.
  

Insource typically participates extensively with clients to establish the policies and procedures required to meet all three HIPAA safeguard standards but in some cases the role is limited because of the nature of the services being provided. This only presents a generalized overview of Insource's security program approach utilized to meet the standards set forth in the technical safeguard provisions of the act.

Insource recommends a multi-layered and multi-vendor best of breed approach to security. Each layer uses a vendor product (either hardware or software) designed to secure that portion of the environment and to restrict access to only authorized users. The idea is to treat the security products as a portfolio and to mitigate risk by diversifying across multiple vendor products. Diversification helps in two significant ways: (1) some vendors respond faster than others when new threats quickly break-out and (2) a best of breed approach can be used to implement the most appropriate and cost effective solutions.

There are several critical areas of all networks that Insource strongly recommends to protect.
The key areas of protection are:

• Public facing access points (i.e. Internet router),
  
• Data transmission (VPN (Virtual Private Network) technology),
  
• email gateway (if email is being used),
  
• Internal routers and firewalls (restrict unauthorized access within the network), and
  
• All desktop computers and servers need to be fully protected with proper patches and current anti-virus solutions.
  

In addition to security processes, there are administrative functions that HIPAA states must be performed to protect data and to restrict authorized users to the appropriate areas while keeping unauthorized users out.

To fulfill these responsibilities Insource uses a set of guidelines for network administration, account maintenance, Active Directory management and data backup and restore procedures. Furthermore, Insource has developed a process to assist in determining that HIPAA standards are in place. These guidelines and processes in conjunction with the Insource on24 program help organizations to stabilize, secure, and ensure regulatory compliance of their IT environments.

For more information about Managed IT Services, watch this informative three-minute movie or Contact Us now.