Medical IT folks: HIPAA and VPN?

Since there is a wealth of experience here, and a paucity of medical administration message boards, I thought this might be the place to start my search for “the truth” and “the answer”.

We have a problem in that we have one server and two sites, plus I often (used to, anyway) work at home. This means that patient information - demographics, dx codes, etc. - is going over the internet. Our software/hardware vendor has notified us that we can no longer access the server from remote sites. We instead need to buy a server for each physical site that houses personnel that need access to the billing system. Of course, a server costs $40,000, plus that would eliminate my ability to work at home.

But it seems to me that VPN would solve the problem. Is this not correct? Our server is Unix and all the PCs that would be used to access the server are Windows, all XP except mine at home which is 98SE.

I know there MUST be a solution with all the remote accessing that needs to be done in the healthcare field.

If anyone knows for a fact this is possible, please provide any credible cites because my boss, being a middle-eastern male, will not just take the word of me, a white female. I need proof from an “official”.

Also, since we do not have an IT dept (we contract out to an idiot who knows nothing about medical, HIPAA, or for that matter, anything technical!), how easy/complicated is it to set up a VPN? I have tried Googling it but only came up with sites that had something to sell. Which is fine if that’s necessary, but if not I would like to be pointed in the direction of how to learn how to set up a VPN.

Please note I am not talking about our electronic claims - I am only referring to our telnet access to the server from off-site PCs.

I just can’t help but think our vendor is trying to pull a fast one on us. Plus, I was this close to proposing to my boss that I be able to work from home full-time. So I must solve this problem!

I sure hope there are enough IT personnel in the healthcare field out there to help me with this!

Maybe this would help?

http://www.google.com/search?q=cache:DwS98_7juNIJ:www.blueridgenetworks.com/pdfs/HIPAACompliance.pdf+%2BVPN+%2BHIPAA&hl=en&ie=UTF-8

It seems to indicate VPNs would be more than adequate for HIPAA compliance.

Sorry, no cite, but I can say that we use a VPN for that very purpose. In fact, we had to install a dedicated one for teleradiology. Those big image files were slowing down everyone else’s access.

Google HIPAA and VPN. It turned up good hits for me. I could copy and paste them in here, but then again so could you.
Here’s what I recommend though… don’t do a VPN. Instead, just have a dial-up modem installed at the workplace which will allow only people with approved passwords in, and then once you’re connected, just telnet in to the Unix server in question.
The phone company appears to be implicitly trusted based on the fact that HIPAA doesn’t stop me from having sensitive discussions with my doctor over the phone.
If you were to have a PC at your desk with a modem and access to an analog line (meaning a REAL phone line, not a PBX), and the right software (along with company permission) you should be able to accomplish what I discussed in the last paragraph.
It would take me perhaps 3 hours to implement that, the first time, and the second time I did it I’d probably be able to do it in 10 minutes.
If you do want to go the VPN route though, you’ll want to get together with your technical person and discuss adding VPN functionality to your company’s internet routing setup (if it isn’t there already) and then installing VPN client software to the home PC you’ll be using.
Depending on vendors and equipment, this may cost you anywhere from $300 up… using certain open-source packages, it would actually be free to do, but clueless sysadmins such as the one you describe would be afraid to do that.
It appears based on the sites which I found through googling HIPAA and VPN that the whole concept of VPNing into a network that stores Private Medical Info (or whatever the jargon is) is in fact perfectly valid.
Good luck!

Would something like using SSH to access the UNIX box work? What is this issue here, encryption of the connection or encryption of the data within the (possibly encrypted) connection?

See if something like http://www.openssh.com/ would help.

I can’t speak to the technical aspects of the solutions others have suggested, but as an expert in the HIPAA legislation, I can tell you that the HIPAA security rule regarding transfer of protected health information IS satisfied through use of a VPN from everything I’ve read, and that is what we recommend for remote users in our consulting when this issue comes up.

The best site I know for HIPAA information is a rival vendor’s (Phoenix Health Systems) but they have a great reference section on the regulations in my opinion:

www.hipaadvisory.com

Check out the ‘regs’ section and search for ‘VPN’. I’m sure you’ll find lots of proof for your boss there.

I work for a claims clearinghouse in Montana, and we have our own VPN that we transact most of our business through. V-One set up our VPN and with Smartpass software installed on our clients’ PCs, they can safely xmit claims and pick up reports over an internet connection without a problem.

RSA has a new “secret-splitting” technology called Nightingale that will be well-suited for HIPAA purposes, but for now, it’s just a “developer’s toolkit” item and not a shipping product.

More info on strategies for complying with the final HIPAA Security Rule.

I’m also in the network security end of things by trade (my ‘www’ link below is to my company). And we have many customers in the healthcare field as clients as part of HIPAA compliance. And I’m one of the early patent holders on VPN itself.

a) a properly set-up VPN will make access to the system safe (per HIPAA compliance) for any sort of traffic, including telnet. Of course, you’ll need to make sure that your home site is safe as well, as it now becomes an extension of your work, and hackers that could break into your home computer can now break into your work computers. But that’s relatively simple to do. Put a firewall in place (likely already part of your vpn equipment) and do some regular vulnerability scanning.
b) If telnet access is all you’re after, look into ssh
c) there may be more to the vendor’s claim than meets the eye. It may be that they need to upgrade other aspects to make it HIPAA compliant as well. Or perhaps the current system uses too much bandwidth to sync very well over the internet, or some other issue.
d) This is the most important point: You say your boss is telling you you can’t work at home because of this. And you say you used to work at home but don’t any more. To me, these add up to your boss not wanting you to work from home, but trying to be kind in the matter. My suspicion is that even if you solve the technical problem, you still won’t be able to work from home.

Perhaps you should talk to him directly about this. I.e. say “I really want to work from home. If the HIPAA compliance weren’t an issue would it be possible?” as opposed to “You can stay HIPAA compliant using a VPN, and here are references. When can I start working at home?” The second approach will only get you a new excuse and bitterness from your boss.

Or perhaps I’m wrong about #c. You make the call.

Errr… perhaps I’m wrong about #d

A very good site is www.hipaacomply.com

I knew the SDMB netizens would not let me down!

Sorry, mojave66, that link didn’t work.

Danalan, when I was expressing my incredulity to my boss about our vendor’s comments, I was racking my brain trying to come up with a scenario in which health info would have to be transmitted electronically. That’s it! Teleradiology! Thanks for the good example!

Jonathan Woodall, I neglected to mention I did Google HIPAA VPN but I am too ignorant in all things technical and all things HIPAA to be able to determine for myself if all the gobbledygook on those pages was indeed saying “yes, lorinada, tell your boss that’s possible and compliant.” :smiley: But my Google skills were at least adequate enough to determine the VPN might be a solution! In fact, I’m not technologically advanced enough to know how you dial up and telnet at the same time! :smiley: But I think I’m knowledgeable enough to know your phone call analogy doesn’t cut it because you are not a third party! :slight_smile:

Opengrave, I’m not savvy enough to know the difference, sorry!

Yarster, not only did I indeed find VPN on a search through the regs, but I also am interested in the on-line HIPAA courses! Very reasonably priced! Thanks! Sorry it is your competition, though.

SylverOne, although our claims would be transmitted through the server as usual, which is already HIPAA compliant and secure, the “picking up reports” would be very similar to the types of activities we would be doing over the net. Thanks for the link to your vendor. We might need it!

gotpasswords, there was a link on that page you linked to that I think will help convince my boss. Thanks!

Bill H.:

If I do indeed work at home again I would install a firewall.

Right now I use PowerTerm. Would I need other software to use ssh? I am very computer-communications illiterate. And, I’m not sure what you mean by “if telnet access is all you’re after” as it is the only way I have ever connected from a Unix server to a PC, no matter where I worked or what industry I was in.

I don’t think so since, like I say, I’ve been working at home off and on for quite some time. Also, the vendor itself can and frequently does connect to our server, either by dial-up or TCP/IP. This is one of the main reasons why I suspect they’re trying to take my gullible boss for a ride.

Actually, my boss is much too…um…well…he can’t figure things out for himself very well. I quit working at home because I won’t let myself as long as this may be a HIPAA issue. He himself would not be, um, intuitive? enough to realize that if the other site can’t telnet, I can’t either. However, I have a vested interest in the solution because, like I said, I want to propose my working at home and not being able to connect to the server will smash that all to hell! :smiley:

E-Sabbath That’s a great site, too. Thanks!

Thanks for the great help, everyone.

I’m not familiar with PowerTerm, but looking at their website (http://www.ericom.com), it looks like they do support SSH. So, you would have to change your home configuration a bit, but more importantly, you’ll need to have the host computer (that you’re telnetting into) set up to run SSH as well. This shouldn’t be a big deal for a computer savvy person, so I expect you could bring in a consultant and solve the problem in a couple of hours tops if you can’t handle it in-house.
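Added example, not posted by anyone in this thread: the two pieces a consultant would actually do for the SSH route discussed above (Opengrave’s and Bill H.’s suggestion, and the PowerTerm note just before this). The first function audits an sshd_config on the Unix host for settings that would make SSH little better than the telnet it replaces; the second prints the ssh command that carries an existing telnet terminal emulator through the encrypted tunnel, so telnet itself never crosses the internet. The sample config, the hostname, the user name and the port numbers are constructed for the example; the `Protocol` directive is the one used by OpenSSH of that era (newer releases speak SSH-2 only and have dropped it).

```shell
#!/bin/sh
# Added example, not posted by anyone in the thread. Audits an sshd_config for
# settings that would weaken SSH as a replacement for bare telnet, and prints
# the ssh command that carries a telnet terminal emulator through the tunnel.
# The sample config, hostnames and port numbers below are constructed.

# Print the effective value of a directive: comments ignored, keyword
# matched case-insensitively, last occurrence wins. Empty if not set.
sshd_directive() {
    # $1 = path to sshd_config, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { val = $2 }
        END { print val }' "$1"
}

# One OK/FAIL line per check; returns 1 if anything fails. A directive that is
# not set explicitly is reported as "unset" and fails, so the verdict never
# depends on knowing the compiled-in default of a particular OpenSSH build.
audit_sshd_config() {
    cfg=$1
    rc=0
    check() {  # $1 = directive, $2 = required value
        got=$(sshd_directive "$cfg" "$1")
        [ -n "$got" ] || got=unset
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$2" ]; then
            echo "OK   $1 $got"
        else
            echo "FAIL $1 is '$got', want '$2'"
            rc=1
        fi
    }
    check Protocol 2                 # SSH-1 has known weaknesses; SSH-2 only
    check PermitRootLogin no         # remote staff log in as themselves
    check PasswordAuthentication no  # keys instead of reusable passwords
    check PermitEmptyPasswords no
    check X11Forwarding no           # nothing on a billing host needs it
    return $rc
}

# Tunnel command: the terminal emulator on the home PC connects to
# localhost:$1, and sshd on the server forwards that to its own telnetd on
# 127.0.0.1:23, so the cleartext telnet hop never leaves the server.
telnet_over_ssh_cmd() {
    # $1 = local port on the home PC, $2 = user@server
    printf 'ssh -N -L %s:127.0.0.1:23 %s\n' "$1" "$2"
}

# Demo on a constructed config (not a real server).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample sshd_config
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
audit_sshd_config "$demo_cfg" || echo "harden sshd_config before exposing it"
telnet_over_ssh_cmd 2323 billing@clinic-gateway.example
rm -f "$demo_cfg"
```

Once `ssh -N -L 2323:127.0.0.1:23 billing@clinic-gateway.example` is running on the home PC, the terminal emulator is pointed at `localhost` port 2323 instead of the server’s address; the audit is worth rerunning after any vendor or OS update, since those tend to rewrite sshd_config.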