HIPAA System Requirements for Computer Hardware and Software

Healthcare businesses are obligated to comply with HIPAA in how they manage certain protected patient information and in what information they disclose to third parties. In particular, they are permitted to disclose patient information generally to the patient, to individuals authorized by the patient, and for use in the provision of health services. The goal of HIPAA is to protect privacy while still enabling the flow of information to those professionals who need or can use it in the care of the patient.

As a general rule, HIPAA does not prohibit sending protected patient information over the internet or via email. However, businesses are required to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to protected information. In particular, the regulations require the following:

1. Access Control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

2. Implementation Specifications:

  • Unique user identification: Assign a unique name and/or number for identifying and tracking user identity.
  • Emergency access procedure: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
  • Automatic logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  • Encryption and decryption: Implement a mechanism to encrypt and decrypt electronic protected health information.

Accordingly, all businesses that manage patient information should verify that their computer systems satisfy the above technical requirements, and should adopt written policies that incorporate them. As for operating systems and hardware, HIPAA does not mandate minimum requirements for computers; the rule was written to give organizations the flexibility to choose what best fits their needs. However, the rule does mandate requirements for information systems. In other words, your information systems must contain certain safeguards. The following requirements must be present:

1. Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

2. Transmission Security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

3. Implementation Specifications:

  • Integrity controls: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
  • Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

To operate in today's business world, healthcare businesses, like any other, must use electronic information. At the same time, they must ensure the privacy of protected patient information. Therefore, every healthcare business must ensure that all of its software and information technology complies with HIPAA.

If you would like more information on this topic, you can contact the author, Theodore McGinn, at (847) 705-7555 or tmcginn@lavellelaw.com.