HIPAA, Computer Security, and Domino/Notes

By Chuck Connell, www.chc-3.com



What is HIPAA?

¨  Health Insurance Portability and Accountability Act of 1996.

¨  Large far-reaching health-care law from federal government.

¨  Five main sections, which take effect on different dates.

¨  www.cms.hhs.gov/hipaa/


So What? (There are lots of big federal laws.)

¨  Healthcare is a $1.3T industry in the US, covering 14% of GNP.

¨  It is one of the few growth sectors in the economy lately.

¨  It is the only growth sector in the computer business over the last couple years.

¨  It is likely that you or your business will be affected by HIPAA in some way.

   Who has run into this already?


Five Section of HIPAA

¨  Title I, Insurance Reform (now)

¨  Title II, Administrative Simplification

   Privacy (April 03)

   Transactions and Code Sets (Oct 03)

   Identifiers (July 04)

   Computer Security (April 05)

¨  Small organizations have an extra year.

¨  (These dates are a summary.)


Insurance Reform

¨  Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.

¨  Largely eliminates problems with “pre-existing conditions”.

¨  The greatest benefit of HIPAA for consumers.



¨   Defines who can see your medical information and how it can be used.

¨   In general, the rules make sense, and are what you want.

    Examples: Can always share information when medically necessary. Cannot shout your diagnosis across the waiting room.

¨   You received “privacy notices” from your doctors last spring – for compliance with this privacy reg.

¨   But there are many gray areas.

    Should a hospital tell a caller that you are there?

    Should the hospital accept flowers if you are there?


Transactions and Code Sets

¨   There were many incompatible formats for the transmission and coding of medical information.

    Organizations could not communicate electronically, because they could not agree on a file format.

    A medical procedure might be known as A101 to one insurance company, but 55b to another.

¨   HIPAA mandated standard medical codes, file formats, and electronic processing.

¨   IT impact; all this is computerized.

¨   Deadline just occurred – 10/03

    Extended because the medical business was about to fall apart due to non-readiness.



¨   A common standard for unambiguous identification of entities involved in healthcare.

¨   Solves problem of Dr. Feelgood being known as provider XC-546-T3 to Blue Cross, but 12387624 to Tufts.

¨   IT impact; much of this is computerized.

¨   Deadline next summer; July 2004.

¨   (Unique identification of individuals dropped due to political pressure.)


Computer Security

¨  Five sub-sections




   Policies, Procedures, Documentation


¨  April 2005 deadline


Security, Administrative

¨  Risk analysis, risk management

¨  Identify responsible individual

¨  User authorization / termination procedures

¨  Virus protection

¨  Log-in monitoring, threat reporting

¨  Backup and disaster plan

¨  More…


Security, Physical

¨  Building security plan

¨  Building access control and monitoring

¨  Physical safeguard of workstations

¨  Policy and procedures for workstation and work areas

¨  Storage of backup media

¨  Re-use and disposal of media

¨  More…


Security, Organizational

¨  Contract between healthcare organization and its business partners

   Important. Example of shredding company.

   But, who is a business partner. (Window washer??)

¨  Group health plan documents must reflect the HIPAA rules


Security, Policies & Docs

¨  Documentation about the security policies

¨  Modification, retention, availability of these documents


Security, Technical

¨   Access Controls / Unique User Identification

    Assign a unique name and/ or number for identifying and tracking user identity.

¨   Access Controls / Emergency Access

    Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

¨   Access Controls / Automatic Logoff

    Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.


Security, Technical  (2)

¨   Access Controls / Data Encryption

    Implement a mechanism to encrypt and decrypt electronic protected health information.

¨   Audit Controls

    Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

¨   Data Integrity

    Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.


Security, Technical  (3)

¨   Person and Entity Authentication

    Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

¨   Transmission Security / Integrity

    Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

¨   Transmission Security / Encryption

    Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.


General observations

¨   The HIPAA security rules give wide latitude for implementation.

    They never say S/MIME or two-factor or password expiration.

    This is by design, based on objections to early drafts.

¨   Some items are required and some are addressable.


    You will hear a lot of talk about this

¨   Domino/Notes can meet all of the HIPAA security rules.


HIPAA and Notes/Domino

¨   Notes ID files and Internet accounts in the NAB provide unique identification of each person.

    Do not assign shared generic IDs (such as AcctPayable)

¨   Security rules should not get in the way of patient care.

    Need way to get around security restrictions, for good medical care. Domino/Notes can accomplish this in several ways. (Ideas??)

¨   Auto logoff built into Notes security preferences.


HIPAA and Notes/Domino (2)

¨  Data encryption via encrypted fields or database encryption.

¨  Audit trails via server log, web log, database user activity, transaction logging, event records, 3rd party products.

¨  Encryption (and other methods) achieve data integrity.


HIPAA and Notes/Domino (3)

¨  Notes IDs and Domino web accounts ensure positive identification of each user.

   Of course, no method is perfect and must be implemented correctly.

¨  SSL and Notes port encryption.

¨  SSL and Notes port encryption.


HIPAA Audit Database

¨  Tool I created, for free distribution

¨  Posted on my Downloads page

¨  Demonstration


Questions ?

¨  Contact info:

   Chuck Connell