HIPAA, Computer Security, and Domino/Notes
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996.
• Large, far-reaching health-care law from the federal government.
• Five main sections, which take effect on different dates.
So What? (There are lots of big federal laws.)
• Healthcare is a $1.3T industry in the US, covering 14% of GNP.
• It is one of the few growth sectors in the economy lately.
• It is the only growth sector in the computer business over the last couple of years.
• It is likely that you or your business will be affected by HIPAA in some way.
  – Who has run into this already?
Five Sections of HIPAA
• Title I, Insurance Reform (now)
• Title II, Administrative Simplification
  – Privacy (April 03)
  – Transactions and Code Sets (Oct 03)
  – Identifiers (July 04)
  – Computer Security (April 05)
• Small organizations have an extra year.
• (These dates are a summary.)
Insurance Reform
• Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
• Largely eliminates problems with “pre-existing conditions”.
• The greatest benefit of HIPAA for consumers.
Privacy
• Defines who can see your medical information and how it can be used.
• In general, the rules make sense, and are what you want.
  – Examples: Can always share information when medically necessary. Cannot shout your diagnosis across the waiting room.
• You received “privacy notices” from your doctors last spring – for compliance with this privacy reg.
• But there are many gray areas.
  – Should a hospital tell a caller that you are there?
  – Should the hospital accept flowers if you are there?
Transactions and Code Sets
• There were many incompatible formats for the transmission and coding of medical information.
  – Organizations could not communicate electronically, because they could not agree on a file format.
  – A medical procedure might be known as A101 to one insurance company, but 55b to another.
• HIPAA mandated standard medical codes, file formats, and electronic processing.
• IT impact: all this is computerized.
• Deadline just occurred – 10/03
  – Extended because the medical business was about to fall apart due to non-readiness.
Identifiers
• A common standard for unambiguous identification of entities involved in healthcare.
• Solves the problem of Dr. Feelgood being known as provider XC-546-T3 to Blue Cross, but 12387624 to Tufts.
• IT impact: much of this is computerized.
• Deadline next summer: July 2004.
• (Unique identification of individuals dropped due to political pressure.)
Computer Security
• Five sub-sections
  – Administrative
  – Physical
  – Organizational
  – Policies, Procedures, Documentation
  – Technical
• April 2005 deadline
Security, Administrative
• Risk analysis, risk management
• Identify responsible individual
• User authorization / termination procedures
• Virus protection
• Log-in monitoring, threat reporting
• Backup and disaster plan
• More…
Security, Physical
• Building security plan
• Building access control and monitoring
• Physical safeguard of workstations
• Policy and procedures for workstations and work areas
• Storage of backup media
• Re-use and disposal of media
• More…
Security, Organizational
• Contract between healthcare organization and its business partners
  – Important. Example: a shredding company.
  – But who is a business partner? (Window washer??)
• Group health plan documents must reflect the HIPAA rules
Security, Policies & Docs
• Documentation about the security policies
• Modification, retention, availability of these documents
Security, Technical
• Access Controls / Unique User Identification
  Assign a unique name and/or number for identifying and tracking user identity.
• Access Controls / Emergency Access
  Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
• Access Controls / Automatic Logoff
  Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
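Two of the access controls on this slide, Unique User Identification and Automatic Logoff, are easy to show as working code. The session manager below is an added example written for this page, not code from the slides or from Domino/Notes; the 15-minute idle limit, the list of forbidden shared IDs, and the injected clock are assumptions chosen so the behaviour is deterministic.

```python
"""Added example (not from the slides): a minimal session manager that
enforces two HIPAA technical access controls.

- Unique User Identification: every session is bound to one named user;
  shared/generic IDs (for example "AcctPayable") are refused at login.
- Automatic Logoff: a session is terminated after a predetermined period
  of inactivity, measured from the last recorded activity.

The clock is injected as a callable so tests are deterministic. The idle
limit and the list of generic IDs are assumptions for this example.
"""
from dataclasses import dataclass, field

IDLE_LIMIT_SECONDS = 15 * 60                                 # assumed idle limit
GENERIC_IDS = {"acctpayable", "admin", "nurse", "frontdesk"}  # assumed shared IDs


@dataclass
class Session:
    user_id: str
    last_activity: float
    active: bool = True
    history: list = field(default_factory=list)  # (timestamp, event) for audit


class SessionManager:
    def __init__(self, now, idle_limit=IDLE_LIMIT_SECONDS):
        self._now = now              # callable returning seconds
        self.idle_limit = idle_limit
        self.sessions = {}

    def login(self, user_id):
        # Unique User Identification: refuse shared or generic accounts.
        if not user_id or user_id.lower() in GENERIC_IDS:
            raise ValueError(f"refusing shared or generic ID: {user_id!r}")
        sess = Session(user_id=user_id, last_activity=self._now())
        sess.history.append((sess.last_activity, "login"))
        self.sessions[user_id] = sess
        return sess

    def touch(self, user_id):
        """Record user activity. Returns False if the session is (or has just
        become) terminated, in which case the caller must re-authenticate."""
        sess = self.sessions.get(user_id)
        if sess is None or not sess.active:
            return False
        t = self._now()
        if t - sess.last_activity > self.idle_limit:
            # Automatic Logoff: idle too long, so terminate instead of refreshing.
            sess.active = False
            sess.history.append((t, "auto-logoff"))
            return False
        sess.last_activity = t
        sess.history.append((t, "activity"))
        return True

    def sweep(self):
        """Periodic job: terminate every idle session; return the IDs logged off."""
        t = self._now()
        logged_off = []
        for sess in self.sessions.values():
            if sess.active and t - sess.last_activity > self.idle_limit:
                sess.active = False
                sess.history.append((t, "auto-logoff"))
                logged_off.append(sess.user_id)
        return logged_off


def demo():
    """Walk through one user session with a 600 s idle limit."""
    clock = [0.0]
    mgr = SessionManager(now=lambda: clock[0], idle_limit=600)
    mgr.login("cconnell")
    clock[0] = 300
    refreshed = mgr.touch("cconnell")      # 300 s idle: session refreshed
    clock[0] = 1000                        # 700 s idle: over the limit
    alive = mgr.touch("cconnell")          # auto-logoff, returns False
    try:
        mgr.login("AcctPayable")           # shared ID is refused
        generic_refused = False
    except ValueError:
        generic_refused = True
    last_event = mgr.sessions["cconnell"].history[-1][1]
    return refreshed, alive, generic_refused, last_event


if __name__ == "__main__":
    print(demo())
```

The `sweep` method is what a server-side timer would call; `touch` covers the case where the user's next request arrives after the limit has already passed, so the request is refused rather than silently extending the session.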
Security, Technical (2)
• Access Controls / Data Encryption
  Implement a mechanism to encrypt and decrypt electronic protected health information.
• Audit Controls
  Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
• Data Integrity
  Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Security, Technical (3)
• Person and Entity Authentication
  Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
• Transmission Security / Integrity
  Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
• Transmission Security / Encryption
  Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
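The Audit Controls and Data Integrity items on the previous slide and the Transmission Security / Integrity item on this one all come down to the same pair of mechanisms: an integrity tag that travels with each record, and an audit log that records every access and every failed check. The record store below is an added example for this page, not code from the slides or from Domino/Notes; the HMAC key, the record fields and the sample patient rows are constructed for the example.

```python
"""Added example (not from the slides): an HMAC-protected record store that
demonstrates three HIPAA technical safeguards.

- Data Integrity: each ePHI record carries an HMAC-SHA256 tag over its
  canonical serialization, so unauthorized alteration is detectable.
- Audit Controls: every write, read and failed verification is appended to
  an audit log that can be examined afterwards.
- Transmission Security / Integrity: the tag is part of the envelope that
  would be transmitted, so a receiver detects modification in transit.

The key and the sample records are constructed for this example.
"""
import hashlib
import hmac
import json

# Assumed key for the example; a real deployment keeps this in a key store.
INTEGRITY_KEY = b"example-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Stable serialization so the tag does not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a transmittable envelope: the record plus its integrity tag."""
    return {"record": record, "tag": tag(record, key)}


def verify(envelope: dict, key: bytes = INTEGRITY_KEY) -> bool:
    # compare_digest avoids leaking tag bytes through comparison timing.
    return hmac.compare_digest(tag(envelope["record"], key), envelope["tag"])


class RecordStore:
    def __init__(self, key: bytes = INTEGRITY_KEY):
        self.key = key
        self.rows = {}      # patient_id -> sealed envelope
        self.audit = []     # (user, action, patient_id, outcome)

    def write(self, user: str, record: dict) -> None:
        self.rows[record["patient_id"]] = seal(record, self.key)
        self.audit.append((user, "write", record["patient_id"], "ok"))

    def read(self, user: str, patient_id: str) -> dict:
        env = self.rows[patient_id]
        ok = verify(env, self.key)
        self.audit.append((user, "read", patient_id, "ok" if ok else "INTEGRITY-FAIL"))
        if not ok:
            raise ValueError(f"record {patient_id} failed integrity check")
        return env["record"]

    def integrity_failures(self):
        """Audit examination: which accesses hit a tampered record?"""
        return [entry for entry in self.audit if entry[3] == "INTEGRITY-FAIL"]


def demo():
    """Write two constructed records, tamper with one outside the API,
    and show that the read detects it and the audit log records it."""
    store = RecordStore()
    # Constructed sample ePHI, not real patient data.
    store.write("dr_jones", {"patient_id": "P001", "dx": "asthma", "note": "follow-up"})
    store.write("dr_jones", {"patient_id": "P002", "dx": "diabetes", "note": "follow-up"})
    clean = store.read("nurse_kim", "P001")["dx"]
    # Simulate an unauthorized change that bypassed the application
    # (for example, editing the stored data directly): tag no longer matches.
    store.rows["P002"]["record"]["dx"] = "healthy"
    try:
        store.read("nurse_kim", "P002")
        detected = False
    except ValueError:
        detected = True
    return clean, detected, len(store.integrity_failures()), len(store.audit)


if __name__ == "__main__":
    print(demo())
```

The same `seal`/`verify` pair works for a record sent over the wire: the sender ships the envelope, the receiver calls `verify` before trusting the contents. Note that an HMAC tag provides integrity, not confidentiality; the encryption items on these slides are a separate mechanism.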
General observations
• The HIPAA security rules give wide latitude for implementation.
  – They never say S/MIME or two-factor or password expiration.
  – This is by design, based on objections to early drafts.
• Some items are required and some are addressable.
  – Definitions
  – You will hear a lot of talk about this.
• Domino/Notes can meet all of the HIPAA security rules.
HIPAA and Notes/Domino
• Notes ID files and Internet accounts in the NAB provide unique identification of each person.
  Do not assign shared generic IDs (such as AcctPayable).
• Security rules should not get in the way of patient care.
  Need a way to get around security restrictions, for good medical care. Domino/Notes can accomplish this in several ways. (Ideas??)
• Auto logoff built into Notes security preferences.
HIPAA and Notes/Domino (2)
• Data encryption via encrypted fields or database encryption.
• Audit trails via server log, web log, database user activity, transaction logging, event records, 3rd party products.
• Encryption (and other methods) achieve data integrity.
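The server log named here as an audit trail is also the raw material for the "log-in monitoring, threat reporting" item on the Administrative slide. The script below is an added example for this page, not code from the slides or a Domino product feature: it parses constructed server-log lines written to resemble Domino console messages (the exact wording of real Domino messages varies by release and is not taken from this page, so the regular expressions are assumptions to adapt to your own log.nsf output) and reports any user/source pair with a burst of failed authentications.

```python
"""Added example (not from the slides): log-in monitoring over Domino-style
server log lines. Flags any user/source pair with THRESHOLD or more failed
authentications inside one sliding WINDOW, which is the kind of "threat
reporting" the Administrative safeguard asks for.

SAMPLE_LOG is constructed to resemble Domino console output; the message
wording and the regular expressions are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one burst of failures for Jane Doe, two isolated
# failures for Bob Roe two hours apart, and normal session opens.
SAMPLE_LOG = """\
02/10/2004 09:01:10 AM  Opened session for Chuck Connell/Acme (Release 6.5)
02/10/2004 09:03:44 AM  Authentication failed for user Jane Doe/Acme from 10.0.0.17
02/10/2004 09:03:51 AM  Authentication failed for user Jane Doe/Acme from 10.0.0.17
02/10/2004 09:04:02 AM  Authentication failed for user Jane Doe/Acme from 10.0.0.17
02/10/2004 09:04:09 AM  Authentication failed for user Jane Doe/Acme from 10.0.0.17
02/10/2004 09:04:15 AM  Authentication failed for user Jane Doe/Acme from 10.0.0.17
02/10/2004 09:30:00 AM  Authentication failed for user Bob Roe/Acme from 10.0.0.22
02/10/2004 11:30:00 AM  Authentication failed for user Bob Roe/Acme from 10.0.0.22
02/10/2004 11:31:00 AM  Opened session for Bob Roe/Acme (Release 6.5)
"""

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+(.*)$")
FAIL_RE = re.compile(r"Authentication failed for user (.+?) from (\S+)")

THRESHOLD = 5                      # assumed: failures that trigger a report
WINDOW = timedelta(minutes=10)     # assumed: sliding window length


def parse_failures(log_text):
    """Yield (timestamp, user, source) for each failed-authentication line;
    lines that do not match the assumed format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        f = FAIL_RE.search(m.group(2))
        if f:
            yield ts, f.group(1), f.group(2)


def detect_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (user, source, count, first, last) for every user/source pair
    whose failures reach `threshold` inside one `window` (sliding, sorted)."""
    events = defaultdict(list)
    for ts, user, src in parse_failures(log_text):
        events[(user, src)].append(ts)
    reports = []
    for (user, src), times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                reports.append((user, src, count, times[start], times[end]))
                break  # one report per user/source pair is enough
    return reports


if __name__ == "__main__":
    for user, src, count, first, last in detect_bursts(SAMPLE_LOG):
        print(f"REPORT: {count} failed logins for {user} from {src} "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Bob Roe's two failures never reach the threshold inside a ten-minute window, so only the Jane Doe burst is reported; lowering `threshold` or widening `window` trades fewer missed events for more noise, which is the usual tuning decision for this kind of check.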
HIPAA and Notes/Domino (3)
• Notes IDs and Domino web accounts ensure positive identification of each user.
  Of course, no method is perfect, and each must be implemented correctly.
• SSL and Notes port encryption.
HIPAA Audit Database
• Tool I created, for free distribution
• Posted on my Downloads page
• Demonstration
Questions?
• Contact info:
  – Chuck Connell
  – 781-939-0505