HIPAA, Computer Security, and
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996.
• A far-reaching health-care law from the federal government.
• Five main sections, which take effect on different dates.
So What? (There are lots of big federal laws.)
• Health care is a $1.3T industry in the US, covering 14% of GNP.
• It is one of the few growth sectors in the economy lately.
• It is the only growth sector in the computer business over the last couple of years.
• It is likely that you or your business will be affected by HIPAA in some way.
– Who has run into this already?
Five Sections of HIPAA
• Title I, Insurance Reform (now)
• Title II,
and Code Sets (Oct 03)
Security (April 05)
organizations have an extra year.
dates are a summary.)
• Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
• Largely eliminates problems with “pre-existing conditions”.
greatest benefit of HIPAA for consumers.
• Defines who can see your medical information and how it can be used.
• In general, the rules make sense, and are what you
Examples: Can always share information when medically necessary. Cannot shout your diagnosis across the waiting room.
• You received “privacy notices” from your doctors last spring – for compliance with this privacy reg.
• But there are many gray areas.
Should a hospital tell a caller that you are there?
Should the hospital accept flowers if you are there?
Transactions and Code Sets
• There were many incompatible formats for the transmission and coding of medical information.
Organizations could not communicate electronically, because they could not agree on a file format.
A medical procedure might be known as A101 to one insurance company, but 55b to another.
• HIPAA mandated standard medical codes, file formats, and electronic processing.
• IT impact; all this is computerized.
• Deadline just occurred – 10/03
Extended because the medical business was about to fall apart due to non-readiness.
• A common standard for unambiguous identification of entities involved in healthcare.
• Solves the problem of Dr. Feelgood being known as provider XC-546-T3 to Blue Cross, but 12387624 to Tufts.
• IT impact; much of this is computerized.
• Deadline next summer: July 2004.
• (Unique identification of individuals dropped due to
• April 2005
Risk analysis, risk management
authorization / termination procedures
monitoring, threat reporting
• Backup and
access control and monitoring
safeguard of workstations
• Policy and procedures for workstation and work areas
• Storage of
• Re-use and disposal of media
between healthcare organization and its business partners
Example of shredding company.
– But, who is a business partner? (Window washer??)
health plan documents must reflect the HIPAA rules
Security, Policies & Docs
about the security policies
retention, availability of these documents
• Access Controls / Unique User Identification
a unique name and/or number for identifying and tracking user identity.
• Access Controls / Emergency Access
(and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
• Access Controls / Automatic Logoff
electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Security, Technical (2)
• Access Controls / Data Encryption
a mechanism to encrypt and decrypt electronic protected health information.
• Audit Controls
hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
• Data Integrity
electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Security, Technical (3)
• Person and Entity Authentication
procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
• Transmission Security / Integrity
security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
• Transmission Security / Encryption
a mechanism to encrypt electronic protected health information whenever deemed
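As an added illustration (not from the original slides and not Domino code), the check below runs constructed access-log lines against three of the technical safeguards listed above: unique user identification (flagging a login under a shared generic ID such as AcctPayable, which the Notes/Domino slides warn against), automatic logoff (flagging activity after an idle gap longer than the configured timeout), and audit controls (the log review itself). The log format, the 15-minute timeout and the list of shared IDs are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not real Domino server-log output); assumed format:
# "<date> <time> <event> <user> <database>"
SAMPLE_LOG = """\
2003-10-01 08:00:00 LOGIN jsmith/Clinic PatientRecords.nsf
2003-10-01 08:05:00 READ jsmith/Clinic PatientRecords.nsf
2003-10-01 08:40:00 READ jsmith/Clinic PatientRecords.nsf
2003-10-01 08:41:00 LOGOUT jsmith/Clinic PatientRecords.nsf
2003-10-01 09:00:00 LOGIN AcctPayable/Clinic Billing.nsf
2003-10-01 09:03:00 LOGOUT AcctPayable/Clinic Billing.nsf
"""
# Assumed policy: generic IDs never allowed to log in, and the inactivity
# limit after which the automatic logoff should already have ended the session.
SHARED_IDS = {"acctpayable", "frontdesk", "nurse"}
IDLE_LIMIT = timedelta(minutes=15)
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) (\S+)$")

def parse_log(text):
    """Turn log lines into (timestamp, event, user, database) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def audit(events, idle_limit=IDLE_LIMIT, shared_ids=SHARED_IDS):
    """Return (user, finding) pairs for shared-ID logins and idle sessions."""
    findings = []
    last_activity = {}  # user -> timestamp of the last event in an open session
    for ts, event, user, database in events:
        if event == "LOGIN":
            if user.split("/")[0].lower() in shared_ids:
                findings.append((user, "login under shared generic ID"))
            last_activity[user] = ts
            continue
        prev = last_activity.get(user)
        if prev is not None and ts - prev > idle_limit:
            # Activity after a gap longer than the timeout means the session
            # was never terminated by the automatic logoff.
            gap = int((ts - prev).total_seconds() // 60)
            findings.append((user, f"{event} on {database} after {gap} min idle"))
        if event == "LOGOUT":
            last_activity.pop(user, None)
        else:
            last_activity[user] = ts
    return findings
```

Running `audit(parse_log(SAMPLE_LOG))` on the constructed log reports the 35-minute idle read by jsmith and the AcctPayable login.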
• The HIPAA security rules give wide latitude for
They never say S/MIME or two-factor or password expiration.
This is by design, based on objections to early drafts.
• Some items are required and some are addressable.
You will hear a lot of talk about this.
• Domino/Notes can meet all of the HIPAA security rules.
HIPAA and Notes/Domino
• Notes ID files and Internet accounts in the NAB provide unique identification of each person.
Do not assign shared generic IDs (such as AcctPayable).
• Security rules should not get in the way of patient
way to get around security restrictions, for good medical care. Domino/Notes can accomplish this in several ways. (Ideas??)
• Auto logoff built into Notes security preferences.
HIPAA and Notes/Domino (2)
Data encryption via encrypted fields or database encryption.
Audit trails via server log, web log, database user activity, transaction logging, event records, 3rd party products.
(and other methods) achieve data integrity.
HIPAA and Notes/Domino (3)
• Notes IDs and Domino web accounts ensure positive identification of each user.
Of course, no method is perfect and must be implemented correctly.
• SSL and Notes port encryption.
• SSL and Notes port encryption.
HIPAA Audit Database
• Tool I created, for free distribution.
• Posted on my Downloads page.