HIPAA, Computer Security, and Domino/Notes
Chuck Connell
What is HIPAA?
Health Insurance Portability and Accountability Act of
Large, far-reaching health-care law from the federal government.
Five main sections, which take effect on different dates.
So What? (There are lots of big federal laws.)
Healthcare is a $1.3T industry in the US, covering 14% of GNP.
It is one of the few growth sectors in the economy lately.
It is the only growth sector in the computer business over the last couple of years.
It is likely that you or your business will be affected by HIPAA in some way.
– Who has run into this already?
Five Sections of HIPAA
Title I, Insurance Reform (now)
Title II, Administrative Simplification
– Privacy (April 03)
– Transactions and Code Sets (Oct 03)
– Identifiers (July 04)
– Computer Security (April 05)
Small organizations have an extra year. (These dates are a summary.)
Insurance Reform
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
Largely eliminates problems with “pre-existing conditions”.
The greatest benefit of HIPAA for consumers.
Privacy
Defines who can see your medical information and how it can be used.
In general, the rules make sense, and are what you want.
– Examples: Can always share information when medically necessary. Cannot shout your diagnosis across the waiting room.
You received “privacy notices” from your doctors last spring – for compliance with this privacy reg.
But there are many gray areas.
– Should a hospital tell a caller that you are there?
– Should the hospital accept flowers if you are there?
Transactions and Code Sets
There were many incompatible formats for the transmission and coding of medical information.
– Organizations could not communicate electronically, because they could not agree on a file format.
– A medical procedure might be known as A101 to one insurance company, but 55b to another.
HIPAA mandated standard medical codes, file formats, and electronic processing.
IT impact; all this is computerized.
Deadline just occurred – 10/03
– Extended because the medical business was about to fall apart due to non-readiness.
Identifiers
A common standard for unambiguous identification of entities involved in healthcare.
Solves the problem of Dr. Feelgood being known as provider XC-546-T3 to Blue Cross, but to Tufts.
IT impact; much of this is computerized.
Deadline next summer; July
(Unique identification of individuals dropped due to political pressure.)
Questions?
Computer Security
Five sub-sections
– Administrative
– Physical
– Organizational
– Policies, Procedures, Documentation
– Technical
April 2005 deadline
Security, Administrative
Risk analysis, risk management
Identify responsible individual
User authorization / termination procedures
Virus protection
Log-in monitoring, threat reporting
Backup and disaster plan
More…
Security, Physical
Building security plan
Building access control and monitoring
Physical safeguard of workstations
Policy and procedures for workstations and work areas
Storage of backup media
Re-use and disposal of media
More…
Security, Organizational
Contracts between a healthcare organization and its business partners must reflect these rules
– Example: offsite backup company
– But, who is a business partner (window washer??)
Group health plan documents must show they are following HIPAA rules
Security, Policies & Docs
Documentation about the security policies
Modification, retention, availability of these documents
Security, Technical
1. Access Controls / Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
2. Access Controls / Emergency Access: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
3. Access Controls / Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Security, Technical (2)
4. Access Controls / Data Encryption: Implement a mechanism to encrypt and decrypt electronic protected health information.
5. Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
6. Data Integrity: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Security, Technical (3)
7. Person and Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
8. Transmission Security / Integrity: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
9. Transmission Security / Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
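Two of the technical safeguards above (3, automatic logoff, and 6, data integrity) are concrete enough to show as working code. The following is an added illustration in plain Python, not code from this presentation and not Domino/Notes code; the key, the 15-minute idle policy, the user and patient record are constructed for the example. Integrity is corroborated with a keyed MAC (HMAC-SHA256) over a canonical serialization of the record, so any unauthorized change to the stored record fails verification.

```python
"""Added example: HIPAA technical safeguards 3 (automatic logoff) and
6 (data integrity) in plain Python. Not from the original presentation
and not Domino/Notes code; the key, timeout policy, user and record are
constructed assumptions for illustration."""
import hashlib
import hmac
import json

# Constructed secret; a real deployment keeps it outside the code.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically (fixed key order, no
    whitespace) so equal content always yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Return an HMAC-SHA256 tag over the canonical form of the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record still matches the tag computed when sealed.
    compare_digest avoids leaking information through comparison timing."""
    return hmac.compare_digest(seal_record(record, key), tag)


# --- Safeguard 3: automatic logoff -------------------------------------

IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed policy value: 15 minutes


class Session:
    """Tracks the last activity of a logged-in user (seconds since epoch)."""

    def __init__(self, user: str, now: float):
        self.user = user
        self.last_activity = now
        self.active = True

    def touch(self, now: float) -> None:
        """Record user activity; only meaningful while the session is active."""
        if self.active:
            self.last_activity = now

    def enforce_timeout(self, now: float, timeout: int = IDLE_TIMEOUT_SECONDS) -> bool:
        """Terminate the session once idle for at least `timeout` seconds.
        Returns True when the session is (or already was) logged off."""
        if self.active and now - self.last_activity >= timeout:
            self.active = False
        return not self.active


def demo() -> dict:
    """Run both safeguards on constructed data and return the observations."""
    # Constructed sample record; not real patient data.
    record = {"patient_id": "P-0001", "diagnosis": "example", "visit": "2004-01-05"}
    tag = seal_record(record)
    tampered = dict(record, diagnosis="changed without authorization")

    session = Session("nurse01", now=1000.0)
    session.touch(1100.0)
    still_active = not session.enforce_timeout(1100.0 + 600)              # 10 min idle
    logged_off = session.enforce_timeout(1100.0 + IDLE_TIMEOUT_SECONDS)  # 15 min idle

    return {
        "original_verifies": verify_record(record, tag),
        "tampered_verifies": verify_record(tampered, tag),
        "active_after_10_min": still_active,
        "logged_off_after_15_min": logged_off,
    }


if __name__ == "__main__":
    print(demo())
```

The MAC only corroborates integrity if the key is kept away from whoever could alter the records; with a shared or exposed key, an attacker who edits a record can simply recompute the tag. Storing the tag alongside the record is fine as long as the key is not.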
General observations
The HIPAA security rules give wide latitude for implementation.
– They never say S/MIME or two-factor or password expiration.
– This is by design, based on objections to early drafts.
Some items are required and some are addressable.
– Definitions
– You will hear a lot of talk about this
Domino/Notes can meet all of the HIPAA security rules.
HIPAA and Notes/Domino
1. Notes ID files and Internet accounts in the NAB provide unique identification of each person. Do not assign shared generic IDs (such as AcctPayable).
2. Security rules should not get in the way of patient care. Need a way to get around security restrictions, for good medical care. Domino/Notes can accomplish this in several ways. (Ideas??)
3. Auto logoff built into Notes security preferences.
HIPAA and Notes/Domino (2)
4. Data encryption via encrypted fields or database encryption.
5. Audit trails via server log, web log, database user activity, transaction logging, event records, 3rd party products.
6. Encryption (and other methods) achieve data integrity.
HIPAA and Notes/Domino (3)
7. Notes IDs and Domino web accounts ensure positive identification of each user. Of course, no method is perfect, and each must be implemented correctly.
8. SSL and Notes port encryption.
9. SSL and Notes port encryption.
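Item 5 above lists the sources of audit trails, but the audit-controls safeguard asks for mechanisms that both record and examine activity. The following added example (not from this presentation, and not Domino's own log format or API) shows the "examine" half: a small reviewer that reads constructed access-log lines and flags three patterns a compliance reviewer would want surfaced. The log format, user names, record ids, business hours and thresholds are all assumptions made for the example.

```python
"""Added example: reviewing an access audit trail for patterns worth a
human look. Not from the original presentation and not Domino/Notes
code; the log format, users, records and rules are constructed."""
from collections import Counter
from datetime import datetime

# Constructed access log: timestamp, user, action, record id, result.
SAMPLE_LOG = """\
2004-01-05T09:12:03 nurse01 READ P-0001 OK
2004-01-05T09:12:40 nurse01 READ P-0002 OK
2004-01-05T09:13:05 nurse01 READ P-0003 OK
2004-01-05T09:13:20 nurse01 READ P-0004 OK
2004-01-05T09:13:35 nurse01 READ P-0005 OK
2004-01-05T09:14:00 nurse01 READ P-0006 OK
2004-01-05T23:40:10 clerk07 READ P-0042 OK
2004-01-05T10:02:00 dr_lee UPDATE P-0042 OK
2004-01-05T10:05:00 temp99 READ P-0042 DENIED
2004-01-05T10:05:05 temp99 READ P-0043 DENIED
2004-01-05T10:05:10 temp99 READ P-0044 DENIED
"""

BUSINESS_HOURS = range(7, 20)   # assumed policy: 07:00 to 19:59
BULK_READ_THRESHOLD = 5         # assumed: more than 5 distinct records...
BULK_WINDOW_SECONDS = 120       # ...within a 2-minute window
DENIED_THRESHOLD = 3            # assumed: 3 or more denials per user


def parse_line(line: str) -> dict:
    """Split one log line into its five fields."""
    ts, user, action, record, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "record": record, "result": result}


def review(log_text: str) -> list:
    """Return (rule, user, detail) findings for the given log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Rule 1: successful access outside business hours.
    for e in events:
        if e["result"] == "OK" and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", e["user"], e["record"]))

    # Rule 2: repeated denied attempts by the same user.
    denied = Counter(e["user"] for e in events if e["result"] == "DENIED")
    for user, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append(("repeated_denied", user, n))

    # Rule 3: one user reading many distinct records in a short window.
    reads_by_user = {}
    for e in events:
        if e["action"] == "READ" and e["result"] == "OK":
            reads_by_user.setdefault(e["user"], []).append(e)
    for user, reads in reads_by_user.items():
        reads.sort(key=lambda e: e["ts"])
        for i, start in enumerate(reads):
            window = [x for x in reads[i:]
                      if (x["ts"] - start["ts"]).total_seconds() <= BULK_WINDOW_SECONDS]
            distinct = {x["record"] for x in window}
            if len(distinct) > BULK_READ_THRESHOLD:
                findings.append(("bulk_read", user, len(distinct)))
                break  # one finding per user is enough for a reviewer

    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Each rule is a starting point for a reviewer, not a verdict: an after-hours read may be a legitimate night shift, and a burst of reads may be a ward round. The value of the audit control is that such activity is recorded and put in front of someone, which the thresholds above make routine rather than ad hoc.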
HIPAA Audit Database
Tool I created, for free distribution
Posted on my Downloads page
Demonstration
Questions?
Contact info:
– Chuck Connell
– chc-3.com
–