Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act, more commonly known
by its abbreviation 'HIPAA', contains a section dealing with Administrative
Simplification. That section deals with the standardization of electronic
patient data and with securing that data to ensure patient privacy and
confidentiality.
The HIPAA Administrative Simplification section has four parts:
I. Electronic Health Transactions Standards
II. Unique Identifiers for Providers, Employers, Health Plans and Patients
III. Security And Electronic Signature Standards
    Details: Proposed Rule
    Rule Published: Expected Oct - Dec, 2002
    Compliance: Expected to be 24 months from effective final rule date
IV. Privacy And Confidentiality Standards
Parts III & IV are relevant to information security and will be covered in
more detail below.
Security & Electronic Signature Standards
This rule proposes a standard for security of health information. The rule will
establish that health plans, health care clearinghouses, and health care
providers must have the security standard in place to comply with the statutory
requirement that health care information and individually identifiable health
care information be protected to ensure privacy and confidentiality when health
information is electronically stored, maintained, or transmitted.
Congress mandated a separate standard for electronic signature; therefore,
this proposed security standard also addresses the selected standard for
electronic signature. The proposed security standard does not require the use of
an electronic signature, but specifies the standard for an electronic signature
that must be followed if such a signature is used. If an entity elects to use an
electronic signature, it must comply with the electronic signature standard. See
the Electronic Signature Requirements/Implementation Matrix below.
Security of health information is especially important when health information
can be directly linked to an individual. Confidentiality is threatened not only
by the risk of improper access to electronically stored information, but also by
the risk of interception during electronic transmission of the information.
ANSI's Healthcare Informatics Standards Board (HISB) noted in their report to
the Office of the Secretary of the Department of Health and Human Services:
"Comprehensive adoption of security standards in health care, not piecemeal
implementation, is advocated to provide security to data that is exchanged
between health care entities. By definition, if a system or communications
between two systems, were implemented with technology(s) meeting standards in a
general system security framework (Identification and Authentication;
Authorization and Access Control; Accountability; Integrity and Availability;
Security of Communication; and Security Administration.) that system would be
essentially secure."
The proposed standard requires that each health care entity engaged in
electronic maintenance or transmission of health information assess potential
risks and vulnerabilities to the individual health data in its possession in
electronic form, and develop, implement, and maintain appropriate security
measures. Most importantly, these measures must be documented and kept current.
The proposed security standard consists of the requirements that a health care
entity must address in order to safeguard the integrity, confidentiality, and
availability of its electronic data. It also describes the implementation
features that must be present in order to satisfy each requirement.
The proposed security requirements have been divided into the following four
categories (a Requirements/Implementation Matrix for each category appears
below):
- Administrative procedures to guard data integrity,
confidentiality, and availability: these are documented, formal practices to
manage the selection and execution of security measures to protect data and
the conduct of personnel in relation to the protection of data.
- Physical safeguards to guard data integrity,
confidentiality, and availability: these relate to the protection of physical
computer systems and related buildings and equipment from fire and other
natural and environmental hazards, as well as from intrusion. Physical
safeguards also cover the use of locks, keys, and administrative measures
used to control access to computer systems and facilities.
- Technical security services to guard data integrity,
confidentiality, and availability: these include the processes that are put
in place to protect, control, and monitor information access.
- Technical security mechanisms: these include the processes
that are put in place to prevent unauthorized access to data that is
transmitted over a communications network.
IV. PRIVACY AND CONFIDENTIALITY
Individuals who provide information to health care providers and health plans
increasingly are concerned about how their information is used within the health
care system. Patients want to know that their sensitive information will be
protected not only during the course of their treatment but also in the future
as that information is maintained and/or transmitted within and outside of the
health care system.
Efforts to provide legal protection against the inappropriate use of
individually identifiable health information were undertaken primarily by the
States. States adopted a number of laws designed to protect patients against the
inappropriate use of health information. HIPAA only creates a floor for these
regulations; it does not supersede them. For a summary of regulations by state,
see the Health Privacy Network's 1999 report "The
State of Health Privacy: An Uneven Terrain (A Comprehensive Survey of State
Health Privacy Statutes)".
HIPAA Privacy regulations address the following:
- Allow for the smooth flow of identifiable health information
for treatment, payment, and related operations, and for specified additional
purposes related to health care that are in the public interest.
- Prohibit the flow of identifiable information for any
additional purposes, unless specifically and voluntarily authorized by the
subject of the information.
- Put in place a set of fair information practices that allow
individuals to know who is using their health information, and how it is
being used.
- Establish fair information practices that allow individuals
to obtain access to their records and request amendment of inaccurate
information.
- Require persons who hold identifiable health information to
safeguard that information from inappropriate use or disclosure.
- Hold those who use individually identifiable health
information accountable for their handling of this information, and to
provide legal recourse to persons harmed by misuse.
All healthcare organizations are affected by HIPAA. This
includes public health authorities, health plans, life insurers, health care
clearinghouses, service organizations, all health care providers (even
single-physician offices), employers, schools and universities. Penalties for
noncompliance are severe and include:
- fines up to $25K for multiple violations of the same
standard in a calendar year
- fines up to $250K and/or imprisonment up to 10 years for
knowing misuse of individually identifiable health information
Additional Information
Further HIPAA related information can be found in the independent analyst
reports and white papers listed below:
Security Matrices
Matrices for the four categories of the proposed security rule:
ADMINISTRATIVE PROCEDURES TO GUARD DATA INTEGRITY,
CONFIDENTIALITY, AND AVAILABILITY

| Requirement | Implementation |
|---|---|
| Certification | |
| Chain of trust partner agreement | |
| Contingency plan (all listed implementation features must be implemented) | Applications and data criticality analysis; Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision |
| Formal mechanism for processing records | |
| Information access control (all listed implementation features must be implemented) | Access authorization; Access establishment; Access modification |
| Internal audit | |
| Personnel security (all listed implementation features must be implemented) | Assure supervision of maintenance personnel by authorized, knowledgeable person; Maintenance of record of access authorizations; Operating, and in some cases, maintenance personnel have proper access authorization; Personnel clearance procedure; Personnel security policy/procedure; System users, including maintenance personnel, trained in security |
| Security configuration mgmt. (all listed implementation features must be implemented) | Documentation; Hardware/software installation & maintenance review and testing for security features; Inventory; Security testing; Virus checking |
| Security incident procedures (all listed implementation features must be implemented) | Report procedures; Response procedures |
| Security management process (all listed implementation features must be implemented) | Risk analysis; Risk management; Sanction policy; Security policy |
| Termination procedures (all listed implementation features must be implemented) | Combination locks changed; Removal from access lists; Removal of user account(s); Turn in keys, tokens or cards that allow access |
| Training (all listed implementation features must be implemented) | Awareness training for all personnel (including mgmt); Periodic security reminders; User education concerning virus protection; User education in importance of monitoring log-in success/failure, and how to report discrepancies; User education in password management |
PHYSICAL SAFEGUARDS TO GUARD DATA INTEGRITY,
CONFIDENTIALITY, AND AVAILABILITY

| Requirement | Implementation |
|---|---|
| Assigned security responsibility | |
| Media controls (all listed implementation features must be implemented) | Access control; Accountability (tracking mechanism); Data backup; Data storage; Disposal |
| Physical access controls (limited access) (all listed implementation features must be implemented) | Disaster recovery; Emergency mode operation; Equipment control (into and out of site); Facility security plan; Procedures for verifying access authorizations prior to physical access; Maintenance records; Need-to-know procedures for personnel access; Sign-in for visitors and escort, if appropriate; Testing and revision |
| Policy/guideline on work station use | |
| Secure work station location | |
| Security awareness training | |
TECHNICAL SECURITY SERVICES TO GUARD DATA
INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

| Requirement | Implementation |
|---|---|
| Access control (The following implementation feature must be implemented: Procedure for emergency access. In addition, at least one of the following three implementation features must be implemented: Context-based access, Role-based access, User-based access. The use of Encryption is optional.) | Context-based access; Encryption; Procedure for emergency access; Role-based access; User-based access |
| Audit controls | |
| Authorization control (At least one of the listed implementation features must be implemented.) | Role-based access; User-based access |
| Data authentication | |
| Entity authentication (The following implementation features must be implemented: Automatic logoff, Unique user identification. In addition, at least one of the other listed implementation features must be implemented.) | Automatic logoff; Biometric; Password; PIN; Telephone callback; Token; Unique user identification |
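The technical security services matrix names role-based access, unique user identification, automatic logoff and audit controls but does not show how they fit together at the point where an access decision is made. The following Python is an added illustration, not code from the rule or from this page: it assumes a constructed role-to-permission policy, an assumed inactivity limit (the rule names the control but sets no value), and an injectable clock so the idle timeout can be exercised without waiting.

```python
import time
from dataclasses import dataclass

# Constructed role-based policy: role -> the actions that role may perform.
ROLE_PERMISSIONS = {
    "physician": {"read_record", "write_record"},
    "billing": {"read_billing"},
}

# Assumed inactivity limit for automatic logoff; the rule names the control, not a value.
IDLE_TIMEOUT_SECONDS = 600


@dataclass
class Session:
    user_id: str        # unique user identification: one account per person, never shared
    role: str
    last_activity: float


class AccessController:
    """Role-based access decisions with automatic logoff and an audit trail."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock so the timeout can be tested deterministically
        self.sessions = {}
        self.audit_trail = []

    def _audit(self, user_id, action, outcome, reason=""):
        # Every decision, granted or denied, is recorded with who, what, when and why.
        self.audit_trail.append({
            "time": self.now(), "user": user_id, "action": action,
            "outcome": outcome, "reason": reason,
        })

    def login(self, user_id, role):
        self.sessions[user_id] = Session(user_id, role, self.now())
        self._audit(user_id, "login", "granted")

    def authorize(self, user_id, action):
        session = self.sessions.get(user_id)
        if session is None:
            self._audit(user_id, action, "denied", "no active session")
            return False
        if self.now() - session.last_activity > IDLE_TIMEOUT_SECONDS:
            # Automatic logoff: an idle session is terminated before any decision is made.
            del self.sessions[user_id]
            self._audit(user_id, "automatic_logoff", "performed", "idle timeout")
            self._audit(user_id, action, "denied", "session expired")
            return False
        session.last_activity = self.now()
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            self._audit(user_id, action, "denied", "role not permitted")
            return False
        self._audit(user_id, action, "granted")
        return True


def run_demo():
    """Walk one constructed session through the controls; returns (action, outcome) pairs."""
    clock = {"t": 1_000.0}
    ac = AccessController(now=lambda: clock["t"])
    ac.login("dr_smith", "physician")           # constructed user id
    ac.authorize("dr_smith", "read_record")     # permitted by the physician role
    ac.authorize("dr_smith", "read_billing")    # outside the physician role
    clock["t"] += IDLE_TIMEOUT_SECONDS + 1      # let the session go idle
    ac.authorize("dr_smith", "read_record")     # forced automatic logoff, then denied
    ac.authorize("intruder", "read_record")     # no session at all
    return [(e["action"], e["outcome"]) for e in ac.audit_trail]
```

The point worth noticing is that the audit trail is written for denials as well as grants; an audit control that records only successful access cannot show the reviewer the failed attempts the matrix's training row asks users to watch for.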
TECHNICAL SECURITY MECHANISMS TO GUARD
AGAINST UNAUTHORIZED ACCESS TO DATA THAT IS TRANSMITTED OVER A COMMUNICATIONS
NETWORK

| Requirement | Implementation |
|---|---|
| Communications/network controls (If communications or networking is employed, the following implementation features must be implemented: Integrity controls, Message authentication. In addition, one of the following implementation features must be implemented: Access controls, Encryption. In addition, if using a network, the following four implementation features must be implemented: Alarm, Audit trail, Entity authentication, Event reporting.) | Access controls; Alarm; Audit trail; Encryption; Entity authentication; Event reporting; Integrity controls; Message authentication |
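The two features the matrix above makes mandatory whenever data crosses a network, integrity controls and message authentication, are commonly provided together by a keyed message authentication code. The following Python is an added example, not code from the rule or from this page; it uses HMAC-SHA256 from the standard library over a constructed record, with a constructed shared key, a sender identifier and a sequence number that are all assumptions of the example. The rejection reasons it returns are the kind of input the matrix's event reporting and alarm features would consume.

```python
import hashlib
import hmac
import json

# Constructed demonstration key; a real link would provision a secret out of band and rotate it.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def make_envelope(key: bytes, sender_id: str, seq: int, payload: dict) -> dict:
    """Wrap a record for transmission: canonical JSON body plus an HMAC-SHA256 tag.

    The tag covers sender, sequence number and payload, so any change to the
    body (integrity) or a tag computed without the key (authentication) fails.
    """
    body = json.dumps(
        {"sender": sender_id, "seq": seq, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    )
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_envelope(key: bytes, envelope: dict, last_seq: int) -> tuple:
    """Check a received envelope.

    Returns (accepted, reason, new_last_seq). A rejection reason is what the
    receiver would hand to event reporting and alarm handling.
    """
    expected = hmac.new(key, envelope["body"].encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check does not leak timing information.
    if not hmac.compare_digest(expected, envelope["tag"]):
        return (False, "message authentication failed", last_seq)
    msg = json.loads(envelope["body"])
    # A strictly increasing sequence number rejects replayed envelopes that
    # would otherwise carry a perfectly valid tag.
    if msg["seq"] <= last_seq:
        return (False, "replayed or out-of-order message", last_seq)
    return (True, "ok", msg["seq"])


def demo() -> list:
    """Run a constructed sender/receiver exchange; returns the receiver's decisions."""
    results = []
    # Constructed record; the identifiers are placeholders, not real data.
    record = {"patient_ref": "constructed-id-001", "lab": "HbA1c", "value": 6.1}
    env = make_envelope(SHARED_KEY, "clinic-a", 1, record)
    last_seq = 0
    ok, reason, last_seq = verify_envelope(SHARED_KEY, env, last_seq)
    results.append((ok, reason))
    # Integrity failure: an on-path change to the body invalidates the tag.
    tampered = dict(env, body=env["body"].replace("6.1", "9.9"))
    results.append(verify_envelope(SHARED_KEY, tampered, last_seq)[:2])
    # Replay: the untouched first envelope arriving again is rejected by sequence number.
    results.append(verify_envelope(SHARED_KEY, env, last_seq)[:2])
    return results
```

One caveat a practitioner should keep in view: a shared-key MAC proves that a message came from a holder of the key and was not altered, but because both sides hold the same key it cannot prove which of them sent it. That is why the Electronic Signature matrix below lists nonrepudiation as a separate feature and ties it to a digital signature, which uses a private key held by one party only.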
Electronic Signature
Matrix for implementing the Electronic Signature standard:
ELECTRONIC SIGNATURE

| Requirement | Implementation |
|---|---|
| Digital signature (If digital signature is employed, the following three implementation features must be implemented: Message integrity, Nonrepudiation, User authentication. Other implementation features are optional.) | Ability to add attributes; Continuity of signature capability; Countersignatures; Independent verifiability; Interoperability; Message integrity; Multiple signatures; Nonrepudiation; Transportability; User authentication |