In the 5th century BC, what was either seen or heard in the course of medical treatment was considered a secret. Today, these secrets are called IIHI, for individually identifiable health information, but the idea remains the same. HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the 21st-century equivalent of the Hippocratic oath, but with a consumer twist. Patients now have the right to control the circumstances under which they disclose their own IIHI. Patient privacy is one of four parts covered in HIPAA’s Administrative Simplification provision, which addresses various informatics standards to protect IIHI. (For an excellent overview of HIPAA, see Solomon Appavu’s article in the Spring 2001 issue of Decisions in Axis Imaging News.)
The aim of Administrative Simplification is to streamline the exchange of information between (1) health care plans, (2) health care providers, and (3) health care clearinghouses. These three groups are called covered entities under HIPAA; all must ensure the privacy and security of an individual’s health information. Broadly speaking, HIPAA Security refers to the technical means by which entities protect health care information; HIPAA Privacy refers to the patient’s right to protect the disclosure of his or her health care information, including all paper, oral, and electronic communications.
The changes mandated under HIPAA were designed to improve the efficiency of the US health care system, reduce costs, and protect privacy. Although HIPAA Privacy became a final rule earlier this year, HIPAA Security has yet to be finalized. In general, most covered entities have about two years to comply with a final ruling. HIPAA Privacy will become effective for most covered entities in mid-2003.
Under HIPAA, vendors are covered indirectly as business associates: entities that receive transmitted information to assist or perform activities or services for the covered entity, such as a hospital or imaging center. Amazingly, some large covered entities are projected to have in excess of 500 business associates. Business associates will convey HIPAA compliance to covered entities through a chain-of-trust agreement, which is a written contract between vendor and customer. The agreement demonstrates how the vendor will provide adequate protection and limitations on the use and disclosure of IIHI, as well as the technical means to ensure its security. Although covered entities and some business associates must comply with all Administrative Simplification provisions, we will focus on how HIPAA Security and HIPAA Privacy standards are affecting vendors today.
Incidentally, civil monetary and criminal penalties have been set forth within the act for violation of standards and for knowing misuse of IIHI, including fines of up to $250,000 and/or imprisonment of not more than 10 years.
No Security, No Privacy
Consider this scenario: You write a love letter at work and put it in your back pocket to mail from home the next day. As you leave the office, your letter drops on the ground in the parking lot without your knowledge. Of course, by the time you retrace your steps it is long gone. The next day, everyone in your office knows you are an unabashed romantic, which may or may not be important to you. What is important is that the transport of your letter was not very secure, and as a result your boss now wants to have a chat with you. When someone else discovered your letter and read it to your coworkers, your privacy was compromised. With adequate security, your privacy is safeguarded. So it is with HIPAA.
Many say that HIPAA compliance is 75% administrative and 25% technical. Privacy concerns are mostly administrative and are addressed through documents such as consent forms and patients’ rights statements. The administrative remainder involves auditing overall compliance, both within your facility and between business associates.
The technical part is where most vendors are focused. HIPAA’s technical security requirements are designed to create what some have called “secure enclaves” or “trusted computing environments” built on three key elements: confidentiality, integrity and availability. Fortunately, HIPAA-compliant products are emerging to meet these key technical challenges.
Is Your Vendor Ready?
Like many health care organizations, vendors are beginning to awaken to upcoming HIPAA deadlines. If a product you use needs to comply with the final rules for transaction standards and code sets, you have about 1 year before that compliance is mandatory. Similarly, HIPAA Privacy will become effective mid-2003. Note that HIPAA Security is still in draft form, although a final ruling is expected later this year.
At this time, most vendors will be caught off guard if you ask the following questions:
1. Do you have an alliance or partnership with an experienced security services company?
2. Can your security partner assist with my security program?
3. Have you conducted a gap analysis on your products?
   a. Where are you in your
   b. When do you expect to achieve
   c. How do you plan to show
4. Do you have a chain-of-trust agreement?
   a. Does it explain how you will maintain the privacy of IIHI under our control?
The idea is not to embarrass your vendors (too much), but to help them realize the importance of developing solutions that are HIPAA-compliant now.
A Closer Look at HIPAA
The Administrative Simplification provisions have four sections that cover various informatics standards:
• Standard Code Sets and Electronic Transactions: provide for standards governing the electronic transmission of specified administrative and financial transactions
• Unique Identifiers: refer to standards for national unique identifiers of health plans, health care providers, employers, payors, and individuals (at a later date)
• Security and Electronic Signature Standards: ensure the confidentiality, integrity, and availability of electronically transmitted and maintained health care information
• Privacy Standards: ensure the confidentiality of health care information through rules governing how the information can be used and disclosed.
Some vendors (primarily radiology information system vendors) are concerned with standard code sets and unique identifiers, as they generate much of the information used downstream by other applications. Other vendors are primarily concerned with the technical means by which they ensure the privacy of their customer’s IIHI.
Within HIPAA Security there are categories that refer to administrative procedures, physical safeguards, and electronic signature standards. Administrative procedures and physical safeguards refer to activities such as user credentialing, chain-of-trust partner identification, contingency and disaster recovery, and training, as well as media and physical access controls. The use of electronic signatures is optional and may be combined with other Federal legislation. The implementation of these requirements is left as an exercise for the administrator or provider, although many security services firms have expertise to help with these areas.
By focusing on the areas of HIPAA Security most often addressed by vendors, the essence of HIPAA Security can be distilled into four areas: Login Security, Access Security, Network Security, and Audit Security. As an example, the distribution of images and related information from a hospital to an Internet-based Web browser will help us understand the potential impact of HIPAA Security on health care organizations. (Note that the final rule for HIPAA Security has not been announced; this information is based on draft security recommendations.)
1. Login Security. The HIPAA term for this is “entity authentication,” which is designed to prevent the improper identification of a person who is accessing IIHI. The minimum requirement is unique username/password identification; gone are the days when everyone logged on with the same user name and the password was written on a sticky note tacked to the monitor.
2. Access Security. HIPAA calls this “authorization and access control,” which refers to restrictions in the use and disclosure of information to the “minimum necessary” to perform your job function. At eMed, we use role-based access to control information access; other forms are possible. eMed also creates a powerful “patient-physician association” by automatically limiting the distribution of information to “interested parties” defined within the system.
3. Network Security. HIPAA’s terms are “data encryption, authentication, and integrity,” which refer to the requirement to use encryption when sending IIHI over public networks. Authentication refers to the trust relationship established between the Web client and Web server, and integrity ensures that IIHI was not tampered with during transmission.
4. Audit Security. HIPAA calls this “transaction reporting and logging,” which refers to system logs that record who looked at which information, and when. In case of a breach, a comprehensive log is important to determine the scope of the disclosure and the appropriate corrective actions.
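As an added illustration of these four areas applied to the Web-distribution scenario above (example code written for this page, not eMed’s product or text from the draft rule), the following Python sketches a study-viewing call that enforces per-user authentication, role-based “minimum necessary” field filtering, an interested-party check standing in for the patient-physician association, and an audit record for every attempt, allowed or denied. The role names, field names, user accounts and the study record are constructed for the example; transport encryption (the Network Security area) is assumed to be provided by TLS at the Web server and is not shown.

```python
"""Toy HIPAA-style access path for an image-distribution service.
Constructed example, not eMed's code; roles, fields and data are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Access security: the minimum-necessary field set each (assumed) role may see.
ROLE_FIELDS = {
    "radiologist": {"patient_id", "patient_name", "images", "report"},
    "referring_physician": {"patient_id", "patient_name", "images", "report"},
    "billing_clerk": {"patient_id", "patient_name", "procedure_code"},
}


@dataclass
class User:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Study:
    study_id: str
    interested_parties: set   # usernames associated with this patient's care
    record: dict              # every IIHI field held for the study


def make_user(username, role, password):
    """Login security: one account per person, password kept as a salted PBKDF2 hash."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return User(username, role, salt, pw_hash)


def authenticate(users, username, password):
    """Entity authentication; constant-time compare so a wrong guess leaks nothing by timing."""
    user = users.get(username)
    if user is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 200_000)
    return user if hmac.compare_digest(digest, user.pw_hash) else None


AUDIT_LOG = []  # audit security: who, what, when, and the outcome


def audit(actor, action, study_id, outcome):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "study": study_id,
        "outcome": outcome,
    })


def view_study(users, studies, username, password, study_id):
    """Return only the fields this user may see, or raise PermissionError.
    Every attempt, successful or not, lands in AUDIT_LOG."""
    user = authenticate(users, username, password)
    if user is None:
        audit(username, "view", study_id, "denied: authentication failed")
        raise PermissionError("authentication failed")
    study = studies.get(study_id)
    # Patient-physician association: only interested parties may receive the study at all.
    if study is None or username not in study.interested_parties:
        audit(username, "view", study_id, "denied: not an interested party")
        raise PermissionError("not an interested party for this study")
    allowed = ROLE_FIELDS.get(user.role, set())
    disclosed = {k: v for k, v in study.record.items() if k in allowed}
    audit(username, "view", study_id, "allowed: " + ",".join(sorted(disclosed)))
    return disclosed


def sample_environment():
    """Constructed users and one constructed study (no real patients or staff)."""
    users = {
        "dr_reader": make_user("dr_reader", "radiologist", "correct horse battery"),
        "dr_other": make_user("dr_other", "referring_physician", "another passphrase"),
        "clerk1": make_user("clerk1", "billing_clerk", "clerk passphrase"),
    }
    studies = {
        "ST-0001": Study("ST-0001", {"dr_reader", "clerk1"}, {
            "patient_id": "P-12345",
            "patient_name": "Sample Patient",
            "images": ["img1.dcm", "img2.dcm"],
            "report": "No acute findings.",
            "procedure_code": "CODE-PLACEHOLDER",
        }),
    }
    return users, studies
```

The two checks are deliberately ordered: the interested-party test runs before the role filter, so a physician with a broad role but no relationship to the patient is refused outright rather than handed a trimmed record, and the denial is logged with its reason so an auditor can later distinguish a bad password from an attempted out-of-scope lookup.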
Building a Program
HIPAA outlines a methodology by which organizations must document their compliance activities. Health care organizations must justify their decisions and selections through adequate documentation; audits will be conducted against this documentation to determine an organization’s degree of compliance.
Roughly speaking, the three necessary steps to achieve compliance in security and privacy are: baseline assessment, gap analysis, and implementation. To develop appropriate security measures, use privacy terms to drive your security requirements.
1. Baseline assessment. Identify where you are. At this point, you are chiefly concerned with identifying policies, procedures, and systems that contain IIHI. You determine vulnerabilities and assign risk. You also need a vision of where you want to be: While HIPAA mandates minimum necessary standards, each organization must decide if the minimum is good enough. Your privacy vision forms the basis of your revised consent form and patients’ rights document.
2. Gap analysis. Next, you need to map the differences in current practices against the vision you previously described. You begin to plan for process changes that will occur in the next phase.
3. Implementation. Create the plan to get there. Here is where you develop information security practices that align with your privacy vision. A tactical plan is next, showing a timeline with project sponsors and deliverables. Developing the tactical plan includes a risk analysis to identify problem areas, as well as a cost/benefit analysis to mitigate identified risks. For example, the probability that a tank will storm into the emergency department is low, but the probability that a data center in the Midwest may be hit by a tornado is higher. Create a recovery plan for your data center.
For radiology practice groups, organizations like the Radiology Business Management Association and the Healthcare Information and Management Systems Society have resources to help you develop HIPAA-compliant security and privacy programs. Larger organizations should consider hiring a security services firm to assist with HIPAA compliance planning or auditing. Guardent, a digital security services firm in Waltham, Mass, helped eMed with its HIPAA compliance issues. Even if you develop and audit your own compliance programs, a second opinion is always helpful.
The HIPAA Security and Privacy standards set the minimum level of security for individually identifiable health information maintained in or transmitted by health care organizations. The security standards do not break new ground, and implement what can be found in existing standards of good practice. Implementing HIPAA requires time, management attention, and resources as it affects all facets of business from policies and procedures to operations, products and services, human resources, legal, physical security, business partners, and risk management. Selecting HIPAA-savvy vendors that have adopted best security and privacy practices in their products will help you meet your HIPAA compliance goals, ultimately enhancing the trust relationship between health care providers and patients.
Appavu S. Navigating HIPAA challenges. Decisions in Axis Imaging News. 2001;14(3):23, 47-48.
Kelly Pickard is director, strategic technology, and chief security officer, eMed Technologies, Lexington, Mass.