HIPAA Security 

Requirements & Standards

A breach of confidentiality can occur and the privacy of an individual may be compromised if security fails.   

HIPAA mandates a set of rules to be implemented by health providers, payers, and government benefit authorities, as well as pharmacy benefit managers, claims processors, and other transaction clearinghouses. The HIPAA security and privacy requirements are separate standards, but they are closely linked: privacy defines what information is covered, and security is the mechanism that protects it.

The privacy standard applies to any individually identifiable health information, whether it is oral or recorded in any form or medium, that is, information that identifies the individual or can be used to identify the individual. This is a significant departure from the draft rules, which covered only electronic information, and it is much broader than the specific transactions defined in the law. As such, it will require a significant change in the way health information is handled, disseminated, communicated, and accessed. The security standard, by contrast, is directed at individual health information that is maintained or transmitted electronically. The electronic signature standard applies only to the transactions adopted under HIPAA; however, none of the HIPAA transactions require electronic signatures at this time.

The security standard was developed with the intent of remaining technologically neutral, in order to facilitate adoption of the latest and most promising developments in evolving technology and to meet the needs of healthcare entities of different size and complexity. As of August 2002, the final rule for the privacy standards has been published, but the security standards are still awaiting finalization (the final rule for the security standards is expected to be released soon). The standard is a compendium of security requirements that must be satisfied. The solution will vary from provider to provider, but each provider must meet the basic requirements. The security standard mandates safeguards for the physical storage and maintenance of, the transmission of, and access to individual health information.
The standard also requires safeguards for data transmitted over a network, such as encryption for Internet use and security mechanisms to guard against unauthorized access to data in transit.

There is often confusion about the difference between privacy, confidentiality and security. In the context of HIPAA, privacy determines who should have access, what constitutes the patient’s rights to confidentiality, and what constitutes inappropriate access to health records. Confidentiality establishes how the records (or the systems that hold those records) should be protected from inappropriate access. Security is the means by which you ensure privacy and confidentiality.

How to Achieve Security  

An incident at the University of Washington Medical Center highlights both the sensitivity of health care data and the vulnerability of health care data systems connected to the Internet to outside threats. A hacker calling himself “Kane” managed to download admission records for four thousand heart patients in June and July 2000. The hospital would have faced stiff penalties had HIPAA been in force at the time.

The risks to a healthcare provider of inadequate computer security include harm to a patient, liability for leaked information, loss of reputation and market share, and public mistrust of the technology. Access to health information must be based on defined “roles” such as primary care physician, nurse, pharmacist or administrator, with each role granted only the access its duties require.

Threats to health information security and privacy include:

  • Intentional misuse by internal personnel
  • Malicious or criminal misuse by internal personnel
  • Unauthorized physical intrusion into the data system by an external person
  • Unauthorized intrusion into the data system by an external person via information networks

HIPAA provides a “common sense” approach to implementing recommended and required security procedures. According to DHHS, however, it is a technology-neutral “floor” of security procedures and controls, and it does not provide explicit security standards for Internet use. The tools and techniques available to protect Web applications include authentication, encryption, smart cards or secure identification cards, and digital signatures.

HIPAA requires that the transmission of health-related information use adequate encryption, authentication or identification of the communicating parties, and an effective password/key management system. Authentication means proving who you are; over the Internet it may involve one or more of the following factors: something you are, something you know, or something you have. Each health care organization is also required to designate someone with responsibility for ensuring that the organization complies with the minimum level of security outlined in the regulations.

HIPAA mandates that security standards must be applied to preserve health information confidentiality and privacy in four main areas:

Administrative Procedures:

  • Certification
  • Chain of Trust Partner Agreements
  • Contingency Plan
  • Formal Mechanism for Processing Records
  • Information Access Control
  • Internal Audit
  • Personnel Security
  • Security Incident Procedures
  • Security Management Process
  • Termination Procedures
  • Training

Physical Safeguards:

  • Assigned Security Responsibility
  • Media Controls
  • Physical Access controls
  • Policy / Guidelines on Workstation Use
  • Secure Workstation Location
  • Security Awareness Training

Technical Security Services:

  • Access Controls
  • Audit Controls
  • Authorization Controls
  • Data Authentication
  • Entity Authentication

Technical Security Mechanism:

  • Communication/Networking Controls
  • Network Controls
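The Technical Security Services above (access controls, authorization controls and audit controls) are easier to reason about when seen working together. The following Python sketch is an added example, not code from the page or from any HIPAA guidance: it grants access to a patient record by role, denies everything not explicitly permitted, returns only the requested section of the record, and writes an audit entry for every decision (granted or denied) without ever logging record contents. The roles are the ones named earlier on the page; the permission sets, the record layout, the user names and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set

# Roles come from the page. Which record sections each role may read or
# write is an assumption made for this example, not a HIPAA-specified mapping.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician":     {"read:demographics", "read:clinical", "write:clinical", "read:medications"},
    "nurse":         {"read:demographics", "read:clinical", "read:medications"},
    "pharmacist":    {"read:demographics", "read:medications"},
    "administrator": {"read:demographics", "read:billing", "write:billing"},
}


@dataclass
class PatientRecord:
    patient_id: str
    sections: Dict[str, dict]   # section name -> data, e.g. "clinical" -> {...}


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user: str
    role: str
    action: str        # "read:clinical", "write:billing", ...
    patient_id: str
    granted: bool


class HealthRecordStore:
    """Deny-by-default access to patient records; every decision is audited."""

    def __init__(self, records: List[PatientRecord]):
        self._records = {r.patient_id: r for r in records}
        self.audit_log: List[AuditEntry] = []

    def _audit(self, user: str, role: str, action: str, patient_id: str, granted: bool) -> None:
        # Record who, what, when and the decision. Record contents are never logged,
        # so the audit trail itself does not become a second copy of the PHI.
        self._audit_append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                      user, role, action, patient_id, granted))

    def _audit_append(self, entry: AuditEntry) -> None:
        self.audit_log.append(entry)

    def _authorize(self, user: str, role: str, action: str, patient_id: str) -> bool:
        # Unknown roles have no permissions, so they are denied like everyone else.
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self._audit(user, role, action, patient_id, allowed)
        return allowed

    def read(self, user: str, role: str, patient_id: str, section: str) -> dict:
        """Return one section of a record, or raise PermissionError."""
        if not self._authorize(user, role, f"read:{section}", patient_id):
            raise PermissionError(f"{role} {user!r} may not read {section} of {patient_id}")
        # Minimum necessary: hand back only the requested section, as a copy.
        return dict(self._records[patient_id].sections[section])

    def write(self, user: str, role: str, patient_id: str, section: str, updates: dict) -> None:
        if not self._authorize(user, role, f"write:{section}", patient_id):
            raise PermissionError(f"{role} {user!r} may not write {section} of {patient_id}")
        self._records[patient_id].sections[section].update(updates)


def denied_attempts(log: List[AuditEntry]) -> Dict[str, int]:
    """Internal-audit helper: number of denied accesses per user."""
    counts: Dict[str, int] = {}
    for entry in log:
        if not entry.granted:
            counts[entry.user] = counts.get(entry.user, 0) + 1
    return counts


def patients_touched(log: List[AuditEntry], user: str) -> Set[str]:
    """Distinct patients a user successfully accessed; a large set for a
    user with no treatment relationship to those patients warrants review."""
    return {e.patient_id for e in log if e.user == user and e.granted}


# Constructed sample data for the example; not real patient information.
SAMPLE_RECORDS = [
    PatientRecord("P-1001", {
        "demographics": {"name": "Sample Patient A", "dob": "1960-01-01"},
        "clinical": {"diagnosis": "hypertension"},
        "medications": {"current": ["lisinopril"]},
        "billing": {"insurer": "Example Health Plan"},
    }),
    PatientRecord("P-1002", {
        "demographics": {"name": "Sample Patient B", "dob": "1975-06-15"},
        "clinical": {"diagnosis": "type 2 diabetes"},
        "medications": {"current": ["metformin"]},
        "billing": {"insurer": "Example Mutual"},
    }),
]


def _attempt(fn: Callable[[], object]) -> str:
    try:
        fn()
        return "granted"
    except PermissionError:
        return "denied"


def demo() -> dict:
    """Exercise the store with a few role/action combinations and return the outcomes."""
    store = HealthRecordStore(SAMPLE_RECORDS)
    out: dict = {}
    out["nurse_clinical"] = store.read("nurse1", "nurse", "P-1001", "clinical")
    out["pharmacist_clinical"] = _attempt(lambda: store.read("pharm1", "pharmacist", "P-1001", "clinical"))
    out["admin_billing_write"] = _attempt(
        lambda: store.write("admin1", "administrator", "P-1002", "billing", {"status": "paid"}))
    out["admin_clinical"] = _attempt(lambda: store.read("admin1", "administrator", "P-1002", "clinical"))
    out["billing_after_write"] = store.read("admin1", "administrator", "P-1002", "billing")
    out["denied_by_user"] = denied_attempts(store.audit_log)
    out["admin_patients"] = patients_touched(store.audit_log, "admin1")
    out["audit_entries"] = len(store.audit_log)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter more than the code itself. First, the decision is logged before the data is touched, so a denied attempt leaves the same kind of trace as a successful one; the Internal Audit item above depends on seeing the failures, not just the successes. Second, the audit entry carries identifiers and actions only, never the clinical content, so the log can be retained and reviewed widely without itself becoming protected health information.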

Requirements for HIPAA Compliance

Due diligence is expected of any business sharing health information, and especially of one using the Web as a communication medium. HIPAA requires that the policies be recorded and audited for compliance. Vendors and outsourcing companies will be required to sign a Chain of Trust or business partner agreement. This protects the health care organization by ensuring that the vendor or subcontractor is complying with the requirements of HIPAA.

We recommend a business impact analysis together with a three-step assessment to determine compliance with HIPAA:

1.   Baseline Assessment: The baseline assessment inventories an organization’s current security environment with respect to policies, processes and technology. This should include a thorough assessment of the information systems that store, transmit or process patient data.

2.   Gap Analysis: The goal of the gap analysis is to compare the current environment with the proposed regulatory one in terms of level of readiness and to determine whether “gaps” exist and how large they are. This should include a detailed listing of the HIPAA security requirements and of those areas in which the organization and its business partners meet or fail to meet them.

3.   Risk Assessment: The risk assessment should address the areas identified in the gap analysis as requiring remediation. It should analyze both likely and unlikely scenarios in terms of their probability of occurrence and their impact on the organization. It is impossible to foresee every possible scenario, but you must still provide contingency planning.

In Summary 

No technology alone will ensure HIPAA compliance. However, HIPAA will certainly require even small provider organizations (e.g. medical groups, small hospitals, long-term care facilities) to use some measure of technology in order to comply.

Whether or not your organization’s current security infrastructure meets the minimum security standards, every organization covered by the standards will need to be able to demonstrate that effective management, operational, and technical controls are in place and that they meet the minimum level.

Increased computerization of medical information requires increased oversight of the policies and procedures that protect the confidentiality of private medical data. Failure to develop, implement, audit, and document information security procedures could have serious consequences, such as penalties, loss of reputation, and loss of patient trust.
