HIPAA compliance requires special focus and effort, as failure to comply carries significant risk of damage and penalties. A practice with multiple separate systems for patient scheduling, electronic medical records, and billing requires multiple separate HIPAA management efforts. This article presents an integrated approach to HIPAA compliance and outlines key HIPAA terminology, principles, and requirements to help the practice owner ensure HIPAA compliance by medical billing service and software vendors.

The last decade of the previous century witnessed accelerating proliferation of digital technology in health care, which, along with reduced costs and greater service quality, introduced new and greater risks of accidental disclosure of personal health information.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by Congress to establish national standards for privacy and security of personal health data. The Privacy Rule, written by the US Department of Health and Human Services, took effect on April 14, 2003. Failure to comply with HIPAA risks accreditation and reputation damage, lawsuits by the federal government, financial penalties ranging from $100 to $250,000, and imprisonment ranging from one year to ten years.

Protected Health Information (PHI)

The key term of HIPAA is Protected Health Information (PHI), which includes anything that can be used to identify an individual and any information shared with other health care providers or clearinghouses in any media (digital, verbal, recorded voice, faxed, printed, or written). Information that can be used to identify an individual includes:

1. Name
2. Dates (except year)
3. Zip code of more than 3 digits, telephone and fax numbers, email
4. Social security numbers
5. Medical record numbers
6. Health plan numbers
7. License numbers
8. Photographs

Information shared with other healthcare providers or clearinghouses includes:

1. Nursing and physician notes
2. Billing and other treatment records

Principles of HIPAA

HIPAA intends to allow smooth flow of PHI for healthcare operations, subject to the patient's consent, but prohibits any flow of unauthorized PHI for any other purpose. Healthcare operations include treatment, payment, care quality assessment, competence review training, accreditation, insurance rating, auditing, and legal procedures.

HIPAA promotes fair information practices and requires those with access to PHI to safeguard it. Fair information practices means that a subject must be allowed

1. Access to PHI,
2. Correction for errors and completeness, and
3. Knowledge of others who use PHI

Safeguarding of PHI means that the persons who hold PHI must

1. Be accountable for their own use and disclosure
2. Have a legal recourse to combat violations

HIPAA Implementation Process

HIPAA implementation begins upon making assumptions about the PHI disclosure threat model. The implementation includes both pre-emptive and retroactive controls and involves process, technology, and personnel aspects.

A threat model helps in understanding the purpose of the HIPAA implementation process. It includes assumptions about

1. Threat nature (accidental disclosure by insiders? access for profit?),
2. Source of threat (outsider or insider?),
3. Means of potential threat (break-in, physical intrusion, computer hack, virus?),
4. Specific kind of data at risk (patient identification, financials, medical?), and
5. Scale (how many patient records are threatened?).

The HIPAA process must include clearly stated policy, educational materials and events, clear enforcement means, a schedule for testing of HIPAA compliance, and means for continued transparency about HIPAA compliance. Stated policy typically includes a statement of least privilege data access to complete the job, a definition of PHI, and incident monitoring and reporting procedures. Educational materials may include case studies, control questions, and a schedule of review seminars for personnel.

Technology Requirements for HIPAA Compliance

Technology implementation of HIPAA proceeds in stages from logical data definition to physical data center to network.

To assure physical data center security, the manager must

1. Lock the data center
2. Manage the access list
3. Track data center access with closed circuit TV cameras to monitor both internal and external building activities
4. Protect access to the data center with 24 x 7 onsite security
5. Protect backup data
6. Test the recovery procedure

For network security, the data center must have special facilities for

1. Secure networking - firewall protection, encrypted data transfer only
2. Network access monitoring and report auditing

For data security, the manager must have

1. Individual authentication - individual logins and passwords
2. Role Based Access Control (see below)
3. Audit trails - all access to all data fields tracked and recorded
4. Data discipline - limited ability to download data

Role Based Access Control (RBAC)

RBAC improves the convenience and flexibility of systems management. Greater convenience helps reduce the errors of commission and omission in granting access privileges to users. Greater flexibility helps implement the policy of least privilege, where users are granted only as much privilege as is required to complete their job.

RBAC promotes economies of scale, because the frequency of changes of role definition for a single user is higher than the frequency of changes of role definitions across the entire organization. Thus, to make a massive change of privileges for a large number of users with the same set of privileges, the administrator only makes changes to the role definition.

Hierarchical RBAC further promotes economies of scale and reduces the likelihood of errors. It allows redefining roles by inheriting privileges assigned to roles at the higher hierarchical level.

RBAC is based on establishing a set of user profiles, or roles, according to responsibilities. Each role has a predefined set of privileges. The user acquires privileges by receiving membership in the role or assignment of a profile by the administrator.

Every time the definition of the role changes along with the set of privileges required to complete the job associated with the role, the administrator needs only to redefine the privileges of the role. The privileges of all of the users that have this role are redefined automatically.

Similarly, if the role of a single user is changed, the only operation that needs to be performed is the reassignment of the user profile, which redefines the user's access privileges automatically according to the new profile.

Summary

HIPAA compliance requires special practice management attention. A practice with multiple separate systems for scheduling, electronic medical records, and billing requires multiple separate HIPAA management efforts. An integrated system reduces the complexity of HIPAA implementation. By outsourcing technology to a HIPAA-compliant vendor of a vericle-like technology solution on an ASP or SaaS basis, HIPAA management overhead can be eliminated (see companion papers on ASP and SaaS for medical billing).
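The following is an added example, not part of the original article, showing in code the hierarchical RBAC and audit-trail behaviour described in the Technology Requirements and RBAC sections: role redefinition propagating to every user holding the role, user reassignment as a single operation, least-privilege denial, and every PHI field access decision recorded. The role names, user names and PHI field names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Role:
    privileges: set                               # (phi_field, action) pairs granted directly
    inherits: list = field(default_factory=list)  # roles whose privileges this role inherits

class PhiRbac:
    def __init__(self):
        self.roles, self.users, self.audit = {}, {}, []

    def define_role(self, name, privileges, inherits=()):
        # Redefining a role changes the privileges of every user holding it at once.
        self.roles[name] = Role(set(privileges), list(inherits))

    def assign(self, user, role):
        # A change of job is one reassignment, not a privilege-by-privilege edit.
        self.users[user] = role

    def effective(self, role, seen=None):
        # Flatten the hierarchy; `seen` guards against cycles in role definitions.
        seen = set() if seen is None else seen
        if role in seen or role not in self.roles:
            return set()
        seen.add(role)
        privs = set(self.roles[role].privileges)
        for parent in self.roles[role].inherits:
            privs |= self.effective(parent, seen)
        return privs

    def access(self, user, phi_field, action):
        # Every decision, allowed or denied, is recorded: the audit-trail requirement.
        role = self.users.get(user)
        allowed = (phi_field, action) in self.effective(role)
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, role, phi_field, action, allowed))
        return allowed

def build_demo():
    # Constructed sample practice; role names, users and PHI field names are hypothetical.
    rbac = PhiRbac()
    rbac.define_role("front_desk", {("schedule", "read"), ("schedule", "write")})
    rbac.define_role("billing", {("billing_record", "read"), ("billing_record", "write")}, inherits=["front_desk"])
    rbac.define_role("physician", {("physician_notes", "read"), ("physician_notes", "write")}, inherits=["front_desk"])
    rbac.assign("alice", "billing")
    rbac.assign("bob", "front_desk")
    return rbac
```

An unknown user, or a user whose role has been deleted, resolves to an empty privilege set and is denied, and that denial still lands in the audit trail.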