Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act, more commonly referred to by its abbreviation 'HIPAA', contains a section dealing with Administrative Simplification. The Administrative Simplification section deals with the standardization of electronic patient data and with securing that data to ensure patient privacy and confidentiality.

The HIPAA Administrative Simplification section has four parts:

I. Electronic Health Transactions Standards
Details: Proposed Rules I & II
Rule Published: August 17, 2000
Compliance: October 16, 2002

II. Unique Identifiers for Providers, Employers, Health Plans and Patients
Details: Proposed Rules I & II
Rule Published: August 17, 2000
Compliance: October 16, 2002

III. Security And Electronic Signature Standards
Details: Proposed Rule
Rule Published: Expected Oct - Dec, 2002
Compliance: Expected to be 24 months from effective final rule date

IV. Privacy And Confidentiality Standards
Details: Proposed Rule
Amended Final Rule
Rule Published: December 28, 2000
Amendment: August 14, 2002
Compliance: April 14, 2003

Parts III & IV are relevant to information security and will be covered in more detail below.

Security & Electronic Signature Standards
This rule proposes a standard for security of health information. The rule will establish that health plans, health care clearinghouses, and health care providers must have the security standard in place to comply with the statutory requirement that health care information and individually identifiable health care information be protected to ensure privacy and confidentiality when health information is electronically stored, maintained, or transmitted.

Congress mandated a separate standard for electronic signature; therefore, this proposed security standard also addresses the selected standard for electronic signature. The proposed security standard does not require the use of an electronic signature, but specifies the standard that must be followed if such a signature is used. If an entity elects to use an electronic signature, it must comply with the electronic signature standard. The Electronic Signature Requirements/Implementation Matrix is given below.

Security of health information is especially important when health information can be directly linked to an individual. Confidentiality is threatened not only by the risk of improper access to electronically stored information, but also by the risk of interception during electronic transmission of the information.

ANSI's Healthcare Informatics Standards Board (HISB) noted in their report to the Office of the Secretary of the Department of Health and Human Services:

"Comprehensive adoption of security standards in health care, not piecemeal implementation, is advocated to provide security to data that is exchanged between health care entities. By definition, if a system, or communications between two systems, were implemented with technology(s) meeting standards in a general system security framework (Identification and Authentication; Authorization and Access Control; Accountability; Integrity and Availability; Security of Communication; and Security Administration), that system would be essentially secure."

The proposed standard requires that each health care entity engaged in electronic maintenance or transmission of health information assess potential risks and vulnerabilities to the individual health data in its possession in electronic form, and develop, implement, and maintain appropriate security measures. Most importantly, these measures must be documented and kept current. The proposed security standard consists of the requirements that a health care entity must address in order to safeguard the integrity, confidentiality, and availability of its electronic data. It also describes the implementation features that must be present in order to satisfy each requirement.

The proposed security requirements have been divided into the following four categories (the Requirements/Implementation Matrix for each is given under Security Matrixes below):

  • Administrative procedures to guard data integrity, confidentiality, and availability: documented, formal practices to manage the selection and execution of security measures to protect data, and the conduct of personnel in relation to the protection of data.
  • Physical safeguards to guard data integrity, confidentiality, and availability: the protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Physical safeguards also cover the use of locks, keys, and administrative measures used to control access to computer systems and facilities.
  • Technical security services to guard data integrity, confidentiality, and availability: the processes that are put in place to protect, control, and monitor information access.
  • Technical security mechanisms: the processes that are put in place to prevent unauthorized access to data that is transmitted over a communications network.

Privacy And Confidentiality Standards
Individuals who provide information to health care providers and health plans increasingly are concerned about how their information is used within the health care system. Patients want to know that their sensitive information will be protected not only during the course of their treatment but also in the future as that information is maintained and/or transmitted within and outside of the health care system.

Efforts to provide legal protection against the inappropriate use of individually identifiable health information were undertaken primarily by the States, which adopted a number of laws designed to protect patients against the inappropriate use of health information. HIPAA only creates a floor for these regulations; it does not supersede them. For a summary of regulations by state, see the Health Privacy Network's 1999 report "The State of Health Privacy: An Uneven Terrain (A Comprehensive Survey of State Health Privacy Statutes)".

HIPAA Privacy regulations address the following:

  • Allow for the smooth flow of identifiable health information for treatment, payment, and related operations, and for specified additional purposes related to health care that are in the public interest.
  • Prohibit the flow of identifiable information for any additional purposes, unless specifically and voluntarily authorized by the subject of the information.
  • Put in place a set of fair information practices that allow individuals to know who is using their health information, and how it is being used.
  • Establish fair information practices that allow individuals to obtain access to their records and request amendment of inaccurate information.
  • Require persons who hold identifiable health information to safeguard that information from inappropriate use or disclosure.
  • Hold those who use individually identifiable health information accountable for their handling of this information, and to provide legal recourse to persons harmed by misuse.

All healthcare organizations are affected by HIPAA. This includes public health authorities, health plans, life insurers, health care clearinghouses, service organizations, all health care providers (even single-physician offices), employers, schools, and universities. Penalties for noncompliance are severe and include:

  • fines up to $25K for multiple violations of the same standard in a calendar year
  • fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information

Security Matrixes
Matrixes for the four categories of the proposed security rule. Each requirement is listed with its implementation features; where a requirement has several features, the rule governing which of them must be implemented is given in parentheses.

ADMINISTRATIVE PROCEDURES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

Certification
Chain of trust partner agreement
Contingency plan (all listed implementation features must be implemented):
  • Applications and data criticality analysis
  • Data backup plan
  • Disaster recovery plan
  • Emergency mode operation plan
  • Testing and revision
Formal mechanism for processing records
Information access control (all listed implementation features must be implemented):
  • Access authorization
  • Access establishment
  • Access modification
Internal audit
Personnel security (all listed implementation features must be implemented):
  • Assure supervision of maintenance personnel by an authorized, knowledgeable person
  • Maintenance of a record of access authorizations
  • Operating, and in some cases maintenance, personnel have proper access authorization
  • Personnel clearance procedure
  • Personnel security policy/procedure
  • System users, including maintenance personnel, trained in security
Security configuration management (all listed implementation features must be implemented):
  • Documentation
  • Hardware/software installation and maintenance review and testing for security features
  • Inventory
  • Security testing
  • Virus checking
Security incident procedures (all listed implementation features must be implemented):
  • Report procedures
  • Response procedures
Security management process (all listed implementation features must be implemented):
  • Risk analysis
  • Risk management
  • Sanction policy
  • Security policy
Termination procedures (all listed implementation features must be implemented):
  • Combination locks changed
  • Removal from access lists
  • Removal of user account(s)
  • Turn in keys, tokens, or cards that allow access
Training (all listed implementation features must be implemented):
  • Awareness training for all personnel (including management)
  • Periodic security reminders
  • User education concerning virus protection
  • User education in the importance of monitoring log-in success/failure, and how to report discrepancies
  • User education in password management


PHYSICAL SAFEGUARDS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

Assigned security responsibility
Media controls (all listed implementation features must be implemented):
  • Access control
  • Accountability (tracking mechanism)
  • Data backup
  • Data storage
  • Disposal
Physical access controls (limited access) (all listed implementation features must be implemented):
  • Disaster recovery
  • Emergency mode operation
  • Equipment control (into and out of site)
  • Facility security plan
  • Procedures for verifying access authorizations prior to physical access
  • Maintenance records
  • Need-to-know procedures for personnel access
  • Sign-in for visitors and escort, if appropriate
  • Testing and revision
Policy/guideline on workstation use
Secure workstation location
Security awareness training


TECHNICAL SECURITY SERVICES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

Access control (the following implementation feature must be implemented: Procedure for emergency access. In addition, at least one of the following three implementation features must be implemented: Context-based access, Role-based access, User-based access. The use of Encryption is optional):
  • Context-based access
  • Encryption
  • Procedure for emergency access
  • Role-based access
  • User-based access
Audit controls
Authorization control (at least one of the listed implementation features must be implemented):
  • Role-based access
  • User-based access
Data authentication
Entity authentication (the following implementation features must be implemented: Automatic logoff, Unique user identification. In addition, at least one of the other listed implementation features must be implemented):
  • Automatic logoff
  • Biometric
  • Password
  • PIN
  • Telephone callback
  • Token
  • Unique user identification


TECHNICAL SECURITY MECHANISMS TO GUARD AGAINST UNAUTHORIZED ACCESS TO DATA THAT IS TRANSMITTED OVER A COMMUNICATIONS NETWORK

Communications/network controls (if communications or networking is employed, the following implementation features must be implemented: Integrity controls, Message authentication. In addition, one of the following implementation features must be implemented: Access controls, Encryption. In addition, if using a network, the following four implementation features must be implemented: Alarm, Audit trail, Entity authentication, Event reporting):
  • Access controls
  • Alarm
  • Audit trail
  • Encryption
  • Entity authentication
  • Event reporting
  • Integrity controls
  • Message authentication
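The two technical matrices above are not flat checklists: some features are mandatory, some form at-least-one-of groups, and four more become mandatory only when a network is in use. As an added example (not from this page, HHS, or the rule itself), the following gap check encodes exactly that conditional structure using the feature names the matrices use; the profile it scores is constructed for a hypothetical system.

```python
# Added gap check against the HIPAA proposed-rule matrices above (not an HHS tool).
# Feature names are the page's own; the sample profile below is constructed.
RULES = {
    "Access control": {
        "required": {"Procedure for emergency access"},
        "one_of": {"Context-based access", "Role-based access", "User-based access"},
    },
    "Authorization control": {
        "required": set(),
        "one_of": {"Role-based access", "User-based access"},
    },
    "Entity authentication": {
        "required": {"Automatic logoff", "Unique user identification"},
        "one_of": {"Biometric", "Password", "PIN", "Telephone callback", "Token"},
    },
}

def check_requirement(name, implemented):
    """Gaps for one technical-services requirement; an empty list means satisfied."""
    rule, have = RULES[name], set(implemented)
    gaps = [f"{name}: missing required feature '{f}'" for f in sorted(rule["required"] - have)]
    if rule["one_of"] and not (rule["one_of"] & have):
        gaps.append(f"{name}: need at least one of {sorted(rule['one_of'])}")
    return gaps

def check_network_controls(implemented, uses_network=True):
    """Integrity and message authentication always; access controls or encryption; four more on a network."""
    have, prefix = set(implemented), "Communications/network controls"
    gaps = [f"{prefix}: missing '{f}'" for f in sorted({"Integrity controls", "Message authentication"} - have)]
    if not ({"Access controls", "Encryption"} & have):
        gaps.append(f"{prefix}: need Access controls or Encryption")
    if uses_network:
        needed = {"Alarm", "Audit trail", "Entity authentication", "Event reporting"}
        gaps += [f"{prefix}: missing '{f}' (network in use)" for f in sorted(needed - have)]
    return gaps

def assess(profile, uses_network=True):
    """profile maps requirement name -> implemented feature names; returns every gap found."""
    gaps = [g for name in RULES for g in check_requirement(name, profile.get(name, ()))]
    return gaps + check_network_controls(profile.get("Communications/network controls", ()), uses_network)

# Constructed profile for a hypothetical system: it lacks automatic logoff and two network features.
SAMPLE_PROFILE = {
    "Access control": ["Procedure for emergency access", "Role-based access", "Encryption"],
    "Authorization control": ["Role-based access"],
    "Entity authentication": ["Unique user identification", "Password"],
    "Communications/network controls": ["Integrity controls", "Message authentication",
                                        "Encryption", "Audit trail", "Entity authentication"],
}
```

Running `assess(SAMPLE_PROFILE)` reports three gaps: the missing Automatic logoff and, because a network is in use, the missing Alarm and Event reporting features.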


Electronic Signature
Matrix for implementing the Electronic Signature standard:

ELECTRONIC SIGNATURE

Digital signature (if digital signature is employed, the following three implementation features must be implemented: Message integrity, Nonrepudiation, User authentication. Other implementation features are optional):
  • Ability to add attributes
  • Continuity of signature capability
  • Countersignatures
  • Independent verifiability
  • Interoperability
  • Message integrity
  • Multiple signatures
  • Nonrepudiation
  • Transportability
  • User authentication