Transcript of HIPAA, Computer Security, and Domino/Notes, Chuck Connell, www.chc-3.com

Page 1:

HIPAA, Computer Security, and Domino/Notes

Chuck Connell, www.chc-3.com

Page 2:

What is HIPAA?

Health Insurance Portability and Accountability Act of 1996.

Large far-reaching health-care law from federal government.

Five main sections, which take effect on different dates.

www.cms.hhs.gov/hipaa/

Page 3:

So What? (There are lots of big federal laws.)

Healthcare is a $1.3T industry in the US, covering 14% of GNP.

It is one of the few growth sectors in the economy lately.

It is the only growth sector in the computer business over the last couple of years.

It is likely that you or your business will be affected by HIPAA in some way.

– Who has run into this already?

Page 4:

Five Sections of HIPAA

Title I, Insurance Reform (in effect now)

Title II, Administrative Simplification

– Privacy (April 2003)
– Transactions and Code Sets (October 2003)
– Identifiers (July 2004)
– Computer Security (April 2005)

Small organizations have an extra year. (These dates are a summary.)

Page 5:

Insurance Reform

Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.

Largely eliminates problems with “pre-existing conditions”.

The greatest benefit of HIPAA for consumers.

Page 6:

Privacy

Defines who can see your medical information and how it can be used.

In general, the rules make sense, and are what you want.

– Examples: Information can always be shared when medically necessary. Staff cannot shout your diagnosis across the waiting room.

You received "privacy notices" from your doctors last spring, for compliance with this privacy regulation.

But there are many gray areas.

– Should a hospital tell a caller that you are there?
– Should the hospital accept flowers for you if you are there?

Page 7:

Transactions and Code Sets

There were many incompatible formats for the transmission and coding of medical information.

– Organizations could not communicate electronically, because they could not agree on a file format.
– A medical procedure might be known as A101 to one insurance company, but 55b to another.

HIPAA mandated standard medical codes, file formats, and electronic processing.

IT impact; all of this is computerized.

Deadline just occurred: October 2003.

– Extended because the medical business was about to fall apart due to non-readiness.

Page 8:

Identifiers

A common standard for unambiguous identification of entities involved in healthcare.

Solves problem of Dr. Feelgood being known as provider XC-546-T3 to Blue Cross, but 12387624 to Tufts.

IT impact; much of this is computerized.

Deadline next summer: July 2004.

(Unique identification of individuals was dropped due to political pressure.)

Page 9:

Questions?

Page 10:

Computer Security

Five sub-sections

– Administrative
– Physical
– Organizational
– Policies, Procedures, Documentation
– Technical

April 2005 deadline

Page 11:

Security, Administrative

Risk analysis and risk management

Identify a responsible individual

User authorization / termination procedures

Virus protection

Log-in monitoring, threat reporting

Backup and disaster plan

More…

Page 12:

Security, Physical

Building security plan

Building access control and monitoring

Physical safeguard of workstations

Policy and procedures for workstations and work areas

Storage of backup media

Re-use and disposal of media

More…

Page 13:

Security, Organizational

Contracts between a healthcare organization and its business partners (the regulation's term is "business associate") must reflect these rules.

– Example: offsite backup company
– But, who is a business partner (window washer??)

Group health plan documents must show they are following HIPAA rules

Page 14:

Security, Policies & Docs

Documentation of the security policies

Modification, retention, and availability of these documents

Page 15:

Security, Technical

1. Access Controls / Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.

2. Access Controls / Emergency Access: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

3. Access Controls / Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Page 16:

Security, Technical (2)

4. Access Controls / Data Encryption: Implement a mechanism to encrypt and decrypt electronic protected health information.

5. Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

6. Data Integrity: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Page 17:

Security, Technical (3)

7. Person and Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

8. Transmission Security / Integrity: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

9. Transmission Security / Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Page 18:

General observations

The HIPAA security rules give wide latitude for implementation.

– They never say S/MIME or two-factor or password expiration.
– This is by design, based on objections to early drafts.

Some items are required and some are addressable.

– Definitions: a required item must be implemented as written. An addressable item must be implemented if it is reasonable and appropriate for the organization; if it is not, the organization must document why and implement an equivalent alternative measure where that is reasonable and appropriate.
– You will hear a lot of talk about this.

Domino/Notes can meet all of the HIPAA security rules.

Page 19:

HIPAA and Notes/Domino

1. Notes ID files and Internet accounts in the NAB (the Domino Directory) provide unique identification of each person.

Do not assign shared generic IDs (such as AcctPayable); activity under a shared ID cannot be traced to one person, which defeats the audit trail.

2. Security rules should not get in the way of patient care.

Need a way to get around security restrictions for good medical care, without losing the audit trail of who did it and why. Domino/Notes can accomplish this in several ways. (Ideas??)

3. Auto logoff is built into the Notes security preferences (the Notes ID is locked after a set period of inactivity).
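As an added example (not from the slides, and not Domino's own mechanism), here is one way to model items 1 through 3 together in Python: an access gate that refuses shared generic IDs, enforces an inactivity timeout, grants normal access by a treating relationship, and allows a "break glass" emergency override only when the user supplies a reason, with every decision (granted or denied) written to an audit record that a privacy or security officer can review afterwards. The treating-relationship table, the 15-minute limit, the shared-ID list, the outcome labels and all names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: the auto-logoff interval; the slides give no number.
INACTIVITY_LIMIT = timedelta(minutes=15)

# Generic accounts that must never read patient data (illustrative list).
SHARED_IDS = {"AcctPayable", "NursingStation", "Anonymous"}


@dataclass
class Session:
    user: str                  # one person's ID, e.g. "Jane Doe/Clinic"
    last_activity: datetime


@dataclass
class AccessGate:
    # Constructed treating-relationship table: user -> patient IDs they may read.
    treating: dict
    audit: list = field(default_factory=list)

    def _log(self, user, patient, outcome, reason, emergency):
        entry = {"user": user, "patient": patient, "outcome": outcome,
                 "reason": reason, "emergency": emergency}
        self.audit.append(entry)   # every decision is recorded, not only grants
        return entry

    def request_chart(self, session, patient, now, reason=None, emergency=False):
        """Decide whether session.user may read patient's chart at time `now`.

        Returns (granted, audit_entry). The order of checks matters: a shared
        ID is rejected first because its activity could not be traced to one
        person, and an idle session is logged off before any grant.
        """
        user = session.user
        if user in SHARED_IDS:
            return False, self._log(user, patient, "DENIED_SHARED_ID", reason, emergency)
        if now - session.last_activity > INACTIVITY_LIMIT:
            return False, self._log(user, patient, "DENIED_AUTO_LOGOFF", reason, emergency)
        session.last_activity = now
        if patient in self.treating.get(user, set()):
            return True, self._log(user, patient, "GRANTED", reason, emergency)
        if emergency and reason:
            # Break glass: grant now, but flag the record for after-the-fact review.
            return True, self._log(user, patient, "GRANTED_BREAK_GLASS", reason, True)
        return False, self._log(user, patient, "DENIED_NO_RELATIONSHIP", reason, emergency)

    def review_queue(self):
        """Break-glass grants awaiting review by the privacy/security officer."""
        return [e for e in self.audit if e["outcome"] == "GRANTED_BREAK_GLASS"]


def run_scenario():
    """Exercise the gate on constructed data; returns (outcomes, gate)."""
    now = datetime(2004, 1, 15, 9, 0)
    gate = AccessGate(treating={"Jane Doe/Clinic": {"P-100"}})
    jane = Session("Jane Doe/Clinic", now)
    idle = Session("Jane Doe/Clinic", now - timedelta(minutes=30))
    shared = Session("AcctPayable", now)
    requests = [
        (jane, "P-100", {}),                                  # her own patient
        (jane, "P-200", {}),                                  # not her patient
        (jane, "P-200", {"emergency": True}),                 # emergency, no reason given
        (jane, "P-200", {"emergency": True, "reason": "ER, patient unconscious"}),
        (shared, "P-100", {}),                                # generic account
        (idle, "P-100", {}),                                  # timed-out session
    ]
    outcomes = [gate.request_chart(s, p, now, **kw)[1]["outcome"] for s, p, kw in requests]
    return outcomes, gate


if __name__ == "__main__":
    outcomes, gate = run_scenario()
    for outcome in outcomes:
        print(outcome)
    print("for review:", gate.review_queue())
```

The point of the design is that the emergency path is not a bypass of security but a different policy with a stronger audit requirement: the reason is mandatory, the record is flagged, and nothing about unique identification or auto-logoff is relaxed for it.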

Page 20:

HIPAA and Notes/Domino (2)

4. Data encryption via encrypted fields or local database encryption.

5. Audit trails via the server log, web log, database user activity, transaction logging, event records, and 3rd-party products.

6. Data integrity via Notes digital signatures (a signed field or document detects later alteration), together with other methods. Encryption by itself protects confidentiality; it does not by itself prove that data has not been altered.
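As an added example (not from the slides, not the author's HIPAA Audit Database, and not Domino's own code), here is a small Python script in the spirit of item 5 above and of the "log-in monitoring, threat reporting" item on the Administrative page: it parses web-server access-log lines in NCSA Common Log Format, which a Domino HTTP task can be configured to write, and reports clients with repeated authentication failures inside a short window. The log lines are constructed, the `?Login` paths are only illustrative URLs, and the threshold and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in NCSA Common Log Format (hosts, user names, paths
# and times are made up; the last line is deliberately malformed).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2004:09:01:10 -0500] "GET /names.nsf?Login HTTP/1.0" 200 1840
10.0.0.5 - - [15/Jan/2004:09:01:25 -0500] "POST /names.nsf?Login HTTP/1.0" 401 512
10.0.0.5 - - [15/Jan/2004:09:01:40 -0500] "POST /names.nsf?Login HTTP/1.0" 401 512
10.0.0.5 - - [15/Jan/2004:09:02:03 -0500] "POST /names.nsf?Login HTTP/1.0" 401 512
10.0.0.5 - - [15/Jan/2004:09:02:30 -0500] "POST /names.nsf?Login HTTP/1.0" 401 512
10.0.0.9 - jdoe [15/Jan/2004:09:05:12 -0500] "GET /charts.nsf/ByPatient?OpenView HTTP/1.0" 200 9321
10.0.0.7 - - [15/Jan/2004:09:10:00 -0500] "POST /names.nsf?Login HTTP/1.0" 401 512
10.0.0.7 - - [15/Jan/2004:11:10:00 -0500] "POST /names.nsf?Login HTTP/1.0" 401 512
garbage line that does not parse
"""

# host ident authuser [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """All well-formed records in the log text; malformed lines are skipped."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def auth_failures(records):
    """401/403 responses: failed or unauthorized access attempts."""
    return [r for r in records if r["status"] in (401, 403)]


def repeated_failures(records, threshold=3, window=timedelta(minutes=5)):
    """Hosts with at least `threshold` auth failures inside any one `window`.

    Returns {host: max_failures_in_one_window}. A sliding window is used so
    that two failures hours apart are not reported as an attack.
    """
    by_host = defaultdict(list)
    for r in auth_failures(records):
        by_host[r["host"]].append(r["ts"])
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {len(auth_failures(recs))} auth failures")
    for host, n in repeated_failures(recs).items():
        print(f"ALERT: {host}: {n} failed logins within 5 minutes")
```

In practice the same parser can be pointed at the daily log file and run from a scheduled job, with the alert feeding whatever threat-reporting procedure the administrative safeguards require; keeping the raw log lines unmodified is what makes the result usable as an audit record later.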

Page 21:

HIPAA and Notes/Domino (3)

7. Notes IDs and Domino web accounts ensure positive identification of each user.

Of course, no method is perfect, and each must be implemented correctly.

8. Transmission integrity: SSL and Notes port encryption.

9. Transmission encryption: SSL and Notes port encryption.

Page 22:

HIPAA Audit Database

Tool I created, for free distribution

Posted on my Downloads page

Demonstration

Page 23:

Questions?

Contact info:

– Chuck Connell
– chc-3.com
– 781-939-0505