HIPAA (Health Insurance Portability & Accountability Act)
Background on HIPAA
The HIPAA Privacy Rule (effective April 14, 2003) and the HIPAA Security Rule (full compliance required by April 21, 2005) are federal law, and anyone not in compliance can face up to $250,000 in fines and jail time of up to 10 years.
The HIPAA Privacy Rule applies to protected health information (PHI) in all forms (oral, written, and electronic) and addresses the use and disclosure of an individual's health information. Its aim is to ensure that individuals' health information is properly protected and that individuals understand and control how their health information is used (i.e. ensuring the privacy of patients' health information). A summary of the HIPAA Privacy Rule can be found at http://www.hhs.gov/ocr/privacysummary.pdf
The HIPAA Security Rule applies to PHI only in electronic form - essentially, patients' medical records and other personal health care information. It mandates that electronically stored or transmitted personal health information be kept confidential and protected against unauthorized users and any threats to its security or integrity (i.e. safeguarding patients' health information from unauthorized disclosure). The Rule is intended to set a minimum level or "floor" of security. Organizations may choose to implement safeguards that exceed the HIPAA standards - and, in fact, may find that their business strategies require stronger protections. The final HIPAA Security Rule can be viewed here
Who does HIPAA affect?
It affects companies that store and transmit protected health information in electronic form, which includes (but is not limited to) health plans, health care clearinghouses and health care providers. These organizations are referred to as 'covered entities'. It also applies to companies servicing customers in the health care industry and mandates that these "business associates" implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic personal health information that they access on behalf of the covered entity. Business associates may include lawyers, debt collection agencies, transcription agencies, laboratories and so on.
Why is there so much confusion surrounding HIPAA and compliance?
HIPAA is not legislation that sets standards for computer applications' functional capabilities. Like the international standard BS ISO/IEC 17799 Code of Practice for Information Security Management (which may have answers to most of the problems), it sets standards of behavior and requires the use of best practice. What you need to spend is related to what you can afford and the damage that might occur if it goes wrong.
Such an approach seems to have struck fear in the hearts of many security practitioners. It seems that they are incapable of buying HIPAA-compliant products without a fixed specification. So there is no HIPAA-compliant software, HIPAA provider, HIPAA EDI, HIPAA firewall or any other security term you can put the characters HIPAA in front of. The issue is applying adequate security to your processes and treating patient data according to the HIPAA privacy regulation.
HIPAA compliance, medical information security, patient data security and data protection should all be the same thing. They are in Europe, where personal data is protected regardless of the sector processing it.
So the HIPAA requirement for a health care information system is whether medical record privacy is adequately protected. Put simply, it means unauthorized eyes can’t see it, it doesn’t get misused, and those using it can be identified.
How can I adequately protect health care information in accordance with the HIPAA?
Possibly the most difficult part of the HIPAA security regulation is showing accountability. One of the requirements HIPAA imposes is integrity of data (knowing whether it has been altered). Audit trails could be used, but how do you know the audit trail itself has not been modified? The most secure answer is to deploy digital signature technology and PKI to protect information integrity.
For some time now PKI has been hailed as the only way to comply with the HIPAA standard and to achieve health information privacy. However, full-scale PKI has so far proved too complex as an information security system, even for the largest HMOs.
To help simplify HIPAA implementation, ArticSoft products are PKI enabled, but without having to implement the complexity. Identity and privacy keys can be generated internally for small practices, and imported from PKI where that has been implemented. Identity (for HIPAA privacy) can be controlled by internal administration without the system failing to be HIPAA compliant. ArticSoft products also provide a means of checking who protected the information and who it was made available to, so that auditors can check the privacy of medical records without being able to see those records themselves.
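The point above, that an audit trail is only evidence of integrity if the trail itself cannot be silently edited, is easiest to see in working code. The following is an added illustration written for this page, not ArticSoft's or any product's code: each audit record carries a keyed tag over its own content plus a hash of the previous record, so editing, deleting or reordering any past entry causes verification to fail at that record. To run on the Python standard library alone it uses an HMAC-SHA256 tag where a PKI deployment would place an asymmetric digital signature over the same fields; the chaining and verification logic is unchanged by that substitution. The key and the sample entries are constructed for the demo.

```python
"""Tamper-evident audit trail (added example, not ArticSoft code).

Each record = {seq, prev_hash, entry, tag}. The tag covers seq, prev_hash and
entry, and prev_hash covers the whole previous record including its tag, so
the chain links every record to all earlier ones. An HMAC tag stands in for
the asymmetric signature a PKI deployment would use.
"""
import hashlib
import hmac
import json

# Constructed demo key. In practice the signing key belongs to the audit
# service, not to the application whose actions are being logged.
DEMO_KEY = b"demo-audit-key-not-for-production"


def _canonical(seq, prev_hash, entry):
    # Deterministic serialisation so signer and verifier tag identical bytes.
    return json.dumps([seq, prev_hash, entry], sort_keys=True,
                      separators=(",", ":")).encode()


def _record_hash(record):
    # Hash of the complete record, tag included, used as the next prev_hash.
    data = _canonical(record["seq"], record["prev_hash"], record["entry"])
    return hashlib.sha256(data + record["tag"].encode()).hexdigest()


def append_record(log, entry, key=DEMO_KEY):
    """Append an audit entry (a dict) to `log`, chained to the previous record."""
    seq = len(log)
    prev_hash = _record_hash(log[-1]) if log else "0" * 64
    tag = hmac.new(key, _canonical(seq, prev_hash, entry), hashlib.sha256).hexdigest()
    log.append({"seq": seq, "prev_hash": prev_hash, "entry": entry, "tag": tag})
    return log[-1]


def verify_log(log, key=DEMO_KEY):
    """Return (True, None) if every record is intact and correctly chained,
    otherwise (False, index of the first record that fails)."""
    expected_prev = "0" * 64
    for i, record in enumerate(log):
        # Sequence and back-link checks catch deletion and reordering.
        if record["seq"] != i or record["prev_hash"] != expected_prev:
            return False, i
        expected_tag = hmac.new(key, _canonical(i, record["prev_hash"], record["entry"]),
                                hashlib.sha256).hexdigest()
        # Constant-time comparison; catches edits to any field of this record.
        if not hmac.compare_digest(expected_tag, record["tag"]):
            return False, i
        expected_prev = _record_hash(record)
    return True, None


def demo():
    """Build a three-entry log, then show that a later edit or deletion is caught."""
    log = []
    append_record(log, {"user": "dr_smith", "action": "view", "record_id": "P-1001"})
    append_record(log, {"user": "clerk_jones", "action": "update", "record_id": "P-1001"})
    append_record(log, {"user": "dr_smith", "action": "view", "record_id": "P-2002"})
    intact = verify_log(log)
    # Simulate an after-the-fact edit of who performed the update in record 1.
    edited = json.loads(json.dumps(log))
    edited[1]["entry"]["user"] = "dr_smith"
    tampered = verify_log(edited)
    # Simulate removal of record 1 from the stored trail.
    deleted = [log[0], log[2]]
    gap = verify_log(deleted)
    return intact, tampered, gap


if __name__ == "__main__":
    # Expected: ((True, None), (False, 1), (False, 1))
    print(demo())
```

For an auditor the useful property is the returned index: verification names the first record that no longer matches, so a reviewer can see where the trail was changed without needing to read the patient data inside the entries.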
What products does ArticSoft recommend?
For the transmission of medical records we recommend you use FileAssurity. FileAssurity enables you to encrypt and digitally sign your files to Government standards, ensuring the utmost security.
For the storage of medical records we recommend DiskAssurity. This provides transparent encryption and decryption of your files with no user intervention. A simple key plugs into the drive to make the data available. Switch off, remove the key and the data is protected against any attacker.
Who uses ArticSoft products for HIPAA compliance?
State agencies, health care practices (eyecare specialists, chiropractors, etc.), transcription services, lawyers, health management organizations (HMOs), medical universities, psychiatric facilities, government agencies, dentists and veterinary practices. A select list of customers is available for reference purposes. Please email sales@articsoft.com.
Michigan Public Health Institute recommends us to all their business associates as their protection product of choice. Steve Pierce of MPHI says "This is finally a product that was simple enough that our users could not get it wrong".
If full compliance is not necessary until 2005, why should I comply now?
2005 is the absolute cut-off date. By that time you need to make sure that you have all the necessary safeguards in place. If you do not take these precautions now you may be open to litigation.
"The best way to mitigate legal exposure is to be proactive about putting in place measurable and auditable security processes", said Erin Kenneally, a forensic analyst and attorney at the San Diego Supercomputer Center in La Jolla, Calif.
HIPAA readiness can be achieved without enormous cost before the HIPAA requirements come into full force. ArticSoft products are low priced (FileAssurity is $39) and do not require major new administrative burdens to be effective. The privacy of medical records in storage, over the Internet or across cable services can be easily achieved.