HIPAA, Computer Security, and Domino - CHC


HIPAA, Computer Security, and Domino/Notes
Chuck Connell, www.chc-3.com
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996.
• Large far-reaching health-care law from federal government.
• Five main sections, which take effect on different dates.
• www.cms.hhs.gov/hipaa/
So What? (There are lots of big federal laws.)
• Healthcare is a $1.3T industry in the US, covering 14% of GNP.
• It is one of the few growth sectors in the economy lately.
• It is the only growth sector in the computer business over the last couple years.
• It is likely that you or your business will be affected by HIPAA in some way.
– Who has run into this already?
Five Sections of HIPAA
• Title I, Insurance Reform (now)
• Title II, Administrative Simplification
– Privacy (April 03)
– Transactions and Code Sets (Oct 03)
– Identifiers (July 04)
– Computer Security (April 05)
• Small organizations have an extra year.
• (These dates are a summary.)
Insurance Reform
• Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
• Largely eliminates problems with “preexisting conditions”.
• The greatest benefit of HIPAA for consumers.
Privacy
• Defines who can see your medical information and how it can be used.
• In general, the rules make sense, and are what you want.
– Examples: Can always share information when medically necessary. Cannot shout your diagnosis across the waiting room.
• You received “privacy notices” from your doctors last spring – for compliance with this privacy reg.
• But there are many gray areas.
– Should a hospital tell a caller that you are there?
– Should the hospital accept flowers if you are there?
Transactions and Code Sets
• There were many incompatible formats for the transmission and coding of medical information.
– Organizations could not communicate electronically, because they could not agree on a file format.
– A medical procedure might be known as A101 to one insurance company, but 55b to another.
• HIPAA mandated standard medical codes, file formats, and electronic processing.
• IT impact; all this is computerized.
• Deadline just occurred – 10/03
– Extended because the medical business was about to fall apart due to non-readiness.
Identifiers
• A common standard for unambiguous identification of entities involved in healthcare.
• Solves problem of Dr. Feelgood being known as provider XC-546-T3 to Blue Cross, but 12387624 to Tufts.
• IT impact; much of this is computerized.
• Deadline next summer; July 2004.
• (Unique identification of individuals dropped due to political pressure.)
Questions ?
Computer Security
• Five sub-sections
– Administrative
– Physical
– Organizational
– Policies, Procedures, Documentation
– Technical
• April 2005 deadline
Security, Administrative
• Risk analysis, risk management
• Identify responsible individual
• User authorization / termination procedures
• Virus protection
• Log-in monitoring, threat reporting
• Backup and disaster plan
• More…
Security, Physical
• Building security plan
• Building access control and monitoring
• Physical safeguard of workstations
• Policy and procedures for workstation and work areas
• Storage of backup media
• Re-use and disposal of media
• More…
Security, Organizational
• Contracts between healthcare organization and its business partners must reflect these rules
– Example: offsite backup company
– But, who is a business partner (window washer??)
• Group health plan documents must show they are following HIPAA rules
Security, Policies & Docs
• Documentation about the security policies
• Modification, retention, availability of these documents
Security, Technical
1. Access Controls / Unique User Identification
Assign a unique name and/or number for identifying and tracking user identity.
2. Access Controls / Emergency Access
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
3. Access Controls / Automatic Logoff
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Security, Technical (2)
4. Access Controls / Data Encryption
Implement a mechanism to encrypt and decrypt electronic protected health information.
5. Audit Controls
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
6. Data Integrity
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Security, Technical (3)
7. Person and Entity Authentication
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
8. Transmission Security / Integrity
Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
9. Transmission Security / Encryption
Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
General observations
• The HIPAA security rules give wide latitude for implementation.
– They never say S/MIME or two-factor or password expiration.
– This is by design, based on objections to early drafts.
• Some items are required and some are addressable.
– Definitions
– You will hear a lot of talk about this
• Domino/Notes can meet all of the HIPAA security rules.
HIPAA and Notes/Domino
1. Notes ID files and Internet accounts in the NAB provide unique identification of each person.
Do not assign shared generic IDs (such as AcctPayable).
2. Security rules should not get in the way of patient care.
Need way to get around security restrictions, for good medical care. Domino/Notes can accomplish this in several ways. (Ideas??)
3. Auto logoff built into Notes security preferences.
HIPAA and Notes/Domino (2)
4. Data encryption via encrypted fields or database encryption.
5. Audit trails via server log, web log, database user activity, transaction logging, event records, 3rd party products.
6. Encryption (and other methods) achieve data integrity.
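As an added example (not part of the slides, and not the author's HIPAA Audit Database tool), here is one way the audit controls (item 5) and data integrity (item 6) safeguards can be met together in code: every audit record names the unique user ID, timestamp and action, and is sealed into an HMAC chain so that altering, removing or reordering a record is detected on the next check. The key, user names and record IDs are constructed for the demo; the out-of-band "tail" seal is an assumption about how a deployment would anchor the chain.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
# Constructed demo key: a real deployment keeps it in a key store, not in source.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32   # chain anchor for the first record

def _seal(prev_mac: bytes, event: dict) -> bytes:
    # MAC over the previous seal plus this event's canonical JSON, so altering,
    # removing or reordering any record breaks every seal after it.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_mac + body, hashlib.sha256).digest()

def append_event(log: list, user_id: str, action: str, record_id: str) -> dict:
    # Record who (unique user ID, safeguard 1) did what to which ePHI record, and when.
    prev = bytes.fromhex(log[-1]["mac"]) if log else GENESIS
    event = {"seq": len(log), "ts": datetime.now(timezone.utc).isoformat(),
             "user": user_id, "action": action, "record": record_id}
    entry = dict(event, mac=_seal(prev, event).hex())
    log.append(entry)
    return entry

def verify_chain(log: list, tail_mac=None) -> tuple:
    # Returns (ok, index of first bad entry or -1). tail_mac is the last seal stored
    # out of band (e.g. with backup media); without it, deleting records from the
    # end of the log is invisible, because the shortened chain is still self-consistent.
    prev = GENESIS
    for i, entry in enumerate(log):
        event = {k: v for k, v in entry.items() if k != "mac"}
        if event.get("seq") != i:
            return False, i       # gap or reorder: a record was removed or moved
        expected = _seal(prev, event)
        if not hmac.compare_digest(expected.hex(), entry["mac"]):
            return False, i       # contents changed after sealing
        prev = expected
    if tail_mac is not None and (not log or log[-1]["mac"] != tail_mac):
        return False, len(log)    # trailing records destroyed
    return True, -1

def demo() -> dict:
    # Constructed sample events; returns which tampering cases the checks catch.
    log = []
    append_event(log, "jsmith", "VIEW", "patient-0001")
    append_event(log, "jsmith", "UPDATE", "patient-0001")
    append_event(log, "rjones", "VIEW", "patient-0002")
    tail = log[-1]["mac"]
    altered = [dict(e) for e in log]
    altered[1]["user"] = "someone-else"   # rewrite who made the change
    return {"clean": verify_chain(log, tail)[0], "altered": verify_chain(altered, tail)[0],
            "middle_removed": verify_chain(log[:1] + log[2:], tail)[0],
            "tail_removed_unanchored": verify_chain(log[:2])[0],
            "tail_removed_anchored": verify_chain(log[:2], tail)[0]}
```

The unanchored case is the one to remember when reviewing a vendor's "tamper-evident" log: a hash chain alone proves nothing about records dropped from the end.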
HIPAA and Notes/Domino (3)
7. Notes IDs and Domino web accounts ensure positive identification of each user.
Of course, no method is perfect and must be implemented correctly.
8. SSL and Notes port encryption.
9. SSL and Notes port encryption.
HIPAA Audit Database
• Tool I created, for free distribution
• Posted on my Downloads page
• Demonstration
Questions ?
• Contact info:
– Chuck Connell
– chc-3.com
– 781-939-0505