HIPAA, Computer Security, and Domino/Notes
Chuck Connell, www.chc-3.com
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996.
• Large far-reaching health-care law from federal government.
• Five main sections, which take effect on different dates.
• www.cms.hhs.gov/hipaa/
So What? (There are lots of big federal laws.)
• Healthcare is a $1.3T industry in the US, covering 14% of GNP.
• It is one of the few growth sectors in the economy lately.
• It is the only growth sector in the computer business over the last couple of years.
• It is likely that you or your business will be affected by HIPAA in some way.
• Who has run into this already?
Five Sections of HIPAA
• Title I, Insurance Reform (now)
• Title II, Administrative Simplification
  • Privacy (April 03)
  • Transactions and Code Sets (Oct 03)
  • Identifiers (July 04)
  • Computer Security (April 05)
• Small organizations have an extra year.
• (These dates are a summary.)
Insurance Reform
• Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
• Largely eliminates problems with “pre-existing conditions”.
• The greatest benefit of HIPAA for consumers.
Privacy
• Defines who can see your medical information and how it can be used.
• In general, the rules make sense, and are what you want.
• Examples:
  • Can always share information when medically necessary.
  • Cannot shout your diagnosis across the waiting room.
• You received “privacy notices” from your doctors last spring – for compliance with this privacy reg.
• But there are many gray areas.
  • Should a hospital tell a caller that you are there?
  • Should the hospital accept flowers if you are there?
Transactions and Code Sets
• There were many incompatible formats for the transmission and coding of medical information.
• Organizations could not communicate electronically, because they could not agree on a file format.
• A medical procedure might be known as A101 to one insurance company, but 55b to another.
• HIPAA mandated standard medical codes, file formats, and electronic processing.
• IT impact; all this is computerized.
• Deadline just occurred – 10/03
  • Extended because the medical business was about to fall apart due to non-readiness.
Identifiers
• A common standard for unambiguous identification of entities involved in healthcare.
• Solves problem of Dr. Feelgood being known as provider XC-546-T3 to Blue Cross, but 12387624 to Tufts.
• IT impact; much of this is computerized.
• Deadline next summer; July 2004.
• (Unique identification of individuals dropped due to political pressure.)
Computer Security
• Five sub-sections
  • Administrative
  • Physical
  • Organizational
  • Policies, Procedures, Documentation
  • Technical
• April 2005 deadline
Security, Administrative
• Risk analysis, risk management
• Identify responsible individual
• User authorization / termination procedures
• Virus protection
• Log-in monitoring, threat reporting
• Backup and disaster plan
• More…
Security, Physical
• Building security plan
• Building access control and monitoring
• Physical safeguard of workstations
• Policy and procedures for workstation and work areas
• Storage of backup media
• Re-use and disposal of media
• More…
Security, Organizational
• Contracts between healthcare organization and its business partners must reflect these rules
  • Example: offsite backup company
  • But, who is a business partner (window washer??)
• Group health plan documents must show they are following HIPAA rules
Security, Policies & Docs
• Documentation about the security policies
• Modification, retention, availability of these documents
Security, Technical
• Access Controls / Unique User Identification
  Assign a unique name and/or number for identifying and tracking user identity.
• Access Controls / Emergency Access
  Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
• Access Controls / Automatic Logoff
  Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Security, Technical (2)
• Access Controls / Data Encryption
  Implement a mechanism to encrypt and decrypt electronic protected health information.
• Audit Controls
  Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
• Data Integrity
  Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Security, Technical (3)
• Person and Entity Authentication
  Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
• Transmission Security / Integrity
  Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
• Transmission Security / Encryption
  Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
General observations
• The HIPAA security rules give wide latitude for implementation.
  • They never say S/MIME or two-factor or password expiration.
  • This is by design, based on objections to early drafts.
• Some items are required and some are addressable.
  • Definitions
  • You will hear a lot of talk about this
• Domino/Notes can meet all of the HIPAA security rules.
HIPAA and Notes/Domino
• Notes ID files and Internet accounts in the NAB provide unique identification of each person.
  • Do not assign shared generic IDs (such as AcctPayable)
• Security rules should not get in the way of patient care. Need way to get around security restrictions, for good medical care. Domino/Notes can accomplish this in several ways. (Ideas??)
• Auto logoff built into Notes security preferences.
HIPAA and Notes/Domino (2)
• Data encryption via encrypted fields or database encryption.
• Audit trails via server log, web log, database user activity, transaction logging, event records, 3rd party products.
• Encryption (and other methods) achieve data integrity.
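The administrative "log-in monitoring" item, the unique-identification bullet (no shared generic IDs such as AcctPayable) and the server-log audit trail can be checked together by reviewing the log mechanically. The Python below is an added example, not from this presentation or from Domino itself; it runs over constructed sample lines in a simplified, Domino-console-like format (an assumption; the real log.nsf wording may differ, so the regexes are a placeholder to adapt), and flags repeated authentication failures and sessions opened under a shared generic ID.

```python
import re
from collections import Counter

# Constructed sample log lines (not real Domino output) in a simplified
# console-log-like format; adapt LINE_RE/SESSION_RE/FAIL_RE to your server.
SAMPLE_LOG = """\
03/15/2004 08:01:10 AM  Opened session for Chuck Connell/CHC-3 (Release 6.5)
03/15/2004 08:03:42 AM  Authentication failure for user AcctPayable/CHC-3
03/15/2004 08:03:50 AM  Authentication failure for user AcctPayable/CHC-3
03/15/2004 08:04:01 AM  Authentication failure for user AcctPayable/CHC-3
03/15/2004 08:04:09 AM  Opened session for AcctPayable/CHC-3 (Release 6.5)
03/15/2004 08:10:33 AM  Closed session for Chuck Connell/CHC-3
"""

LINE_RE = re.compile(r"^(\S+ \S+ [AP]M)\s+(.*)$")          # timestamp, message
SESSION_RE = re.compile(r"Opened session for (.+?) \(")     # user who logged in
FAIL_RE = re.compile(r"Authentication failure for user (.+)$")

# Hypothetical deny-list of shared/generic account names that HIPAA's
# unique-user-identification rule says should not exist in the NAB.
GENERIC_IDS = {"acctpayable", "frontdesk", "nurse", "admin"}

def review_log(text, fail_threshold=3):
    """Return (finding, user, timestamp) tuples for a block of log text.

    - 'repeated-auth-failure' when a user reaches fail_threshold failures
    - 'shared-generic-id' when a session is opened under a generic ID
    """
    findings = []
    failures = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not log events
        ts, msg = m.groups()
        f = FAIL_RE.search(msg)
        if f:
            user = f.group(1).strip()
            failures[user] += 1
            if failures[user] == fail_threshold:   # report once per user
                findings.append(("repeated-auth-failure", user, ts))
            continue
        s = SESSION_RE.search(msg)
        if s:
            user = s.group(1).strip()
            common_name = user.split("/")[0].lower()   # "AcctPayable/CHC-3" -> "acctpayable"
            if common_name in GENERIC_IDS:
                findings.append(("shared-generic-id", user, ts))
    return findings

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```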
HIPAA and Notes/Domino (3)
• Notes IDs and Domino web accounts ensure positive identification of each user. Of course, no method is perfect, and each must be implemented correctly.
• SSL and Notes port encryption.
HIPAA Audit Database
• Tool I created, for free distribution
• Posted on my Downloads page
• Demonstration
Questions?
• Contact info:
  • Chuck Connell
  • chc-3.com
  • 781-939-0505