By Ed Skoudis
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)—HIPAA—was enacted as part of a broad Congressional attempt at progressive healthcare reform. The "Administrative Simplification" aspect of the law requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for the maintenance and transmission of health information pertaining to individual patients. These standards are designed to improve the efficiency and effectiveness of the healthcare system by standardizing the exchange of electronic data for administrative and financial transactions and to protect the security and confidentiality of electronic health information.
All healthcare organizations that maintain or transmit electronic health information must comply with HIPAA regulations. This includes health plans, healthcare clearinghouses, and healthcare providers ranging from large, integrated delivery networks to individual physician offices. Insurance and pharmaceutical companies are also affected. Once the final standards are adopted, small health plans have 36 months to comply. Others, including healthcare providers, must comply within 24 months.
Unlike Y2K, seen as primarily an information technology problem, HIPAA is an enterprisewide issue. There are legal, regulatory, process, security, and technology aspects to each proposed rule that must be carefully evaluated before companies can begin planning and implementing. HIPAA is rapidly becoming a major issue in healthcare because:
- Implementation time frames are short—most organizations must be in compliance 24 months after the regulations become final.
- Senior executives are clearly responsible for the security and confidentiality of patient health information, yet most organizations have done little in this area.
- There are significant criminal and civil penalties for noncompliance, as well as serious liability risks for unauthorized disclosure.
- There is no quick fix or easy solution to meet the requirements.
This overview provides an outline of the technical and procedural changes that HIPAA will require.
Beginning with information exchange and unique identifiers
To date, there have been no common standards for the transfer of information between healthcare providers and payers. As a result, providers have been required by payers to meet many different requirements. For providers who submit claims to hundreds of payers, programming computer systems to meet these requirements has been a difficult and expensive process. HIPAA will change all this. Payers will be required to accept transaction standards for Electronic Data Information.
Furthermore, healthcare providers and health plans are required to create privacy-conscious business practices, including a requirement that only the minimum amount of health information necessary about a patient is disclosed. These practices should ensure the internal protection of medical records, employee privacy training and education, creation of a mechanism for addressing patient privacy complaints, and designation of a privacy officer. Overall, covered entities are encouraged to use deidentified information whenever possible. Once information is in a deidentified form, it is no longer subject to the privacy regulation restrictions.
HIPAA mandates the use of unique identifiers for providers, health plans, employers, and patients. They are:
- The national provider identifier—Developed for use in the Medicare system. It will probably have 10 numeric positions with a check digit as the tenth digit. DHHS will most likely assign these identifiers, and the system may be Web-based.
- The health plan identifier—Drafted to apply the work that Health Care Financing Administration did for a Medicare PayerID to all health plans nationwide. It is expected to have 10 numeric positions with a check digit in the tenth position.
- The employer identifier—Based on the Internal Revenue Service-assigned Employer Identification Number (EIN). The EIN has nine numeric positions.
- The patient identifier—On hold pending privacy legislation. However, industry experts speculate that the identifier will consist of approximately 10 numeric digits with a check digit.
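As an added illustration of what the check digit in a 10-position identifier buys, the following example code (not from the original article, and not DHHS's identifier scheme) computes and verifies a check digit and shows which keying errors it catches. The article does not name the check-digit algorithm, so the widely used Luhn (mod 10) algorithm is assumed here; the identifier values are constructed for the demonstration.

```python
"""Check-digit computation and verification for a 10-digit identifier.

Assumption: the Luhn (mod 10) algorithm, which the article does not specify.
A check digit is an integrity control, not a secret: it detects accidental
transcription errors (a mistyped digit, most adjacent transpositions), it does
not authenticate the identifier or its holder.
"""

IDENTIFIER_LENGTH = 10  # nine payload digits plus one check digit (as described)


def _luhn_sum(digits: str, double_first: bool) -> int:
    """Sum digits right to left, doubling every other one (Luhn weighting)."""
    total = 0
    double = double_first
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
        double = not double
    return total


def compute_check_digit(payload: str) -> str:
    """Return the digit that makes payload + digit pass verification."""
    if not payload.isdigit() or len(payload) != IDENTIFIER_LENGTH - 1:
        raise ValueError("payload must be %d digits" % (IDENTIFIER_LENGTH - 1))
    # The check digit will sit at the rightmost (undoubled) position, so the
    # rightmost payload digit is the first one doubled.
    total = _luhn_sum(payload, double_first=True)
    return str((10 - total % 10) % 10)


def is_valid_identifier(identifier: str) -> bool:
    """Verify length, digits-only, and the Luhn check digit."""
    if not identifier.isdigit() or len(identifier) != IDENTIFIER_LENGTH:
        return False
    # Rightmost digit is the check digit and is not doubled.
    return _luhn_sum(identifier, double_first=False) % 10 == 0


def demo() -> dict:
    """Build a constructed identifier and test common keying errors."""
    payload = "123456789"  # constructed sample, not a real identifier
    identifier = payload + compute_check_digit(payload)
    return {
        "identifier": identifier,
        "valid": is_valid_identifier(identifier),
        # single mistyped digit in the last position
        "single_digit_error": is_valid_identifier(identifier[:-1] + "8"),
        # adjacent digits swapped at the front
        "transposition_error": is_valid_identifier(
            identifier[1] + identifier[0] + identifier[2:]),
        # wrong length is rejected before any arithmetic
        "wrong_length": is_valid_identifier(payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The validator only tells a receiving system that an identifier was keyed or transmitted without a detectable slip; it says nothing about whether the sender is entitled to use it, which is the job of the access-control and transmission safeguards described in the security standard below.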
Information security standards
There is no single standard for the security of health information that includes all of the components required by HIPAA. So DHHS developed a technology-neutral security standard with scalability for the size and complexity of healthcare organizations. At a minimum, all health plans, clearinghouses, and healthcare providers that transmit or maintain electronic health information must conduct a risk assessment and develop a security plan to protect this information. They must also document these measures, keep them current, and train their employees on appropriate security procedures.
The proposed security standard is divided into four categories:
- Administrative procedures are used to guard data integrity, confidentiality, and availability. These are documented, formal procedures for selecting and executing information security measures. These procedures also address staff responsibilities for protecting data.
- Physical safeguards are used to guard data integrity, confidentiality, and availability. These safeguards protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion. The use of locks, keys, and administrative measures used to control access to computer systems and facilities are also included.
- Technical data security services are used to guard data integrity, confidentiality, and availability. These include the processes used to protect, control, and monitor information access.
- Technical security mechanisms include processes used to prevent unauthorized access to data transmitted over a communications network.
Where to begin? Focus on the business
Successfully addressing HIPAA is a process, not a product. HMOs, PPOs, hospitals, pharmacies, and other providers of healthcare services must ensure that their technical solutions not only support their business goals but also comply with the law. However, focusing solely on the technical-compliance aspect of HIPAA can be costly and counterproductive to a company's workflow as well as its bottom line. A clear understanding of the processes and procedures that meet the business goals is the place to begin.
Ed Skoudis is the vice president of the Global Integrity Information Security practice and chief security strategist at Predictive Systems. His background includes performing security assessments, designing secure network architectures, penetration testing, and incident response. Ed has focused on identifying and resolving security vulnerabilities on UNIX, Windows NT, firewall architectures, and Web applications.