The most recent round of HIPAA standards protecting the privacy of individually identifiable health information took effect on April 14, 2003. Compliance is a top priority, but many organizations are having particular trouble securing e-mail and unstructured documents. Help might be on the way from an unexpected source.
Still a long way to go on privacy
Health information counts as individually identifiable health information (IIHI) if both of the following hold:
- It explicitly identifies an individual, or the individual's identity can reasonably be inferred from the data.
- It concerns the past, present, or future physical or mental health of the individual, or the provision of or payment for healthcare to the individual.
For more specific information on the new regulation, see an earlier TechRepublic article or the Standards for Privacy of Individually Identifiable Health Information regulation text.
While the regulation isn't really news anymore, it still leaves CIOs and IT teams with an impressive agenda to ensure compliance for their organizations. The multitiered goal of achieving business initiatives, protecting electronic data in storage, protecting electronic data in transmission, and securing physical access to data, while building a structure that will reliably and securely allow "real-world" interaction with said data, is impressive, to say the least.
Of course, it's made that much more difficult when you consider that even employees within your own organization will often be working against you. Not that an individual will be purposely short-circuiting your best efforts, of course, but bear in mind that the general system user can't be expected to learn entirely new paradigms of interaction with applications and hardware to ensure compliance.
One of the surest signs of this can probably be discovered in a careful examination of your organization's e-mail transmissions. Unless you're head and shoulders above the rest when it comes to technology-related policy compliance, chances are that someone in your organization has sent text in, or a file attached to, an unencrypted e-mail that would qualify as protected health information (PHI) in the last month. In fact, a recent Zix Corp. study showed that 35 percent of the country's top 60 health insurers and over 50 percent of a pool of 100 U.S. healthcare chains have sent plain-text e-mails containing PHI since April 14th (see this Insurance and Technology Online article for further information).
Of course, HIPAA compliance is an organization-wide commitment, requiring as much work in the training of employees as in implementing technology to achieve compliance. However, there are compelling new standards-based products available that can help get your organization one step closer to achieving HIPAA compliance.
New rules, old tools
Some of the technologies being used to address HIPAA-related concerns might surprise you; not because they're so new you haven't heard of them, but because they've been around for quite a while. The biggest challenge presented by HIPAA is to accurately and consistently protect individuals' privacy without crippling your business. That being the case, the best technologies available would be those that allowed you to share exactly the right information (and only that information) with both individuals within your organization and the other entities with whom your organization does business. Much of this functionality is actually built into most enterprise data management systems and enabling it is usually straightforward, if time consuming. "Offline" content, though, requires a more creative approach.
Enter WebDAV (Web-based Distributed Authoring and Versioning) and SSL. Neither is exciting or new, but both are proven, standardized means of sharing data without sacrificing security. The two will not address all of your HIPAA-related data access needs, but by running WebDAV over HTTPS you can begin to close a lot of the holes in your existing practices without a huge investment. Specifically, you can tighten up e-mail (by sending a link to a protected document instead of attaching the document itself), FTP, and local file copies with creative use of these two technologies.
WebDAV is a protocol for collaborative file editing via HTTP. It consists of extensions to the HTTP 1.1 specification (new methods such as PROPFIND, MKCOL, LOCK, and MOVE, plus a few headers and XML request bodies), so it's based on well-proven, relatively simple technology. Although the versioning features of the protocol are still maturing, several APIs already exist to begin approaching the task of document management outside the context of your transactional systems. In addition, since WebDAV is essentially an extension of HTTP, any data transferred to a remote location can be protected in transit the same way any other HTTP traffic is: run it over SSL, and configure the server to accept the DAV methods only on the encrypted port and only after authentication.
What this boils down to is that your network file server can become a secure Web-based server and, with some tweaking, you can use the WebDAV protocol to create multiple permission levels and log every access to your centrally located documents. That largely eliminates the need for employees to keep local copies of sensitive documents, and it provides a viable alternative to plain FTP, which sends passwords and file contents in the clear and shouldn't even be considered where PHI is concerned.
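To make the "WebDAV is just HTTP, so SSL protects it" point concrete, here is an added example of the client side of the exchange. It is not code from the article or from Xythos: it builds a WebDAV PROPFIND request (an ordinary HTTP request with a new method name, a Depth header, and an XML body), parses the 207 Multi-Status reply a server returns, and constructs a TLS context that actually verifies the server's certificate. The host name, the /records/ path, and the canned server reply are constructed for the example.

```python
"""Minimal WebDAV-over-HTTPS client pieces (added example, not vendor code).

Assumptions: the host name and path passed to list_collection() are
hypothetical, and SAMPLE_207 is a constructed server reply used to show
what the parser does without a network connection."""
import ssl
import http.client
import xml.etree.ElementTree as ET
from dataclasses import dataclass

DAV = "{DAV:}"  # ElementTree's Clark notation for the DAV: namespace


def make_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and host name.

    Encrypting the link buys nothing if the client will talk to anyone who
    presents any certificate, so verification stays on and old protocol
    versions are refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_propfind(path: str, depth: int = 1) -> tuple[str, dict, bytes]:
    """Return (method, headers, body) for a PROPFIND listing a collection.

    Depth 0 describes the collection itself, Depth 1 its direct members.
    Depth "infinity" is refused here because most servers refuse it too
    (it lets one request walk an entire document tree)."""
    if depth not in (0, 1):
        raise ValueError("use Depth 0 or 1; infinity is refused")
    body = (
        b'<?xml version="1.0" encoding="utf-8"?>'
        b'<D:propfind xmlns:D="DAV:"><D:prop>'
        b'<D:displayname/><D:getlastmodified/><D:resourcetype/>'
        b'</D:prop></D:propfind>'
    )
    headers = {
        "Depth": str(depth),
        "Content-Type": 'application/xml; charset="utf-8"',
        "Content-Length": str(len(body)),
    }
    return "PROPFIND", headers, body


@dataclass
class DavEntry:
    href: str
    is_collection: bool
    last_modified: str


def parse_multistatus(xml_bytes: bytes) -> list[DavEntry]:
    """Parse a 207 Multi-Status body into one entry per <D:response>.

    Note: the stdlib parser does not fetch external entities, but for a
    server you do not control, defusedxml is the safer choice."""
    root = ET.fromstring(xml_bytes)
    entries = []
    for resp in root.iter(DAV + "response"):
        href = resp.findtext(DAV + "href", default="")
        prop = resp.find(".//" + DAV + "prop")
        rtype = prop.find(DAV + "resourcetype") if prop is not None else None
        is_coll = rtype is not None and rtype.find(DAV + "collection") is not None
        modified = prop.findtext(DAV + "getlastmodified", default="") if prop is not None else ""
        entries.append(DavEntry(href, is_coll, modified))
    return entries


def list_collection(host: str, path: str) -> list[DavEntry]:
    """Send the PROPFIND over HTTPS and return the parsed listing.

    There is deliberately no plain-HTTP fallback: a listing of PHI on
    port 80 would be the FTP problem all over again."""
    method, headers, body = build_propfind(path)
    conn = http.client.HTTPSConnection(host, 443, context=make_tls_context())
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    if resp.status != 207:
        raise RuntimeError(f"expected 207 Multi-Status, got {resp.status}")
    return parse_multistatus(data)


# Constructed reply, as a DAV server would send for PROPFIND /records/ Depth: 1
SAMPLE_207 = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response><D:href>/records/</D:href><D:propstat><D:prop>
    <D:displayname>records</D:displayname>
    <D:getlastmodified>Mon, 02 Jun 2003 14:12:00 GMT</D:getlastmodified>
    <D:resourcetype><D:collection/></D:resourcetype>
  </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
  <D:response><D:href>/records/claim-0001.doc</D:href><D:propstat><D:prop>
    <D:displayname>claim-0001.doc</D:displayname>
    <D:getlastmodified>Tue, 03 Jun 2003 09:30:00 GMT</D:getlastmodified>
    <D:resourcetype/>
  </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
</D:multistatus>"""

if __name__ == "__main__":
    for e in parse_multistatus(SAMPLE_207):
        print(("[dir]  " if e.is_collection else "[file] ") + e.href, e.last_modified)
```

Against a real server you would call `list_collection("dav.example.org", "/records/")`; the server, not the client, is where the per-user permission levels and the access log live, so pair this with a DAV server that requires authentication for every DAV method and records each request.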
Jumpstart your move to WebDAV
If you were reading carefully, you noticed a couple of potential "gotchas" in the last few paragraphs. I mentioned that WebDAV would need some tweaking to really be up to par in a HIPAA-influenced environment, due mainly to the limitations of its versioning system. However, at least one vendor has worked out a way to make a WebDAV/SSL system viable as a means of replacing local files and FTP, as well as helping to secure e-mail.
Xythos Software, Inc. has applied its WebFile Server (WFS) to the problem of HIPAA compliance regarding remote access to unstructured documents. The WFS is essentially a content management system that acts as a middleware client to your existing network file system. WFS also provides secure remote access to the files without the extra burden of a VPN or dial-up system.
It does this through a combination of WebDAV and SSL. The concept is fairly simple. Users are given permission-based access to documents, which can be accessed normally or via WFS when users are on the network and via a browser, through WFS, when they're not. WFS addresses the WebDAV versioning shortcomings and adds the ability to track all views of and changes to a particular document. The system also offers several enhancements over these basic abilities.
One of the truly appealing aspects of the Xythos product is its ability to integrate into many popular desktop applications. You can open, edit, and save files remotely from within the familiar context of Word, Excel, etc. In addition, you can make and share file changes via e-mail through HTTPS links to the files. (Read an excerpt from the company's white paper on the subject.)
The future is in WebDAV
The ubiquitous nature of HTTP and SSL makes them an easy choice for remotely accessing documents securely. With the addition of the WebDAV protocol, a remote document management system can become a reality. This will be an interesting space to watch as vendors catch on to the potential markets for these standard technologies.