HIPAA Implementation: Are You Ready - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
HIPAA Implementation: Are You Ready?
  • Kepa Zubeldia, M.D.
  • NAHDO 15th Anniversary Meeting
  • Washington DC, December 5, 2000

2
HIPAA Provisions
  • HHS must adopt national standards for
    • the efficient, electronic exchange of administrative and financial data, and
    • the security and privacy of health information.
  • Covered entities are required by federal law to implement the adopted standards:
    • all health plans, all clearinghouses, and providers.

3
Security Standards
  • Goals
  • Comprehensive framework of security requirements.
  • Scalable requirements to meet small to large
    business needs at reasonable cost.
  • Technology neutral implementation features.

4
Proposed Rule Categories
  • Administrative procedures
  • Physical safeguards
  • Technical security services
  • Technical security mechanisms
    • for data transmitted over a communications network (e.g. the Internet).

5
Security Issues
  • Different scope than the other HIPAA regulations.
  • Entire enterprise, not just EDI.
  • Covers data at rest as well as transmitted data.
  • Involves policies, procedures, and contracts with business partners.

6
Change
  • For most security technology to work, behavioral
    safeguards must also be established and enforced.
  • Requires global enterprise changes
  • Management commitment
  • Responsibility at every level.
  • Change is painful!

7
HIPAA Security Rule Making
  • Most comments supportive
  • No substantial changes
  • Perceived high cost of implementation
  • Electronic signature rule postponed
  • Coverage of non-electronic media?
  • Conflicts with Privacy rule?
  • Certifying/enforcing mechanisms?
  • Enforcement NPRM in 2001?

8
Expectations for Final Rule
  • More freedom in the implementation features required to meet requirements
  • Harmonized with Privacy definitions, scope, and requirements
  • Final Security Rule in 1Q01?
    • Without the Electronic Signature component
  • Rules to be refined over time
  • New security NPRM for non-electronic media likely in the future

9
HCFA's Old Internet Policy
  • Thou Shall Not Use The Internet

10
HCFA's New Internet Policy
  • Released 11/24/98. (HCFA, the Health Care Financing Administration, asked its
    contractors not to implement it until further notice.)
  • Data to be protected over the Internet
    1. HCFA Privacy Act-protected data
    2. Other sensitive HCFA information
  • Mandatory requirements
    1. Adequate encryption
    2. Authentication / Identification (in-band / out-of-band)
    3. Effective password/key management
    4. Notify HCFA of intent to use the Internet

11
Adequate Encryption
  • Symmetric: 112 or 128 bits or more
  • Asymmetric: 1024 bits
  • Hardware link encryptors (VPN?)
  • Software encryption: SSL, S/MIME, PGP
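As an added example (not part of the presentation), the following Python check audits a TLS configuration against the symmetric key-length floors on this slide, using only the standard library's ssl module. The 112-bit floor is exactly where 3DES sits, so the two figures on the slide give different answers for a 3DES suite; the check uses OpenSSL's effective strength_bits so that export-grade suites (128-bit algorithm, 40 effective bits) are caught too. The sample cipher list is constructed here to mirror the dict shape returned by SSLContext.get_ciphers(). Two caveats a practitioner would add today: the 1024-bit asymmetric floor is the slide's 2000-era figure, and NIST SP 800-57 has since moved the floor to 2048 bits; and SSLv3 and TLS 1.0/1.1 have been deprecated (RFC 7568, RFC 8996), so the protocol floor below is TLS 1.2, which is an assumption of this example, not the slide's.

```python
"""Audit a TLS context against the key-length floors quoted on the slide.

Added example; not code from the presentation or from HCFA.
"""
import ssl

# Floors as stated on the slide (HCFA policy, 1998).
SLIDE_POLICY = {"min_symmetric_bits": 112, "min_asymmetric_bits": 1024}
# Modern floors (assumption: NIST SP 800-57 guidance, not from the slide).
MODERN_POLICY = {"min_symmetric_bits": 128, "min_asymmetric_bits": 2048}

# Constructed sample in the shape of ssl.SSLContext.get_ciphers(): 'alg_bits'
# is the algorithm's nominal key size, 'strength_bits' the effective strength
# OpenSSL assigns (3DES is rated 112, export suites 40).
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2",
     "alg_bits": 256, "strength_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "alg_bits": 128, "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3",
     "alg_bits": 168, "strength_bits": 112},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3",
     "alg_bits": 128, "strength_bits": 40},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3",
     "alg_bits": 56, "strength_bits": 56},
]


def weak_ciphers(ciphers, min_symmetric_bits):
    """Return names of suites whose effective key strength is below the floor.

    Uses strength_bits rather than alg_bits so that export-grade suites, which
    nominally run a 128-bit algorithm with only 40 effective bits, are flagged.
    Order of the input list is preserved.
    """
    return [c["name"] for c in ciphers
            if c["strength_bits"] < min_symmetric_bits]


def audit_context(ctx, min_symmetric_bits, protocol_floor=ssl.TLSVersion.TLSv1_2):
    """Audit a live ssl.SSLContext: enabled suites plus the protocol floor."""
    return {
        "weak_ciphers": weak_ciphers(ctx.get_ciphers(), min_symmetric_bits),
        "protocol_floor_ok": ctx.minimum_version >= protocol_floor,
    }


def hardened_context():
    """Build a context that satisfies the 128-bit floor and the TLS 1.2 floor.

    Only forward-secret AEAD suites are enabled; TLS 1.3 suites (all at least
    128-bit) are added by OpenSSL automatically.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    for label, policy in (("slide (1998)", SLIDE_POLICY), ("modern", MODERN_POLICY)):
        flagged = weak_ciphers(SAMPLE_CIPHERS, policy["min_symmetric_bits"])
        print(f"{label}: below {policy['min_symmetric_bits']}-bit floor -> {flagged}")
    print("hardened context:", audit_context(hardened_context(), 128))
```

Asymmetric key sizes are not visible through get_ciphers(); check the server certificate and any DH parameters separately (for example with openssl x509 -noout -text) against the 1024-bit figure on the slide or the 2048-bit modern floor.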

12
Authentication (in-band) options
  • Digital certificates
  • Self-authentication, as with a shared symmetric secret key
  • Tokens or smart cards for in-band authentication

13
Identification (out-of-band) options
  • Direct password exchange and identity verification by
    • phone
    • certified mail (USPS)
    • bonded courier
    • personal presence
  • Token or smart card exchange and verification off-line

14
Other HCFA requirements
  • Meet all requirements of the Medicare Program
    concerning data protection
  • Protection of data behind the firewall.
  • Firewalls and access barriers in place.
  • Notify HCFA of intent to use the Internet.

15
So...
  • What exactly do I need to do?
    • HIPAA Security Rule
    • HCFA Internet Policy
  • How can I tell for sure that I am in compliance?
  • What if I don't comply?
    • HIPAA fines
    • Medicare suspension

16
AFEHCT-WEDI Internet Encryption Interoperability Pilot
  • Batch file transfer
  • Real Time
  • Web Browser
  • E-mail
  • Virtual Private Network
  • Certification Authority
  • Final Report

17
Final Report Contents
  • Executive Summary
  • Batch file transfer workgroup
  • Web browser workgroup
  • E-mail workgroup
  • Real Time applications workgroup
  • Certification Authority workgroup
  • Virtual Private Network workgroup
  • Reporting workgroup
  • Accomplishments, Next Steps, Recommendations

18
Final Report Contents (cont.)
  • The working proposals
  • Certificate Policies
  • Certificate Profiles
  • Directory Profile
  • HCFA Internet Policy
  • HCFA - Pilot understandings
  • Glossary
  • Reports from participants
  • CA Master Document

19
Pilot Information
  • Final report
    • http://www.edisec.org/report.html
  • WEDI
    • http://www.wedi.org/
  • AFEHCT
    • http://www.afehct.org/

20
The first step
  • To start using the Internet today
    • Apply HCFA's Policy as the guide
    • Use the best boundary protection you can get
    • Firewall(s) tested periodically
    • Intrusion detection with alarms
    • Virus checking up to date
    • Encryption of at least 128 bits
    • Strong authentication method

21
In the next two years
  • Perform a security risk assessment
  • Establish policies and procedures
  • Establish a Security Officer and audits
  • Revise your contracts for chain of trust
    • Must provide for sanctions
  • Educate all healthcare personnel
    • Include management
    • Repeat periodically

22
In the next two years (cont.)
  • Physical Safeguards
    • Physical access control mechanisms
    • Media controls (magnetic and paper)
    • Secure workstations, disaster recovery
  • Technical Security Services
    • Logical access control, user authentication
    • Log analysis and audits
    • Data integrity and authentication

23
In the next two years (cont.)
  • Network Protection
    • Internet: similar to the HCFA Internet Policy
    • Access control, audit trail, authentication of end users, event reporting,
      alarms, integrity controls, encryption, message authentication.
    • Protect other private networks and WANs

24
The years after the first two
  • A family of bedouins are in a caravan in the desert.
  • The little son asks his dad, "Are we there yet?"
  • The dad says, "For crying out loud, WE ARE NOMADS!!"
  • So is HIPAA.

25
Questions?