HIPAA, Computer Security, and DominoNotes - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
HIPAA, Computer Security, and Domino/Notes
  • Chuck Connell, www.chc-3.com

2
What is HIPAA?
  • Health Insurance Portability and Accountability
    Act of 1996.
  • Large far-reaching health-care law from federal
    government.
  • Five main sections, which take effect on
    different dates.
  • www.cms.hhs.gov/hipaa/

3
So What? (There are lots of big federal laws.)
  • Healthcare is a $1.3T industry in the US,
    covering 14% of GNP.
  • It is one of the few growth sectors in the
    economy lately.
  • It is the only growth sector in the computer
    business over the last couple years.
  • It is likely that you or your business will be
    affected by HIPAA in some way.
  • Who has run into this already?

4
Five Sections of HIPAA
  • Title I, Insurance Reform (now)
  • Title II, Administrative Simplification
      • Privacy (April 03)
      • Transactions and Code Sets (Oct 03)
      • Identifiers (July 04)
      • Computer Security (April 05)
  • Small organizations have an extra year.
  • (These dates are a summary.)

5
Insurance Reform
  • Title I of HIPAA protects health insurance
    coverage for workers and their families when they
    change or lose their jobs.
  • Largely eliminates problems with pre-existing
    conditions.
  • The greatest benefit of HIPAA for consumers.

6
Privacy
  • Defines who can see your medical information and
    how it can be used.
  • In general, the rules make sense, and are what
    you want.
  • Examples: Can always share information when
    medically necessary. Cannot shout your diagnosis
    across the waiting room.
  • You received privacy notices from your doctors
    last spring for compliance with this privacy
    reg.
  • But there are many gray areas.
  • Should a hospital tell a caller that you are
    there?
  • Should the hospital accept flowers if you are
    there?

7
Transactions and Code Sets
  • There were many incompatible formats for the
    transmission and coding of medical information.
  • Organizations could not communicate
    electronically, because they could not agree on a
    file format.
  • A medical procedure might be known as A101 to one
    insurance company, but 55b to another.
  • HIPAA mandated standard medical codes, file
    formats, and electronic processing.
  • IT impact: all this is computerized.
  • Deadline just occurred, 10/03.
  • Extended because the medical business was about
    to fall apart due to non-readiness.

8
Identifiers
  • A common standard for unambiguous identification
    of entities involved in healthcare.
  • Solves problem of Dr. Feelgood being known as
    provider XC-546-T3 to Blue Cross, but 12387624 to
    Tufts.
  • IT impact: much of this is computerized.
  • Deadline next summer, July 2004.
  • (Unique identification of individuals dropped due
    to political pressure.)

9
Questions?

10
Computer Security
  • Five sub-sections
      • Administrative
      • Physical
      • Organizational
      • Policies, Procedures, Documentation
      • Technical
  • April 2005 deadline

11
Security, Administrative
  • Risk analysis, risk management
  • Identify responsible individual
  • User authorization / termination procedures
  • Virus protection
  • Log-in monitoring, threat reporting
  • Backup and disaster plan
  • More

12
Security, Physical
  • Building security plan
  • Building access control and monitoring
  • Physical safeguard of workstations
  • Policy and procedures for workstation and work
    areas
  • Storage of backup media
  • Re-use and disposal of media
  • More

13
Security, Organizational
  • Contracts between healthcare organization and its
    business partners must reflect these rules
  • Example: offsite backup company
  • But, who is a business partner (window washer??)
  • Group health plan documents must show they are
    following HIPAA rules

14
Security, Policies & Docs
  • Documentation about the security policies
  • Modification, retention, availability of these
    documents

15
Security, Technical
  • Access Controls / Unique User Identification
  • Assign a unique name and/or number for
    identifying and tracking user identity.
  • Access Controls / Emergency Access
  • Establish (and implement as needed) procedures
    for obtaining necessary electronic protected
    health information during an emergency.
  • Access Controls / Automatic Logoff
  • Implement electronic procedures that terminate
    an electronic session after a predetermined time
    of inactivity.

16
Security, Technical (2)
  • Access Controls / Data Encryption
  • Implement a mechanism to encrypt and decrypt
    electronic protected health information.
  • Audit Controls
  • Implement hardware, software, and/or procedural
    mechanisms that record and examine activity in
    information systems that contain or use
    electronic protected health information.
  • Data Integrity
  • Implement electronic mechanisms to corroborate
    that electronic protected health information has
    not been altered or destroyed in an unauthorized
    manner.

17
Security, Technical (3)
  • Person and Entity Authentication
  • Implement procedures to verify that a person or
    entity seeking access to electronic protected
    health information is the one claimed.
  • Transmission Security / Integrity
  • Implement security measures to ensure that
    electronically transmitted electronic protected
    health information is not improperly modified
    without detection until disposed of.
  • Transmission Security / Encryption
  • Implement a mechanism to encrypt electronic
    protected health information whenever deemed
    appropriate.

18
General observations
  • The HIPAA security rules give wide latitude for
    implementation.
  • They never say S/MIME or two-factor or password
    expiration.
  • This is by design, based on objections to early
    drafts.
  • Some items are required and some are addressable.
  • Definitions
  • You will hear a lot of talk about this
  • Domino/Notes can meet all of the HIPAA security
    rules.

19
HIPAA and Notes/Domino
  • Notes ID files and Internet accounts in the NAB
    provide unique identification of each person.
  • Do not assign shared generic IDs (such as
    AcctPayable)
  • Security rules should not get in the way of
    patient care.
  • Need way to get around security restrictions,
    for good medical care. Domino/Notes can
    accomplish this in several ways. (Ideas??)
  • Auto logoff built into Notes security
    preferences.

20
HIPAA and Notes/Domino (2)
  • Data encryption via encrypted fields or database
    encryption.
  • Audit trails via server log, web log, database
    user activity, transaction logging, event
    records, 3rd party products.
  • Encryption (and other methods) achieve data
    integrity.
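The Data Integrity requirement on slide 16 and the claim on slide 20 that encryption achieves integrity deserve a caveat: an unauthenticated cipher hides ePHI but does not detect changes, while a MAC over the ciphertext does. The following added example (not Domino/Notes code, with a constructed key, nonce and record) shows a stored record being corrupted: plain encryption decrypts it silently to wrong data, encrypt-then-HMAC rejects it.

```python
import hashlib
import hmac

# Added example, not Domino/Notes code. A hash-counter keystream stands in for
# any unauthenticated cipher mode; HMAC supplies the integrity check.

def derive(key: bytes, label: bytes) -> bytes:
    # Separate keys for confidentiality and integrity, derived from one secret.
    return hashlib.sha256(label + key).digest()

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(0, length, 32):
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encrypt and decrypt are the same XOR: a changed ciphertext byte changes
    # the same plaintext byte, and nothing notices.
    ks = keystream(derive(key, b"enc"), nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, so any alteration
    # of the stored record is detected before decryption.
    ct = xor_crypt(key, nonce, plaintext)
    tag = hmac.new(derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes):
    # Returns the plaintext, or None when the record fails the integrity check.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_crypt(key, nonce, ct)

def demo() -> tuple:
    key = b"constructed demo key, never reuse"   # constructed
    nonce = bytes(range(16))                     # constructed; use a fresh random nonce per record
    record = b"patient=1234;dx=hypertension"     # constructed ePHI
    # Encryption only: corrupt one stored byte; decryption returns wrong data silently.
    ct = bytearray(xor_crypt(key, nonce, record))
    ct[-1] ^= 0x01
    silent = xor_crypt(key, nonce, bytes(ct))
    # Encrypt-then-MAC: the same corruption is caught.
    blob = bytearray(seal(key, nonce, record))
    blob[16 + len(record) - 1] ^= 0x01
    intact = open_sealed(key, seal(key, nonce, record))
    return silent != record, open_sealed(key, bytes(blob)) is None, intact == record
```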

21
HIPAA and Notes/Domino (3)
  • Notes IDs and Domino web accounts ensure positive
    identification of each user.
  • Of course, no method is perfect and must be
    implemented correctly.
  • SSL and Notes port encryption.

22
HIPAA Audit Database
  • Tool I created, for free distribution
  • Posted on my Downloads page
  • Demonstration

23
Questions?
  • Contact info
  • Chuck Connell
  • chc-3.com
  • 781-939-0505