HIPAA will mandate new requirements in three key areas:
- Standardization of electronic patient health, administrative and financial data
- Unique health identifiers for individuals, employers, health plans and health care providers
- Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future
By October 2002, health systems will have to be in compliance with the Transactions Rules. A recent amendment does allow a health system to file for a one-year extension based on having a concrete HIPAA action plan in place. By April 14, 2003, compliance is required on the Privacy Rule. In less than two years, thousands of health systems and physician practices will have to be HIPAA-compliant. Some are saying that the preparation, expense and deployment time will be greater than Y2K.
Until recently, patient record and other security issues have prevented widespread use of the Internet in health care applications. But new guidelines published by the Health Care Financing Administration (HCFA) establish the first set of definitive security standards covering sensitive health care information. HIPAA builds on HCFA's groundbreaking work with proposed security standards that will bring the full benefits and cost-saving advantages of Internet technology to the health care industry.
HCFA's Internet Security Policy
The HCFA guidelines are more explicit than those cited in HIPAA security proposals. HCFA's policy outlines specific requirements in three areas: encryption, authentication and identification.
Encryption specifications permit three alternatives or their equivalents:
- Triple DES (defined as 112-bit equivalent) for symmetric encryption,
- 1024-bit algorithms for asymmetric encryption, or
- 160-bit elliptic curve forms of encryption.
Authentication, which must occur at the beginning of each session, is permitted using one of four methods:
- locally managed digital certificates, provided all parties are covered,
- use of third-party certificate authorities,
- self-authentication as an internal control of private keys, or
- tokens or smart cards.
Identification of users, which may involve exchange of passwords, is a one-time task that occurs when users establish the Internet account.
HCFA states that technologies that allow users to prove they are who they say they are [proof of identity] (authentication or identification), and the organized scrambling of data [privacy of information] (encryption) to avoid inappropriate disclosure or modification, must be used to ensure that data travels safely over the Internet and is only disclosed to authorized parties. HCFA specifications conform to the three P's of VPN security:
- Protection of Resources
- Proof of Identity
- Privacy of Information
"It is permissible to use the Internet for transmission of HCFA Privacy Act-protected and/or other sensitive HCFA information, as long as an acceptable method of encryption is utilized to provide for confidentiality and integrity of this data, and that authentication or identification procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorized to receive and decrypt such information." -- HCFA Internet Security Policy

Changes to the business associate (i.e. a transcription company) requirements are designed to ease some of the administrative and financial burdens associated with re-negotiating existing agreements. The modifications add a new transition period to the Privacy Rule that effectively extends the deadline for complying with the business associate contract requirements. Under the modified rule, certain existing vendor contracts would be deemed to comply with the requirements for business associate contracts for up to one additional year beyond the Privacy Rule's April 14, 2003 compliance date (the "Compliance Date"). Under the modified rule, covered entities may take advantage of the transition period with respect to those of their vendor contracts which: (a) are in existence prior to the effective date of the modified rule, and (b) do not expire or are not modified or amended prior to the Compliance Date.
The proposed Security Rule required a "chain of trust partner agreement" between parties exchanging data electronically. In keeping with the goal of aligning Privacy and Security requirements, Section 164.314 of the final Security Rule requires a Business Associate agreement, which is already required by the Privacy Rule. For relationships where a third party is used to create, receive, maintain or transmit EPHI (Electronic Protected Health Information) on the covered entity's behalf, the Security Rule requires the business associate to:
- Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the covered entity's EPHI;
- Ensure that its agents and subcontractors to whom it provides EPHI meet the same standard;
- Report to the covered entity any security incident of which it becomes aware; and
- Ensure that the contract authorizes termination if the business associate has violated a material term.
The Security Rule adopts the Privacy Rule's exceptions to the agreement requirement for disclosures to providers for treatment, exchanges of information between government entities, and exchanges between group health plans and their sponsors. However, it does not adopt the Privacy Rule's exception for covered entities participating in an organized health care arrangement (OHCA). This section also applies the Security Rule provisions to affiliated entities, hybrid entities and group health plans, again increasing the new Rule's compatibility with Privacy Rule provisions for these entities.
For more information on HIPAA compliance, go to: http://www.hipaacomply.com/
For more information on HIPAA, please go to the Centers for Medicare and Medicaid Services: http://www.cms.hhs.gov/hipaa/