HIPAA unique security requirements for Doctors
One important behavior of doctors is that they tend to be highly mobile. Doctors perform patient rounds in a hospital or travel from their offices to clinics or other hospitals. As a result, any solution must incorporate the mobility they require. Along with this mobility comes the challenge of interfacing with various devices and systems. Given that hospitals, clinics, offices, and the other places where doctors will need access to information will all run different systems, a security solution must provide a homogeneous base across those differing systems.
Another aspect of doctor interactions is that many administrative tasks, such as claims processing and billing, are not directly managed by the doctor, but rather delegated to a trusted administrative assistant. As a result, issues of confidentiality and non-repudiation must take into account that a patient's information will be handled by numerous individuals whom the doctor trusts to keep it confidential.
The last feature of doctors' requirements is that they often do not use dedicated terminals when going about their business. Most workstations are shared, sometimes among dozens of people (nurses, doctors, administrators, and others). As a result, doctors must be able to identify themselves at a shared terminal, with reasonably quick access time, and then terminate that access almost as quickly.
HIPAA guidelines stipulate the following additional criteria:
1. Need for unique individual identification that identifies the specific person responsible for a transaction.
2. Need for persistent personal roles. This means that a role (for example, that of a doctor) exists regardless of the managed care plans the doctor is a member of. This is critical in the case that a doctor's license status has changed. For example, if a doctor's medical license has been revoked, all relevant parties need to know this information. This is a change in a persistent role, regardless of the doctor's patients or managed care plan. In addition, healthcare organizations may apply general policies to a role. For example, all doctors in a particular managed care plan may be required to have a certain level of authentication, which may include a check on the doctor's medical license and a verification of personal information.
3. Need to support delegate, or proxy, roles. For example, many individuals in a healthcare organization, whether a hospital or a clinic, will delegate specific administrative duties to another, trusted individual. Doctors frequently delegate billing tasks to administrative staff; however, the billing tasks include references to diagnostic codes and other sensitive information.
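The three criteria above can be modeled as a small access-control directory. This is an added example, not code from the original article: it assumes a hypothetical role-to-task policy (`ROLE_PERMISSIONS`, `DELEGABLE_TASKS`) and constructed user IDs, and shows a persistent role surviving a license revocation, a proxy role limited to delegable tasks, and an audit entry that names the individual responsible for each transaction.

```python
from dataclasses import dataclass, field

# Hypothetical policy (assumption, not from HIPAA text): which persistent role may
# perform which task, and which tasks may be handed to a proxy. Clinical tasks
# such as prescribing are deliberately not delegable.
ROLE_PERMISSIONS = {"doctor": {"view_record", "prescribe", "billing"}, "assistant": set()}
DELEGABLE_TASKS = {"billing"}

@dataclass
class Person:
    user_id: str              # unique individual identifier (criterion 1)
    role: str                 # persistent role, independent of any care plan (criterion 2)
    license_active: bool = True

@dataclass
class Directory:
    people: dict = field(default_factory=dict)
    delegations: set = field(default_factory=set)   # (principal_id, delegate_id, task)
    audit: list = field(default_factory=list)       # who did what, on whose behalf

    def add(self, person):
        self.people[person.user_id] = person

    def revoke_license(self, user_id):
        # The role itself persists; only its standing changes, and every relying
        # party that consults this directory sees the change at once.
        self.people[user_id].license_active = False

    def delegate(self, principal_id, delegate_id, task):
        # Criterion 3: a proxy role, restricted to tasks the policy allows to be delegated.
        if task not in DELEGABLE_TASKS:
            raise ValueError(f"{task} may not be delegated")
        self.delegations.add((principal_id, delegate_id, task))

    def authorize(self, actor_id, task, on_behalf_of=None):
        """Return True if the actor may perform the task. Every decision is audited
        with the actor named as the responsible individual, never the principal."""
        actor = self.people[actor_id]
        if on_behalf_of is None:
            allowed = actor.license_active and task in ROLE_PERMISSIONS[actor.role]
        else:
            principal = self.people[on_behalf_of]
            allowed = (principal.license_active
                       and task in ROLE_PERMISSIONS[principal.role]
                       and (on_behalf_of, actor_id, task) in self.delegations)
        self.audit.append({"responsible": actor_id, "on_behalf_of": on_behalf_of,
                           "task": task, "allowed": allowed})
        return allowed
```

Because the delegate's own ID is written to the audit record, a billing transaction remains attributable to the assistant who performed it while the delegation entry ties it back to the doctor.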
CompliancesForum provides free templates, checklists, and updates for your regulatory compliance needs: Basel II Accord, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOX).