Health Care

The Health Insurance Portability and Accountability Act (HIPAA) requires all healthcare organizations using electronic protected health information (ePHI), as well as some third-party vendors (business associates) that handle that information, to comply with federal regulations aimed at protecting the privacy of patient data.

We've updated our original "HIPAA risk calculator" from 2002 to reflect changes and updates to the HIPAA regulations. In particular, the Final Rule regarding Provider IDs was announced in January 2004 and applications became available in May 2005. The dates for compliance are May 2007 for large plans and May 2008 for small plans, but the time to start planning for the changes is now. Compliance officers and consultants can use the questionnaire in this spreadsheet to check the status of a firm's HIPAA compliance efforts.

Answers to the fifty (50) questions in this risk calculator help covered entities determine the status of compliance efforts in the areas of HIPAA Privacy, Standardization of Code Sets, Security, National Provider Identifier, and Monitoring.

Download Page

Perhaps the most complex aspect of the healthcare vertical is the payment systems. Generally, a subscriber to a managed care plan pays some deductible, with an employer of that patient paying the rest to the managed care plan. The doctors who are part of those plans bill the plan directly for services rendered.

There may be intermediary services to which doctors subscribe to determine the eligibility of the patient. Hospitals also may bill patients and/or managed plans and have doctors, who may also be part of those plans, whom they need to pay. As you can see, the payment aspect can be quite complicated. In the end, the question of who pays is perhaps best answered by asking who benefits from these security solutions. Beneficiaries can be examined in two categories: those parties who would benefit from more cost-efficient solutions enabled by security technology, and those parties who are required to adhere to specific compliance regulations.

HIPAA (HIPAA(Health Insurance Portability and Accountability Act) could be considered a work in progress. Here is a brief history of how the regulations were developed by the Department of Health and Human Services (DHHS)

• November 3, 1999 HIPAA Standards for Privacy published in the Federal Register.
• December 20, 2000 Final HIPAA privacy regulations are issued in a 1500+.page document.
• February 28, 2001 HIPAA rules reopen for public comment. Compliance date is pushed back.
• July 8, 2001 DHHS releases the first HIPAA privacy guidance statements.
• February 20, 2002 DHHS releases further information about delay in implementation of HIPAA guidelines to April 2003 and to 2004 for smaller organizations.

Summary of HIPAA Administrative Procedures

• Security certification, Independent mechanisms for security compliance
• Chain of trust, Agreements establishing equal security and integrity protection between trading partners
• Contingency plan, Covers standard business continuity plans
• Processing records mechanism, Describes how information is manipulated
• Information access control, Describes access authorization, establishment, and modification
• Internal audit, Establishes how an organization will internally monitor compliance on a regular basis

One important behavior of doctors is that they tend to be highly mobile. Doctors perform patient rounds in a hospital or travel from their offices to clinics or other hospitals. As a result, any solution must incorporate the mobility they require. Along with this mobility comes the challenge of being able to interface with various devices and systems. Given that hospitals, clinics, offices, and other places where doctors will need access to information will all have different systems, a solution for security must incorporate the factor of a homogenous system base.

Another aspect of doctor interactions is that many administrative tasks, such as claims processing and billing, are not directly managed by the doctor, but rather delegated to a trusted administrative assistant. As a result, issues of confidentiality and non repudiation must take into account that a patient's information will be handled by numerous individuals whom the doctor trusts to keep it confidential.

Biometrics is the field in which devices are created that can identify individuals based on physiological or behavioral characteristics, or both. In theory it is easy to forge digital authentication such as user names and passwords, but it is very difficult to forge biometrically identifiable components, such as fingerprints. The advantage of modern biometric technology is that it is very convenient and provides for higher security than most other forms of authentication. Traditionally, these security techniques were used only in highly secure facilities; however, due to reduced costs in manufacturing and other advances, it is now affordable to bring biometrics to the corporation (and even to the mass market for some methods).

Biometrics have become interesting for the healthcare industry because they solve the key problems for security and privacy: cheap, mobile, and (relatively) very secure. To meet the requirements of HIPAA, organizations have begun to look at biometrics as a possible component. Biometrics by themselves won't solve HIPAA compliance issues. Additionally, healthcare organizations still have to create a method for nonrepudiation for digitally signed transactions. This, of course, can happen only through the use of digital certificates. By combining the access to the terminal or digital certificate with a biometric device, we have achieved good security practices and HIPAA compliance for many healthcare organizations' tasks.