HIPAA

HIPAA Regulations Timeline

HIPAA (Health Insurance Portability and Accountability Act) could be considered a work in progress. Here is a brief history of how the regulations were developed by the Department of Health and Human Services (DHHS):

  • November 3, 1999 HIPAA Standards for Privacy published in the Federal Register.
  • December 20, 2000 Final HIPAA privacy regulations are issued in a 1500+ page document.
  • February 28, 2001 HIPAA rules reopen for public comment. Compliance date is pushed back.
  • July 8, 2001 DHHS releases the first HIPAA privacy guidance statements.
  • February 20, 2002 DHHS releases further information about delay in implementation of HIPAA guidelines to April 2003 and to 2004 for smaller organizations.

Summary of HIPAA Procedures

Summary of HIPAA Administrative Procedures

  • Security certification: Independent mechanisms for security compliance
  • Chain of trust: Agreements establishing equal security and integrity protection between trading partners
  • Contingency plan: Covers standard business continuity plans
  • Processing records mechanism: Describes how information is manipulated
  • Information access control: Describes access authorization, establishment, and modification
  • Internal audit: Establishes how an organization will internally monitor compliance on a regular basis

HIPAA unique security requirements for Doctors

One important behavior of doctors is that they tend to be highly mobile. Doctors perform patient rounds in a hospital or travel from their offices to clinics or other hospitals. As a result, any solution must incorporate the mobility they require. Along with this mobility comes the challenge of being able to interface with various devices and systems. Given that hospitals, clinics, offices, and other places where doctors will need access to information will all have different systems, a solution for security must incorporate the factor of a homogenous system base.

Another aspect of doctor interactions is that many administrative tasks, such as claims processing and billing, are not directly managed by the doctor, but rather delegated to a trusted administrative assistant. As a result, issues of confidentiality and nonrepudiation must take into account that a patient's information will be handled by numerous individuals whom the doctor trusts to keep it confidential.

Biometrics and HIPAA

Biometrics is the field in which devices are created that can identify individuals based on physiological or behavioral characteristics, or both. In theory it is easy to forge digital authentication such as user names and passwords, but it is very difficult to forge biometrically identifiable components, such as fingerprints. The advantage of modern biometric technology is that it is very convenient and provides for higher security than most other forms of authentication. Traditionally, these security techniques were used only in highly secure facilities; however, due to reduced costs in manufacturing and other advances, it is now affordable to bring biometrics to the corporation (and even to the mass market for some methods).

Biometrics have become interesting for the healthcare industry because they address the key problems for security and privacy: they are cheap, mobile, and (relatively) very secure. To meet the requirements of HIPAA, organizations have begun to look at biometrics as a possible component. Biometrics by themselves won't solve HIPAA compliance issues. Additionally, healthcare organizations still have to create a method for nonrepudiation for digitally signed transactions. This, of course, can happen only through the use of digital certificates. By combining the access to the terminal or digital certificate with a biometric device, we have achieved good security practices and HIPAA compliance for many healthcare organizations' tasks.
