

Post navigation

← Ten HIPAA Questions Answered
Compliance and Employee Buy-In →

HIPAA Security Explored

Posted on January 21, 2012 by Kathleen Rand

A significant provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. To date, the implementation of HIPAA standards has increased the use of electronic data interchange. The Affordable Care Act of 2010 extends this with additional transaction standards and operating rules that covered entities must adopt, requires health plans to certify their compliance, and provides substantial penalties for failure to certify or comply.

Given the above, we are going to explore some issues pertaining to HIPAA computer and technology security.

One of the first steps is to understand why computer security in healthcare is so important. The question is almost rhetorical: everyone cares about the privacy and integrity of their own health information. In most cases, the point of computer security is to prevent personal health information from falling into the wrong hands or being altered or destroyed, whether by accident or on purpose.

The HIPAA security standards (the Security Rule) apply to protected health information (PHI) that is stored or transmitted electronically, often called ePHI. PHI is individually identifiable health information in any form; the Security Rule covers its electronic form, while the Privacy Rule covers PHI in every form, paper included.

Computers have made the issue of identity much more problematic. People have always been able to use someone else's identity for criminal purposes, but the problem is aggravated when we cannot use physical means to confirm who someone is. How do you know the person whose name is attached to an electronic health record (EHR) entry really made it? Without strong user authentication and tamper-resistant audit logs, you do not; the Security Rule's person or entity authentication and audit control standards exist for exactly this reason. The bottom line is this: computer security is needed to protect the privacy of those whose information is stored and managed, and to protect the organization from penalties and legal liability if that information is improperly used or disclosed.

The HIPAA security standards require healthcare organizations to have written security policies and procedures, including those that cover personnel training and sanctions for security policy violations. Your office staff and colleagues must truly understand basic security logic and take their role in protecting patients’ privacy very seriously.

The HIPAA security standards require your practice to designate a security official who is responsible for its security policies and procedures, so the tasks above naturally belong to that person. An organization must also understand what encryption does and when it is needed. Contrary to what many people say, the HIPAA security standards do not flatly require e-mail, or any other transmission from a doctor's office, to be encrypted: encryption is an "addressable" implementation specification. That does not make it optional. Your practice must assess whether its unencrypted transmissions of health information are at risk of being read by unauthorized parties, implement encryption where doing so is reasonable and appropriate, and otherwise document why it is not and what equivalent safeguard is used instead.

Encryption transforms a message from readable plain text into cipher text that carries no meaning to anyone who does not hold the key. Someone who steals the cipher text cannot read it. Only a party holding the corresponding key can turn the cipher text back into plain text: with symmetric encryption that is the same key used to encrypt, with public-key encryption it is the matching private key. The protection is therefore only as good as the protection of the key, which is why key management (who holds keys, where they are stored, how they are replaced when an employee leaves) belongs in the written security policies. Modern authenticated encryption modes also detect any alteration of the cipher text, so they address the integrity concern as well as confidentiality.
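As an added illustration of the paragraph above (this is example code written for this page, not code from the original post or from BHM), the following Go program seals a constructed EHR note with AES-256-GCM, an authenticated encryption mode from Go's standard library, and then shows what happens when the key is wrong, when a single bit of the cipher text is altered, or when the header naming the record's author is swapped. The sample note, the header, and the function names (newKey, encryptRecord, decryptRecord) are all invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record for the example; not real patient data.
const sampleNote = "MRN 000123 | J. Doe | 2012-01-21 | Dx: seasonal influenza; oseltamivir 75mg bid x5d"

// Constructed header, bound to the cipher text as associated data: it is
// authenticated but not encrypted, so the record can be indexed by ID and
// author without revealing the note, and the cipher text cannot be silently
// re-labelled with a different author or attached to a different record.
const sampleHeader = "record=000123-7;author=krand"

// newKey returns a fresh random 256-bit AES key (hypothetical helper; a real
// deployment would fetch the key from a key store, never generate and discard it).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptRecord seals plaintext with AES-256-GCM under key and binds header as
// associated data. Output layout: nonce || ciphertext || authentication tag.
// A fresh random nonce is drawn per call; reusing a nonce under the same key
// destroys GCM's guarantees, so never derive it from anything predictable.
func encryptRecord(key, plaintext, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the nonce travels with the record.
	return gcm.Seal(nonce, nonce, plaintext, header), nil
}

// decryptRecord reverses encryptRecord. It returns an error, and no plaintext
// at all, if the key is wrong, the header differs, or any byte of the
// ciphertext or tag has been altered.
func decryptRecord(key, sealed, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, header)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	hdr := []byte(sampleHeader)
	sealed, err := encryptRecord(key, []byte(sampleNote), hdr)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed record: %d bytes, first 16: %x (unreadable without the key)\n", len(sealed), sealed[:16])

	plain, err := decryptRecord(key, sealed, hdr)
	fmt.Printf("right key, intact: %q err=%v\n", plain, err)

	wrongKey, _ := newKey()
	_, err = decryptRecord(wrongKey, sealed, hdr)
	fmt.Println("wrong key:", err)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01 // flip one bit inside the ciphertext body
	_, err = decryptRecord(key, tampered, hdr)
	fmt.Println("one bit altered:", err)

	_, err = decryptRecord(key, sealed, []byte("record=000123-7;author=someone_else"))
	fmt.Println("author header swapped:", err)
}
```

Run it with go run; the cipher text differs on every run because the nonce is random, but the outcomes do not: the sealed record is unreadable without the key, and every alteration, including re-labelling it with a different author, is rejected rather than silently accepted. The program throws its key away at exit, which is the one thing a real system must not do; where the key lives, who can reach it, and how it is replaced is the part of encryption that policy has to cover.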

For several reasons, encryption has generally not been employed for information stored on a computer's hard disk or transferred within an office's local area network. First, the risk of disclosure to unauthorized parties is smaller in a closed environment. Second, encrypting data costs money and effort, key management included. Third, encryption can slow down the movement of information within software applications and databases. Two caveats apply. A laptop, backup tape or USB drive that leaves the building is not a closed environment, and lost or stolen portable devices are a common source of large PHI breaches; full-disk encryption on such devices is inexpensive, and under the HHS breach notification guidance PHI that is encrypted in accordance with that guidance is treated as secured, so its loss does not trigger notification. And on current hardware the performance cost of encryption is usually small next to the cost of a breach, so the assessment should be made per system rather than assumed.

The HIPAA security standards require an organization to obtain written assurances, in a business associate agreement, from each business associate that it will implement the necessary safeguards to protect the confidentiality, integrity and availability of the electronic health information it creates, receives, maintains or transmits on behalf of the organization.

Remember that there is no one-size-fits-all approach to computer security. What counts is being "reasonable and appropriate" when matching security measures to the level of risk in an organization's situation, and the Security Rule's required starting point for that matching is a documented risk analysis that is revisited as systems and threats change.

This entry was posted in Compliance and tagged affordable care act, compliance in healthcare, health care reform, Healthcare consulting firm, HIPAA. Bookmark the permalink.

BHM Healthcare Solutions
Healthcare Management and Consulting Firm Improving Financial &
Operational Performance of Health Care Enterprises
Suite 102, 1033 Corporate Square Drive St. Louis, MO 63132
888-831-1171 Office, 888-818-2425 Fax
email: results@bhmpc.com

 


Copyright © 2011 BHM. All rights reserved