
Security and Privacy: An Introduction to HIPAA

This Paper was developed by the Joint NEMA/COCIR/JIRA Security and Privacy Committee. The Paper has been approved by NEMA (National Electrical Manufacturers Association), Medical Imaging Informatics Section, http://www.nema.org/index_nema.cfm/704

February 14, 2001

Contents

1 Introduction to the Health Insurance Portability and Accountability Act ... 3
2 How HIPAA Affects the Health Care Sector ... 3
3 Privacy and Security Concepts of HIPAA ... 6
  3.1 Confidentiality ... 6
  3.2 Integrity ... 7
  3.3 Availability ... 8
4 Security Measures Required by HIPAA ... 8
  4.1 Authentication ... 8
  4.2 Authorization ... 9
  4.3 Accountability ... 9
  4.4 Integrity Proofing ... 9
  4.5 Secure Transfer ... 10
  4.6 Secure Storage ... 11
  4.7 Key Management ... 11
5 Privacy Legislations in Other Parts of the World ... 12
6 Conclusions ... 12

1 Introduction to the Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed by President Clinton on July 21, 1996 and has the general objectives to:

- Guarantee health insurance coverage of employees
- Reduce health care fraud and abuse
- Introduce/implement administrative simplifications in order to augment effectiveness and efficiency of the health care system in the United States
- Protect the health information of individuals against access without consent or authorization

Within HIPAA there are Administrative Simplification regulations that, in early 2001, are still in progress. The HIPAA Security and Electronic Signature Standards Notice of Proposed Rule Making defines security measures to be implemented in healthcare. This white paper gives an explanation of how this rule, and the final rule about privacy of individually identifiable health information that became law on December 28, 2000, impact the medical imaging world. This document is intended for educational purposes. It does not contain concise definitions nor mandatory guidelines, but instead outlines the main components of HIPAA that affect medical imaging equipment.

2 How HIPAA Affects the Health Care Sector

Covered Entities (CEs), as defined by HIPAA, are health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with certain standard transactions. These CEs need to support many different data formats and protocols; having only a single set of data formats and protocols will simplify administration. HIPAA defines standards for a set of transactions conducted in electronic form, while still allowing any non-standardized paper form for these transactions. The proposed security standard would apply to all health information that is electronically maintained or electronically transmitted. The approved privacy standard applies to individually identifiable health information transmitted or maintained in any form (oral, written, or electronic), called Protected Health Information (PHI). There are other regulations pending that deal with National Provider ID and National Employer ID; additional regulations will be proposed on National Health Plan ID, Claims Attachments, and National Individual Identifiers. We should think of HIPAA as an ongoing process to standardize the digitalization of health care information within the United States.

The United States government realized that by mandating patient records be sent over digital networks there would be fear that patient privacy could be compromised. To address this fear, the Department of Health and Human Services developed a standard set of security and privacy regulations to which the above mentioned CEs must adhere. As of this writing in February 2001, the latest published HIPAA regulation covers privacy of patient healthcare data. The privacy regulation gives patients specific privacy rights and defines specific rules, e.g. for health care providers, on how these rights must be protected. In order for a healthcare facility to protect privacy, a set of security measures must be put into effect.

In general, the healthcare industry has not focused on providing security and privacy features in their products. Health care providers, health care clearinghouses, health plans and insurance companies, and medical equipment and medical system vendors have all directed their efforts to treating the patient. Ethical considerations, whether codified in law or mandated by tradition, have governed the sharing of patient data. So what does this mean to healthcare and the vendors that serve it? It means that formal security and privacy practices and technologies will now need to be a part of the way these entities act and the products they develop.

CEs are required to become HIPAA compliant. HIPAA compliance is not simply purchasing new HIPAA compliant systems. Becoming HIPAA compliant means combining the security functionality that technology can provide with appropriate policies and procedures, as illustrated in Figure 1. Organizations must now assess risks and develop, document, implement, and maintain appropriate security measures to keep risk at an acceptable level. These security requirements will include a combination of administrative and technical measures covering four broad categories: administrative procedures, physical safeguards, technical security services, and technical security mechanisms.

A good example of a technical security mechanism is user identification. A system that has strong security measures built into it and that allows implementation and management of user passwords is not necessarily HIPAA compliant unless strong policies and procedures are also in place to govern their use. No amount of technology can prevent a helpdesk operator from granting unauthorized access to a network by resetting a password if an outsider can simply call in masquerading as an employee that has forgotten his or her password. Likewise, people that commonly write

[Figure 1: a risk mitigation grid with Policy/Procedure on one axis (Minimum to Maximum) and Technology on the other axis (Minimum to Maximum). The policy/technology pairs shown in the grid are: Policy: Singular Account Removal / Technology: Biometric Finger Print Access Control to CT Scanner; Policy: Singular Account Removal and Audit Usage / Technology: Centralized User Login; Policy: Removal of Account at Each CT / Technology: Local User Login into CT, Video Surveillance; Policy: Retrieve Physical Key and Manual Records of Key Ownership / Technology: Lock CT Room.]

Figure 1: As This Example of an Employee Termination Process Illustrates, HIPAA Compliance is a Combination of Processes and