Yale CPSC 457 - The Technological Feasibility of HIPAA Requirements

This preview shows page 1-2-3-4-5 out of 15 pages.
The Technological Feasibility of HIPAA Requirements
Adam Cushner
White Paper
December 2003

Introduction

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a law designed "to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes."[1] HIPAA mandates that covered entities must employ technological means to ensure the privacy of sensitive information. This white paper studies the requirements put forth by HIPAA by examining what is technically necessary to implement them, how technologically feasible that is, and what commercial, off-the-shelf systems are currently available to implement these requirements.

HIPAA Overview

On July 21, 1996, Bill Clinton signed HIPAA into law. It was passed partly because of the failure of Congress to pass comprehensive health insurance legislation earlier in the decade. The general goals of HIPAA are to:
– Increase the number of employees who have health insurance;
– Reduce health care fraud and abuse;
– Introduce/implement administrative simplifications in order to augment the effectiveness of health care in the US;
– Protect the health information of individuals against access without consent or authorization;
– Give patients more rights over their private data;
– Set better boundaries for the use of medical information;
– Hold people accountable for misuse;
– Encourage administrative simplification (in the form of digitalization of information) to help reduce costs.

HIPAA affects covered entities, which are defined as:
– Health plans;
– Health care clearinghouses;
– Health care providers who transmit health information in electronic form for certain standard transactions.

Even though HIPAA was signed into law over seven years ago, its effects are mostly being felt now. This is because of its schedule of compliance:
– 10/16/2002 – Transactions and code sets
– 4/14/2003 – Privacy Rule
– 4/14/2003 – Business Associates
– 4/20/2005 – Security Rule

This delay stems from a provision in the original act stating that if Congress did not specify certain regulations by the end of 1999, the Department of Health and Human Services (HHS) had to do it. Congress did not meet its deadline, so HHS had to write up the regulations and give companies a chance to implement them.

The main parts of HIPAA covered in this paper are its Security Regulations and its Privacy Rule. Each of these directly involves certain technological changes that must be made in order to reach its goals. To simplify and standardize information exchange, Electronic Data Interchange (EDI) is adopted.

Privacy Rule

The Privacy Rule sets forth definitions for different types of information and allows certain things to be done with each type of information. There are:
– Protected Health Information (PHI);
– Individually Identifiable Health Information (IIHI);
– De-identified Health Information;
– Limited Data Sets.

Protected Health Information (PHI)

PHI is information that must be kept private unless patients sign detailed and specific patient authorizations that allow the data to be used by other parties. The treatment of PHI is analogous to the treatment of human tissue with regard to privacy. Perhaps the best way to keep Protected Health Information protected is through the use of Digital Rights Management (DRM). DRM provides a wrapper for a file that restricts what can be done with it to a defined set of uses. Sometimes, especially in the case of media files downloaded from the web, DRM will store a unique ID of the computer on which the file is allowed to be played. If another computer attempts to run the file, it will not work. Similar things could be done to make sure that only a certain set of computers has access to data. Certain aspects of DRM can be employed today.

Individually Identifiable Health Information (IIHI)

IIHI is defined as any subset of health information, including demographic information collected from an individual, that identifies the individual or gives a reasonable basis to believe that the information could be used to identify an individual.[2] In order to make it possible to distribute health information without causing the identification of individuals, HIPAA defines De-identified Health Information.

De-identified Health Information

Health information is considered de-identified when it does not identify an individual and the covered entity has no reasonable basis to believe that the information can be used to identify an individual. Information is considered de-identified if 17 identifiers are removed from the health information and if the remaining health information could not be used alone, or in combination, to identify the subject of the information. Identifiers include:[3]
(1) names;
(2) geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code to 000;
(3) all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89;
(4) telephone numbers;
(5) fax numbers;
(6) electronic mail addresses;
(7) Social Security numbers;
(8) medical record numbers;
(9) health plan beneficiary numbers;
(10) account numbers;
(11) certificate/license numbers;
(12) vehicle identifiers and serial numbers, including license plate numbers;
(13) device identifiers and serial numbers;
(14) Web Universal Resource Locator (URL);
(15) biometric identifiers, including finger or voice prints;
(16) full face photographic images and any comparable images;
(17) Internet Protocol address numbers;
(18) any other unique identifying number, characteristic or code.

The technological implementation that would enable this already exists in good database systems. In a database, views allow users to examine only parts of tables instead of the whole thing. In order to guarantee that information was de-identified, the database designer (or maintainer) could create a view that would allow users who did not have access to PHI or IIHI to see medical information stripped of the

Footnotes
[1] Public Law 104-191 (HIPAA)
[2] Public Law 104-191 (HIPAA)
[3] Public Law 104-191 (HIPAA)
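As an added illustration of the view-based de-identification the paper describes (example code written for this page, not part of the original white paper), the following Python/sqlite3 snippet builds a patient table holding several of the listed identifiers and a view that exposes only de-identified columns. The table layout, column names, the constructed rows and the choice to null out ages over 89 are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows (not real patients). The base table carries several
# identifier classes from the paper's list: name, ZIP, dates, age, SSN, MRN.
PATIENTS = [
    ("Ann Example", "06511", "1950-03-04", "2003-11-02", 53, "123-45-6789", "MRN001", "J45.9"),
    ("Bob Sample",  "06520", "1910-07-19", "2003-11-05", 93, "987-65-4321", "MRN002", "I10"),
]

DDL = """
CREATE TABLE patient (
    name TEXT, zip TEXT, birth_date TEXT, admit_date TEXT,
    age INTEGER, ssn TEXT, mrn TEXT, icd_code TEXT
);
-- The view is the only object a non-PHI role should be able to query.
-- Direct identifiers (name, ssn, mrn) are simply not selected; the
-- quasi-identifiers are generalised: ZIP to its first three digits, dates
-- to the year only, and ages over 89 to NULL (assumed treatment).
CREATE VIEW deidentified_patient AS
SELECT
    substr(zip, 1, 3)                         AS zip3,
    substr(birth_date, 1, 4)                  AS birth_year,
    substr(admit_date, 1, 4)                  AS admit_year,
    CASE WHEN age > 89 THEN NULL ELSE age END AS age,
    icd_code
FROM patient;
"""


def build_db():
    """Create an in-memory database with the base table and the view."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    conn.executemany("INSERT INTO patient VALUES (?,?,?,?,?,?,?,?)", PATIENTS)
    # SQLite has no GRANT; in a server DBMS the research role would receive
    # SELECT on deidentified_patient only, never on the patient table itself.
    return conn


def view_columns(conn):
    """Column names visible through the view (no name, ssn or mrn)."""
    cur = conn.execute("SELECT * FROM deidentified_patient")
    return [d[0] for d in cur.description]


def deidentified_rows(conn):
    """Rows as a non-PHI user would see them, ordered for determinism."""
    return conn.execute(
        "SELECT * FROM deidentified_patient ORDER BY birth_year"
    ).fetchall()
```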