What is HIPAA?
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA mandates the privacy and security of protected health information (PHI).
The HIPAA Security Rule was published in May 2003 and has been subject to enforcement for all covered entities since April 2005. Because email lets healthcare professionals communicate efficiently with patients, other doctors and other health professionals, healthcare organizations need to use real-time electronic communications, but they must do so securely.
HIPAA places a number of requirements on the health care industry’s information handling practices, and has direct impact on the operation of messaging systems.
Who is impacted by HIPAA?
Covered entities consist of healthcare providers, health plans (insurance, etc.) and healthcare clearinghouses (claims and transaction processors). Service personnel (accountants, lawyers, etc.) working on behalf of the covered entities are also subject to HIPAA requirements.
HIPAA IT Security Requirements
HIPAA dictates that organizations must ensure that:
Email messages containing protected health information are secured, even when transmitted over unencrypted links.
Senders and recipients are properly verified via person or entity authentication.
Email servers and the messages they contain are protected.
NIST (National Institute of Science and Technology) has published an information security guide that many believe will meet the requirements of HIPAA. This guide (An Introduction to Computer Security: The NIST Handbook) provides the specifics an organization needs to understand the scope of their compliance efforts.
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
At a high level, HIPAA requires that covered entities:
Have a documented process to protect PHI and detect/correct security violations
Allow only authorized personnel to have access to PHI
Develop a process to respond in the event of a security breach
Periodically evaluate the organization’s ability to protect PHI
From a technology standpoint, strong cases can be made for organizations to implement:
Access controls: to ensure the wrong people do not get access to information
Detailed auditing of mail traffic: to track who is accessing data (and more importantly, prove it to the examiners)
Encryption: to authenticate sender and recipient, protect the message contents, and ensure a message hasn't been tampered with.
While HIPAA does not specify particular technologies that should be used to implement these rules, the regulation can be seen as an attempt to mandate best practices for information security, and, for the purposes of this paper, messaging security.
Penalties Associated With Non-Compliance With HIPAA
The general penalty for failure to comply with HIPAA regulations is:
Each violation: $100
Maximum penalty for all violations of an identical requirement: may not exceed $25,000
Penalties for Wrongful Disclosure of INDIVIDUALLY Identifiable Health Information include:
Wrongful disclosure offense: $50,000, imprisonment of not more than one year or both
Offense under false pretenses: $100,000, imprisonment of not more than five years, or both
Offense with intent to sell information: $250,000, imprisonment of not more than ten years, or both.