Hipaa computer security and domino notes
1 / 23

HIPAA, Computer Security, and Domino/Notes - PowerPoint PPT Presentation

  • Uploaded on

HIPAA, Computer Security, and Domino/Notes. Chuck Connell, www.chc-3.com. What is HIPAA?. Health Insurance Portability and Accountability Act of 1996. Large far-reaching health-care law from federal government. Five main sections, which take effect on different dates. www.cms.hhs.gov/hipaa/.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'HIPAA, Computer Security, and Domino/Notes' - ata

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Hipaa computer security and domino notes

HIPAA, Computer Security, and Domino/Notes

Chuck Connell, www.chc-3.com

What is hipaa
What is HIPAA?

  • Health Insurance Portability and Accountability Act of 1996.

  • Large far-reaching health-care law from federal government.

  • Five main sections, which take effect on different dates.

  • www.cms.hhs.gov/hipaa/

So what there are lots of big federal laws
So What? (There are lots of big federal laws.)

  • Healthcare is a $1.3T industry in the US, covering 14% of GNP.

  • It is one of the few growth sectors in the economy lately.

  • It is the only growth sector in the computer business over the last couple years.

  • It is likely that you or your business will be affected by HIPAA in some way.

    • Who has run into this already?

Five section of hipaa
Five Section of HIPAA

  • Title I, Insurance Reform (now)

  • Title II, Administrative Simplification

    • Privacy (April 03)

    • Transactions and Code Sets (Oct 03)

    • Identifiers (July 04)

    • Computer Security (April 05)

  • Small organizations have an extra year.

  • (These dates are a summary.)

Insurance reform
Insurance Reform

  • Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.

  • Largely eliminates problems with “pre-existing conditions”.

  • The greatest benefit of HIPAA for consumers.


  • Defines who can see your medical information and how it can be used.

  • In general, the rules make sense, and are what you want.

    • Examples: Can always share information when medically necessary. Cannot shout your diagnosis across the waiting room.

  • You received “privacy notices” from your doctors last spring – for compliance with this privacy reg.

  • But there are many gray areas.

    • Should a hospital tell a caller that you are there?

    • Should the hospital accept flowers if you are there?

Transactions and code sets
Transactions and Code Sets

  • There were many incompatible formats for the transmission and coding of medical information.

    • Organizations could not communicate electronically, because they could not agree on a file format.

    • A medical procedure might be known as A101 to one insurance company, but 55b to another.

  • HIPAA mandated standard medical codes, file formats, and electronic processing.

  • IT impact; all this is computerized.

  • Deadline just occurred – 10/03

    • Extended because the medical business was about to fall apart due to non-readiness.


  • A common standard for unambiguous identification of entities involved in healthcare.

  • Solves problem of Dr. Feelgood being known as provider XC-546-T3 to Blue Cross, but 12387624 to Tufts.

  • IT impact; much of this is computerized.

  • Deadline next summer; July 2004.

  • (Unique identification of individuals dropped due to political pressure.)

Computer security
Computer Security

  • Five sub-sections

    • Administrative

    • Physical

    • Organizational

    • Policies, Procedures, Documentation

    • Technical

  • April 2005 deadline

Security administrative
Security, Administrative

  • Risk analysis, risk management

  • Identify responsible individual

  • User authorization / termination procedures

  • Virus protection

  • Log-in monitoring, threat reporting

  • Backup and disaster plan

  • More…

Security physical
Security, Physical

  • Building security plan

  • Building access control and monitoring

  • Physical safeguard of workstations

  • Policy and procedures for workstation and work areas

  • Storage of backup media

  • Re-use and disposal of media

  • More…

Security organizational
Security, Organizational

  • Contracts between healthcare organization and its business partners must reflect these rules

    • Example: offsite backup company

    • But, who is a business partner (window washer??)

  • Group health plan documents must show they are following HIPAA rules

Security policies docs
Security, Policies & Docs

  • Documentation about the security policies

  • Modification, retention, availability of these documents

Security technical
Security, Technical

  • Access Controls / Unique User Identification

    Assign a unique name and/ or number for identifying and tracking user identity.

  • Access Controls / Emergency Access

    Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

  • Access Controls / Automatic Logoff

    Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Security technical 2
Security, Technical (2)

  • Access Controls / Data Encryption

    Implement a mechanism to encrypt and decrypt electronic protected health information.

  • Audit Controls

    Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

  • Data Integrity

    Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Security technical 3
Security, Technical (3)

  • Person and Entity Authentication

    Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

  • Transmission Security / Integrity

    Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

  • Transmission Security / Encryption

    Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

General observations
General observations

  • The HIPAA security rules give wide latitude for implementation.

    • They never say S/MIME or two-factor or password expiration.

    • This is by design, based on objections to early drafts.

  • Some items are required and some are addressable.

    • Definitions

    • You will hear a lot of talk about this

  • Domino/Notes can meet all of the HIPAA security rules.

Hipaa and notes domino
HIPAA and Notes/Domino

  • Notes ID files and Internet accounts in the NAB provide unique identification of each person.

    Do not assign shared generic IDs (such as AcctPayable)

  • Security rules should not get in the way of patient care.

    Need way to get around security restrictions, for good medical care. Domino/Notes can accomplish this in several ways. (Ideas??)

  • Auto logoff built into Notes security preferences.

Hipaa and notes domino 2
HIPAA and Notes/Domino (2)

  • Data encryption via encrypted fields or database encryption.

  • Audit trails via server log, web log, database user activity, transaction logging, event records, 3rd party products.

  • Encryption (and other methods) achieve data integrity.

Hipaa and notes domino 3
HIPAA and Notes/Domino (3)

  • Notes IDs and Domino web accounts ensure positive identification of each user.

    Of course, no method is perfect and must be implemented correctly.

  • SSL and Notes port encryption.

  • SSL and Notes port encryption.

Hipaa audit database
HIPAA Audit Database

  • Tool I created, for free distribution

  • Posted on my Downloads page

  • Demonstration

Questions ?

  • Contact info:

    • Chuck Connell

    • chc-3.com

    • 781-939-0505