HIPAA, Computer Security, and Domino/Notes - PowerPoint PPT Presentation
Presentation Transcript
HIPAA, Computer Security, and Domino/Notes

Chuck Connell, www.chc-3.com

What is HIPAA?
  • Health Insurance Portability and Accountability Act of 1996.
  • Large far-reaching health-care law from federal government.
  • Five main sections, which take effect on different dates.
  • www.cms.hhs.gov/hipaa/
So What? (There are lots of big federal laws.)
  • Healthcare is a $1.3T industry in the US, covering 14% of GNP.
  • It is one of the few growth sectors in the economy lately.
  • It is the only growth sector in the computer business over the last couple years.
  • It is likely that you or your business will be affected by HIPAA in some way.
    • Who has run into this already?
Five Sections of HIPAA
  • Title I, Insurance Reform (now)
  • Title II, Administrative Simplification
    • Privacy (April 03)
    • Transactions and Code Sets (Oct 03)
    • Identifiers (July 04)
    • Computer Security (April 05)
  • Small organizations have an extra year.
  • (These dates are a summary.)
Insurance Reform
  • Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
  • Largely eliminates problems with “pre-existing conditions”.
  • The greatest benefit of HIPAA for consumers.
Privacy
  • Defines who can see your medical information and how it can be used.
  • In general, the rules make sense, and are what you want.
    • Examples: Can always share information when medically necessary. Cannot shout your diagnosis across the waiting room.
  • You received “privacy notices” from your doctors last spring – for compliance with this privacy reg.
  • But there are many gray areas.
    • Should a hospital tell a caller that you are there?
    • Should the hospital accept flowers if you are there?
Transactions and Code Sets
  • There were many incompatible formats for the transmission and coding of medical information.
    • Organizations could not communicate electronically, because they could not agree on a file format.
    • A medical procedure might be known as A101 to one insurance company, but 55b to another.
  • HIPAA mandated standard medical codes, file formats, and electronic processing.
  • IT impact; all this is computerized.
  • Deadline just occurred – 10/03
    • Extended because the medical business was about to fall apart due to non-readiness.
Identifiers
  • A common standard for unambiguous identification of entities involved in healthcare.
  • Solves problem of Dr. Feelgood being known as provider XC-546-T3 to Blue Cross, but 12387624 to Tufts.
  • IT impact; much of this is computerized.
  • Deadline next summer; July 2004.
  • (Unique identification of individuals dropped due to political pressure.)
Computer Security
  • Five sub-sections
    • Administrative
    • Physical
    • Organizational
    • Policies, Procedures, Documentation
    • Technical
  • April 2005 deadline
Security, Administrative
  • Risk analysis, risk management
  • Identify responsible individual
  • User authorization / termination procedures
  • Virus protection
  • Log-in monitoring, threat reporting
  • Backup and disaster plan
  • More…
Security, Physical
  • Building security plan
  • Building access control and monitoring
  • Physical safeguard of workstations
  • Policy and procedures for workstation and work areas
  • Storage of backup media
  • Re-use and disposal of media
  • More…
Security, Organizational
  • Contracts between healthcare organization and its business partners must reflect these rules
    • Example: offsite backup company
    • But, who is a business partner (window washer??)
  • Group health plan documents must show they are following HIPAA rules
Security, Policies & Docs
  • Documentation about the security policies
  • Modification, retention, availability of these documents
Security, Technical
  • Access Controls / Unique User Identification

Assign a unique name and/or number for identifying and tracking user identity.

  • Access Controls / Emergency Access

Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

  • Access Controls / Automatic Logoff

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Security, Technical (2)
  • Access Controls / Data Encryption

Implement a mechanism to encrypt and decrypt electronic protected health information.

  • Audit Controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

  • Data Integrity

Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Security, Technical (3)
  • Person and Entity Authentication

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

  • Transmission Security / Integrity

Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

  • Transmission Security / Encryption

Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

General observations
  • The HIPAA security rules give wide latitude for implementation.
    • They never say S/MIME or two-factor or password expiration.
    • This is by design, based on objections to early drafts.
  • Some items are required and some are addressable.
    • Definitions
    • You will hear a lot of talk about this
  • Domino/Notes can meet all of the HIPAA security rules.
HIPAA and Notes/Domino
  • Notes ID files and Internet accounts in the NAB provide unique identification of each person.

Do not assign shared generic IDs (such as AcctPayable)

  • Security rules should not get in the way of patient care.

Need way to get around security restrictions, for good medical care. Domino/Notes can accomplish this in several ways. (Ideas??)

  • Auto logoff built into Notes security preferences.
HIPAA and Notes/Domino (2)
  • Data encryption via encrypted fields or database encryption.
  • Audit trails via server log, web log, database user activity, transaction logging, event records, 3rd party products.
  • Encryption (and other methods) achieve data integrity.
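As an added illustration (not from the slides, and not the author's HIPAA Audit Database), here is a small Python check that reads session log lines and flags the two Notes/Domino points made above: user IDs that are not a named person in the directory (shared IDs such as AcctPayable), and sessions that stay open past the automatic-logoff limit. The log line format, the names, and the 30-minute limit are constructed assumptions, not real Domino output.

```python
import re
from datetime import datetime

# Constructed sample lines, loosely modelled on Domino session-log entries.
# The exact log.nsf wording varies by release; this format is an assumption.
SAMPLE_LOG = """\
03/15/2004 08:02:11 AM  Opened session for Chuck Connell/CHC3
03/15/2004 08:21:30 AM  Closed session for Chuck Connell/CHC3 Databases accessed: 2 Documents read: 14 Documents written: 3
03/15/2004 09:10:05 AM  Opened session for AcctPayable/CHC3
03/15/2004 09:12:00 AM  Opened session for Nurse Station 3/CHC3
03/15/2004 11:55:40 AM  Closed session for AcctPayable/CHC3 Databases accessed: 1 Documents read: 200 Documents written: 0
"""

# Constructed stand-in for the people registered in the NAB (Domino Directory).
NAMED_PERSONS = {"Chuck Connell", "Jane Doe"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<event>Opened|Closed) session for (?P<user>[^/]+)/"
)

def parse_sessions(log_text):
    """Return (timestamp, event, user) for each session line in log_text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append((ts, m["event"], m["user"]))
    return events

def audit(log_text, named_persons=NAMED_PERSONS, max_minutes=30):
    """Flag IDs that are not named persons and sessions past the logoff limit."""
    findings = []
    flagged_ids = set()   # report each shared/generic ID once
    open_since = {}       # user -> time the current session opened
    for ts, event, user in parse_sessions(log_text):
        if user not in named_persons and user not in flagged_ids:
            flagged_ids.add(user)
            findings.append(f"ID is not a named person in the directory: {user}")
        if event == "Opened":
            open_since[user] = ts
        elif user in open_since:
            minutes = (ts - open_since.pop(user)).total_seconds() / 60
            if minutes > max_minutes:
                findings.append(f"session of {int(minutes)} min exceeds "
                                f"{max_minutes} min auto-logoff limit: {user}")
    for user in open_since:   # opened but never closed in this log extract
        findings.append(f"session never closed: {user}")
    return findings
```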
HIPAA and Notes/Domino (3)
  • Notes IDs and Domino web accounts ensure positive identification of each user.

Of course, no method is perfect and must be implemented correctly.

  • SSL and Notes port encryption.
HIPAA Audit Database
  • Tool I created, for free distribution
  • Posted on my Downloads page
  • Demonstration
Questions?
  • Contact info:
    • Chuck Connell
    • chc-3.com
    • 781-939-0505