Healthcare Industry (HIPAA) and Data Security
ArticSoft Products provide you with the following benefits for health data security:
- Complete client confidentiality
- Medical record privacy / security
- Removes potential liability for disclosure
- Certainty information came from you
- Compliance with current privacy legislation
- Prevents viruses and hacking attacks
- Proof of source of documents
Background on HIPAA
The HIPAA Privacy Rule (effective April 14, 2003) and the HIPAA Security Rule (full compliance required by April 21, 2005) are federal law, and anyone not in compliance can face up to $250,000 in fines and jail time of up to 10 years.
The HIPAA Privacy Rule applies to protected health information (PHI) in all forms (oral, written, and electronic) and addresses the use and disclosure of an individual's health information. Its aim is to ensure that individuals' health information is properly protected and that individuals understand and control how their health information is used (i.e. ensuring the privacy of patients' health information). A summary of the HIPAA Privacy Rule can be viewed here.
The HIPAA Security Rule applies to PHI only in electronic form - essentially, patients' medical records and other personal health care information. It mandates that electronically stored or transmitted personal health information be kept confidential and protected against unauthorized users and any threats to its security or integrity (i.e. safeguarding patients' health information from unauthorized disclosure). The Rule is intended to set a minimum level or "floor" of security. Organizations may choose to implement safeguards that exceed the HIPAA standards - and, in fact, may find that their business strategies require stronger protections. The final HIPAA Security Rule can be viewed here.
Who does HIPAA affect?
It affects companies that store and transmit protected health information in electronic form, which includes (but is not limited to) health plans, health care clearinghouses and health care providers. These organizations are referred to as 'covered entities'.
It also applies to companies servicing customers in the health care industry and mandates that these "business associates" implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic personal health information that they access on behalf of the covered entity. Business associates may include lawyers, debt collection agencies, transcription agencies, laboratories and so on.
Why is there so much confusion surrounding HIPAA and compliance?
HIPAA is not legislation that sets standards for computer applications' functional capabilities. Like the international standard BS ISO/IEC 17799 Code of Practice for Information Security Management (which may have answers to most of the problems), it sets standards of behavior and requires the use of best practice. What you need to spend is related to what you can afford and to the damage that might occur if something goes wrong.
Such an approach seems to have struck fear into the hearts of many security practitioners, who appear unable to buy "HIPAA compliant" products without a fixed specification. The point is that there is no such thing as HIPAA compliant software, HIPAA providers, HIPAA EDI, a HIPAA firewall, or any other security term with the characters HIPAA placed in front of it. The issue is applying adequate security to your processes and treating patient data according to the HIPAA privacy regulation.
HIPAA compliance, medical information security, patient data security and data protection should all be the same thing. They are in Europe, where personal data is protected regardless of the sector processing it.
So the HIPAA requirement for a health care information system is whether medical record privacy is adequately protected. Put simply, it means unauthorized eyes can't see it, it doesn't get misused, and those using it can be identified.
How can I adequately protect health care information in accordance with the HIPAA?
Possibly the most difficult part of the HIPAA security regulation is showing accountability. One of the requirements HIPAA imposes is integrity of data (knowing if it has been altered). Audit Trails could be used but how do you know the audit trail itself has not been modified? The most secure answer is to deploy digital signature technology and PKI to protect information integrity.
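The question raised above, how to know that the audit trail itself has not been altered, can be answered by chaining each entry to the one before it and authenticating every entry with a key that the users writing the log do not hold. The example below is added here and is not ArticSoft code; it uses a keyed HMAC (a symmetric technique available in Python's standard library) instead of the PKI digital signatures the text recommends, so the assumed auditor-held key `AUDIT_KEY` is a constructed placeholder, and the log entries are constructed sample data. It also handles the edge case a bare hash chain misses: silently deleting the newest entries, which is caught only by comparing the chain head against a value stored outside the log.

```python
import copy
import hashlib
import hmac
import json

# Assumption for this example: the auditor holds this key and the staff who
# generate log entries do not, so they cannot recompute valid tags.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # "previous tag" for the very first entry


def _tag(body):
    """HMAC-SHA256 over a canonical JSON encoding of an entry without its tag."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log, actor, action, record_id):
    """Append an entry that is bound to its position and to the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "action": action,
             "record": record_id, "prev": prev}
    entry["tag"] = _tag(entry)
    log.append(entry)
    return entry


def verify_log(log, expected_head=None):
    """Return (ok, index). index is the first bad entry, or len(log) if the head
    does not match the externally stored head tag; None when everything checks out.
    Detects edited, reordered, and deleted entries; truncation of the newest entries
    is detected only when expected_head is supplied."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_tag(body), entry.get("tag", "")):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, None


def tampered_copy(log, index, **changes):
    """Deep-copy the log and alter one entry's fields (simulates an after-the-fact edit)."""
    altered = copy.deepcopy(log)
    altered[index].update(changes)
    return altered


def build_sample_log():
    """Constructed sample entries; actors and record ids are not real."""
    log = []
    append_entry(log, "dr_smith", "view", "patient-0001")
    append_entry(log, "billing", "export", "patient-0001")
    append_entry(log, "dr_jones", "update", "patient-0002")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["tag"]          # the auditor stores this outside the log
    print("clean log:", verify_log(log, head))
    print("edited actor:", verify_log(tampered_copy(log, 1, actor="nobody"), head))
    print("deleted middle entry:", verify_log(log[:1] + log[2:], head))
    print("truncated, no head check:", verify_log(log[:-1]))
    print("truncated, with head check:", verify_log(log[:-1], head))
```

In deployment the auditor-held key would be replaced by an asymmetric signing key, so that the signing side can be any logging component while verification needs only the public key; the chaining and head-anchoring logic stays the same.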
For some time now PKI has been hailed as the only way to comply with the HIPAA standard and to achieve health information privacy. However, full-scale PKI has so far proved too complex as an information security system, even for the largest HMOs.
To help simplify HIPAA implementation, ArticSoft products are PKI enabled, but without having to implement the complexity. Identity and privacy keys can be generated internally for small practices, and imported from PKI where that has been implemented. Identity (for HIPAA privacy) can be controlled by internal administration without the system failing to be HIPAA compliant. ArticSoft Open PGP products also provide a means of checking who protected the information and who it was made available to, so that auditors can check the privacy of medical records without being able to see those records themselves.
What products does ArticSoft recommend for health data security?
For the transmission of medical records we recommend you use FileAssurity Open PGP Security, or, for complete automation (no user intervention involved), FileAssurity Open PGP Command Line. Both Open PGP products enable you to encrypt and digitally sign your files to Government standards, ensuring the utmost security, and to securely delete files that are past their retention date.
"The best way to mitigate legal exposure is to be proactive about putting in place measurable and auditable security processes", said Erin Kenneally, a forensic analyst and attorney at the San Diego Supercomputer Center in La Jolla, California.
HIPAA readiness can be achieved without enormous cost. ArticSoft PGP compatible products are low price, and do not require major new administrative burdens to be effective. The privacy of medical records in storage or over the Internet / across cable services can be easily achieved.
Who uses ArticSoft Open PGP products for HIPAA compliance?
State agencies, health care practices (eyecare specialists, chiropractors, etc.), transcription services, lawyers, health management organizations (HMOs), medical universities, psychiatric facilities, government agencies, dentists and veterinary practices. Here are just some of our customers and customer testimonials.
Michigan Public Health Institute recommends us to all their business associates as their protection product of choice. Steve Pierce, Privacy Officer of MPHI, says "This is finally a product that was simple enough that our users could not get it wrong". See MPHI Case Study.
Preferred Medical Marketing Corporation (PMMC) uses FileAssurity OpenPGP Command Line to free up valuable staff resources, prevent user error and forgetfulness, and ensure that sensitive medical information is processed in accordance with the HIPAA. See PMMC Case Study.