Perspectives on Information Technology for the Health Care Industry

HCFA to Lift Internet Ban
Last October, the HCFA Region II director publicized HCFA's "long standing" ban on the use of the public Internet for communication of individually identifiable patient information. After extensive investigation into the origin of this ban, we determined that it was the result of HCFA policy rather than any HCFA rule. Whereas federal rules are set after a period of public comment and scrutiny, federal policies may be set by the issuing agency with only internal review. Thus, while an agency's policies may be formed without the benefit of critical outside review, they are relatively easy to change once the agency decides to do so.

HCFA has come to recognize that its ban on the use of the Internet is inconsistent with technology trends, economics, and new federal policy and rules, not the least of which are the forthcoming HIPAA-mandated security regulations. Therefore, HCFA has authored a new policy which provides HCFA contractors with guidelines for the appropriate use of the public Internet. This "pro-Internet" policy is available at the HCFA Internet site (www.hcfa.org); a draft copy of the policy with our comments inline is available here.

The basis of the HCFA ban was a determination that: "acceptable encryption mechanisms are not currently available for the Internet to insure the degree of privacy that HCFA, plans, and contractors are required to maintain". We believed that this position was wrong on the facts, and that lack of strong encryption was not a legitimate basis for excluding the use of Internet communication. This is not to say that we believe the mere use of strong encryption (such as that readily available in S/MIME and SSL products) is sufficient to ensure the confidentiality and appropriate use of patient data. Encryption will protect the confidentiality of messages while in transit or stored at mail servers. However, the significant issues of identification, authentication, and authorization of correspondents, clients, and servers are not directly resolved by encryption. We believe that resolution of these issues requires construction of a healthcare-appropriate public key infrastructure. The Tunitas Group is involved with several efforts to bring this infrastructure about, in particular our Model Policy workshop and Directory Standards work.

Officially, this policy applies only to the information protected by the Privacy Act of 1974, which is a mandate on federal agencies. In the healthcare context the Act protects information about patients covered under Medicare, Medicaid, and Federal Child Insurance programs. However, HIPAA will, almost assuredly, increase the scope of this policy to apply to all patient information. Some Tunitas Group clients have adopted the position that, with its publication, the HCFA policy is a practice standard to which they should immediately seek compliance.

The immediate and critical impact of this HCFA policy will be upon healthcare organizations' use of Internet mail. Use of ordinary clear-text SMTP mail is essentially banned for exchange of patient information; organizations wishing to communicate information about patients by Internet mail must use a secure mail protocol. The Tunitas Group has completed a study of the impact of this policy on email use and has analyzed a number of strategies (and products) that healthcare organizations may adopt to achieve compliance.

We invite you to contact us directly to discuss the impact of the HCFA policy on healthcare IT infrastructure and use at 925.631.1244 or by email at tunitas@earthlink.net.
