Perspectives on Information Technology for the Health Care Industry
HIPAA Security and Electronic Signature Standard
Proposed Rule HCFA-0049-P
A Tunitas Group Executive Summary
August 17, 1998
Background
On August 12, HCFA published in the Federal Register its proposed standard for the security of health information and the use of electronic signatures in the health care industry. This standard has been created to satisfy the directive for security provisions required by Subtitle F - Administrative Simplification of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The security standard will be finalized after an open comment period that ends October 13, 1998. The full NPRM (Notice of Proposed Rule Making) may be downloaded from the HIPAA Administrative Simplification website.
Scope
The proposed security and electronic signature standard has much broader applicability than the other articles under Administrative Simplification. Section 142.302 imposes a federal mandate that ALL health plans, clearinghouses and providers make appropriate provision for the security of health information. The standard's applicability is not limited to the ten administrative transactions listed in the act; it extends to all health information pertaining to an individual that is electronically maintained or communicated. Nor is it limited to communication between business partners: it will also apply to internal communications. There is a clear intent to create a federal information security standard for all health information.
Requirements
The proposed standard mandates a framework for protecting the confidentiality, integrity and availability of health information. It describes a set of security requirements that must be implemented by all plans, clearinghouses and providers. Each organization is expected to satisfy the requirements in ways that are appropriate to its physical, business, and technological environment and that take into account the potential risks and vulnerabilities. There is no definition of appropriate security; the standard's requirements are only stated to be the minimum for acceptability. The requirements are defined in the abstract and at a high level of generality. For example, the standard requires an organization to control authorization for health information access on a user or role basis, but it does not state rules for authorization or say how authorization control should be implemented.
The NPRM organizes the security requirements into four broad categories:
Administrative Procedures. The standard requires that each health care organization create a formal security policy that documents the organization's security analysis and response procedures. The security analysis must assess the criticality, sensitivity, and risk of data and applications. The security policy must address a long list of issues, including certification of systems and business partners, contingencies, backup, disaster recovery, access control and authorization, audits, personnel security, training, testing, virus checking, exception reporting, and termination procedures. Most large organizations are probably now in compliance with this requirement; the greatest impact of these provisions will be on smaller provider organizations. The NPRM document expects small and rural provider organizations to rely on a combination of consultants, checklists and templates distributed by industry associations, and shrink-wrapped software from PMS vendors.
Physical Safeguards. Organizations must develop, maintain and document the procedures they will use to control physical access to systems, workstations and media. This portion of the standard requires that an individual be named to supervise the execution and use of the organization's security measures.
The regulation also sets criteria for an acceptable electronic signature (discussed below).
Local Safeguards (referred to as technical security services for health information resources maintained and stored by a health care organization). This category consolidates the requirements for implementing technical security solutions for user authentication, access control (role or user based), authorization, audit and data authentication. The proposed standard requires a security solution that addresses each of these five points. With the exception of data authentication, most organizations with an existing security policy are likely to have some aspects of the required services in place. Data authentication requires that any change to the information be properly authorized and that the fact of the change be recorded. This requirement will involve considerable meta-data for each data element, such as the time and date of each data entry, its authorship, and the author's authorization to make it.
Network Safeguards (referred to as technical security mechanisms for health information communicated over a network). The NPRM requires technical mechanisms to ensure the integrity, authenticity and confidentiality of messages communicated over wide area networks. The standard explicitly allows the use of open networks, including the Internet and dial-up public networks, in addition to value-added networks. The standard mandates encryption of data when using open networks, although nothing is said regarding the strength of that encryption. Presumably, this requirement would be satisfied by the "de facto" encryption standard as contained in current "domestic" versions of SSL and S/MIME. For most organizations, the most significant challenge contained in categories 3 and 4 (local and network safeguards) is the requirement for unique individual authentication. This means that any individual accessing health information over a network must be individually identified and granted access either on the basis of an explicit privilege extended to that individual or on the basis of a role occupied by that individual. The requirement precludes the use of a PIN that is shared among provider staff. This may require considerable re-engineering of current access control methods, especially for organizations supporting extranets.
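As an added illustration of the local and network safeguards just described (example code written for this summary, not taken from the NPRM or from Tunitas Group), the following Go program ties every authorization decision to a named individual, grants access either by role or by an explicit per-user privilege, and records for each change the time, the author, and the basis of the author's authorization. The policy data, user ids and field names are constructed for the example. The hash chaining of the change records is one way to keep the recorded history tamper-evident; the proposed rule does not prescribe it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

const ReadRecord, WriteRecord = "read", "write" // permissions used in this example

// AccessPolicy decides "may this individual do X?" by role or by an explicit per-user privilege.
type AccessPolicy struct {
	RoleGrants map[string]map[string]bool // role name -> permissions
	UserRoles  map[string][]string        // individual user id -> roles held
	UserGrants map[string]map[string]bool // explicit privileges extended to one individual
}

// Authorize returns the basis of the grant ("user:<id>" or "role:<name>") or an error. Every
// decision is tied to a named individual, so a credential shared by a whole station cannot satisfy it.
func (p *AccessPolicy) Authorize(userID, perm string) (string, error) {
	if userID == "" {
		return "", fmt.Errorf("no individual identity presented")
	}
	if p.UserGrants[userID][perm] {
		return "user:" + userID, nil
	}
	for _, role := range p.UserRoles[userID] {
		if p.RoleGrants[role][perm] {
			return "role:" + role, nil
		}
	}
	return "", fmt.Errorf("user %q is not authorized to %s", userID, perm)
}

// ChangeRecord is the per-change meta-data the data authentication requirement calls for
// (when, who, on what authority, what changed), hash-chained so later tampering is detectable.
type ChangeRecord struct {
	Time                                           time.Time
	UserID, Basis, Field, Old, New, PrevHash, Hash string
}

func (c ChangeRecord) digest() string {
	s := c.Time.UTC().Format(time.RFC3339) + "|" + c.UserID + "|" + c.Basis + "|" +
		c.Field + "|" + c.Old + "|" + c.New + "|" + c.PrevHash
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// HealthRecord holds current field values plus the full change history.
type HealthRecord struct {
	Fields  map[string]string
	History []ChangeRecord
}

// Update writes a field only after an authorization decision, and records the change first.
func (r *HealthRecord) Update(p *AccessPolicy, userID, field, value string, now time.Time) error {
	basis, err := p.Authorize(userID, WriteRecord)
	if err != nil {
		return err
	}
	prev := ""
	if n := len(r.History); n > 0 {
		prev = r.History[n-1].Hash
	}
	rec := ChangeRecord{Time: now, UserID: userID, Basis: basis, Field: field,
		Old: r.Fields[field], New: value, PrevHash: prev}
	rec.Hash = rec.digest()
	r.History = append(r.History, rec)
	r.Fields[field] = value
	return nil
}

// HistoryIntact recomputes the hash chain; false means an entry was altered or removed.
func (r *HealthRecord) HistoryIntact() bool {
	prev := ""
	for _, c := range r.History {
		if c.PrevHash != prev || c.digest() != c.Hash {
			return false
		}
		prev = c.Hash
	}
	return true
}

// SamplePolicy is constructed sample data for this example; the names are invented.
func SamplePolicy() *AccessPolicy {
	return &AccessPolicy{
		RoleGrants: map[string]map[string]bool{
			"physician": {ReadRecord: true, WriteRecord: true},
			"billing":   {ReadRecord: true},
		},
		UserRoles:  map[string][]string{"dr.lee": {"physician"}, "j.smith": {"billing"}},
		UserGrants: map[string]map[string]bool{"j.smith": {WriteRecord: true}},
	}
}
```

With the sample policy, "dr.lee" may write on the basis of the physician role, "j.smith" may read by role and write only because of the explicit user grant, and a call with an empty or unknown user id is refused, which is how the rule against a shared staff PIN shows up in code. Each accepted change leaves a record carrying the time, author, basis of authorization and old and new values, and HistoryIntact reports whether that record trail has since been altered.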
Electronic Signature. An acceptable electronic signature must assure the identity of the signer (authentication) and the unaltered transmission and receipt of the message (message integrity), and must prevent a signer from successfully denying the signature (nonrepudiation). The proposed standard explicitly notes that a digital signature is the only technology that satisfies these criteria. The proposed standard does not require that electronic signatures be used unless so specified by one of the HIPAA mandated transactions. However, the standard will require that any future use of electronic signatures be implemented using digital signatures.
Digital signatures employ digital certificates to bind a user's identity to a cryptographic element called a public key pair. The technology generally assumes that trusted third parties create these certificates and, in so doing, confirm the identity of a key holder. The collection of certificates created by these trusted third parties is called a public key infrastructure (PKI). There is a current effort to create an appropriate, scalable PKI for the health care industry. To learn more about this project, contact Tunitas Group at 925-631-1244 or email tunitas@earthlink.net.
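Added example, in Go using only the standard library, of the digital signature and certificate relationship described above; it is written for this summary and is not code from the NPRM or from Tunitas Group. A trusted third party issues a certificate binding a name to a public key, the key holder signs a message, and the verifier checks the certificate against the authority it trusts and the signature against the message. The authority name, signer name and message are constructed; the out-of-band identity check a real certificate authority performs before enrollment is assumed and not shown; and Go's crypto/x509 and crypto/ecdsa stand in for whatever certificate profile the health care PKI effort would adopt.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer is a certificate holder: a private key plus the certificate a trusted third
// party issued to bind the holder's identity to the matching public key.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// template builds a short-lived certificate template; name and serial are constructed values.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates the trusted third party as a self-signed certificate authority.
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := template("Example Health PKI CA", 1, true)
	cert, err := issue(t, t, &key.PublicKey, key)
	return key, cert, err
}

// Enroll is the CA's act of certifying a key holder: having confirmed who "name" is (an
// out-of-band check not shown here), it binds that identity to a fresh public key.
func Enroll(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, name string, serial int64) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cert, err := issue(template(name, serial, false), caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Signer{Key: key, Cert: cert}, nil
}

// Sign produces an ECDSA signature over the SHA-256 digest of msg. Only the holder of the
// private key can produce it, which is what lets the signer not deny it later (nonrepudiation).
func (s *Signer) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
}

// Verify checks authentication (the certificate chains to a CA the verifier trusts) and
// message integrity (the signature matches this exact message) and returns the certified name.
func Verify(trustedCA, cert *x509.Certificate, msg, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("signer certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected public key type in certificate")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("signature does not match message: altered in transit or not signed by this key")
	}
	return cert.Subject.CommonName, nil
}
```

Verify fails in three distinct situations worth checking: a single byte of the message changed after signing (integrity), the presented certificate was issued by an authority the verifier does not trust (authentication), and the signature was made with a key other than the one the certificate binds to the name. The nonrepudiation property is not a separate check; it follows from the private key never leaving the signer.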
Copyright © 1998 Tunitas Group. All rights reserved.