Sharing private health information over the internet can be a risky business. Unfortunately, as people become accustomed to doing most if not all of their personal business online, the demand for accessing this information online will grow to the point that health care providers will have no choice but to either provide access to this private health information or lose their customers.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted to assure the confidentiality of patient information. This requires that health care providers employ stringent measures to assure that information shared on the internet is protected from unauthorized access.
The HIPAA Act requires health-providing entities to:
• Assign responsibility for security to a person or organization.
• Assess security risks and determine the major threats to the security and privacy of protected health information.
• Establish a program to address physical security, personnel security, technical security controls, and security incident response and disaster recovery.
• Certify the effectiveness of security controls.
• Develop policies, procedures and guidelines for use of personal computing devices (workstations, laptops, hand-held devices), and for ensuring mechanisms are in place that allow, restrict and terminate access (access control lists, user accounts, etc.) appropriate to an individual’s status, change of status or termination.
• Implement access controls that may include encryption, context-based access, role-based access, or user-based access; audit control mechanisms, data authentication, and entity authentication
This law has serious implications for organizations that allow unauthorized access resulting in a breach in confidentiality.
Security is the key
Since the HIPAA law provides for both civil and criminal penalties for violations, data and access security is of the utmost importance. To assure HIPPA compliance, online document management on company intranets and extranets must include a number of security features:
• Secure web server – a server running secure socket layers is the minimum needed.
• Encrypted database – all data must be encrypted. Software is available that will encrypted all data sent between two computer over the internet.
• Secure access control — in addition to a traditional user id and password, it may be a good idea to use a strong password or smart card as additional security.
• Session timeout – this assures that confidential data is not left on an unattended screen.
• Server monitoring – the secure web server needs to be strictly monitored to detect break-in attempts.
• Regular security audits – regular audits are required to make sure all security precautions are working properly.
• Personnel – system maintenance should be in the hands of qualified personnel familiar with HIPPA requirements