Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by the United States Congress and signed by President Bill Clinton in 1996. The Act consists of five Titles that govern different aspects of the health ecosystem. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, regulates the use and disclosure of protected health information (PHI), and related security standards required to protect the data.
Technical safeguards defined by HIPAA aim to control access to computer systems and protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient. For example, systems housing PHI must be protected from intrusion; when information flows over open networks, some form of encryption must be utilized; parties to the communication must be properly authenticated; PHI data must be protected from unauthorized modifications; data corroboration, including the use of a checksum, double-keying, message authentication, and digital signature may be used to ensure data integrity; etc.
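As an added illustration of the data-corroboration safeguards just listed (this is example code, not part of the HIPAA text), the following Python compares an unkeyed checksum with a keyed message authentication code over a constructed PHI-like record. The record fields, the key value and the function names are assumptions made for the example.

```python
# Added example, not part of the HIPAA text: integrity corroboration of a PHI
# record with an unkeyed checksum versus a keyed message authentication code.
# The record contents, the key and the field names are constructed for illustration.
import hashlib
import hmac
import json
import zlib

# Constructed test key. A real deployment keeps this in a key-management system.
INTEGRITY_KEY = b"constructed-test-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so identical data always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Unkeyed CRC32. Catches accidental corruption; anyone can recompute it."""
    return format(zlib.crc32(canonical_bytes(record)) & 0xFFFFFFFF, "08x")


def verify_checksum(record: dict, stored: str) -> bool:
    """Compare the stored checksum with one recomputed from the record."""
    return checksum(record) == stored


def mac_tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the canonical bytes: a message authentication code that
    only holders of the key can produce."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_mac(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison, so verification does not leak the tag byte by byte."""
    return hmac.compare_digest(mac_tag(record, key), tag)


def sample_record() -> dict:
    # Constructed PHI-like record; no real patient data.
    return {"patient_id": "P-0001", "medication": "example-drug", "dosage_mg": 50}


def altered_record() -> dict:
    """The same record after an unauthorized modification of the dosage."""
    record = sample_record()
    record["dosage_mg"] = 500
    return record


def demo() -> dict:
    """Store a record with both protections, alter it, and see which check notices."""
    original = sample_record()
    stored_checksum = checksum(original)
    stored_tag = mac_tag(original)

    altered = altered_record()
    # Whoever can modify the record can also recompute an unkeyed checksum and
    # store the new value alongside it, so a checksum alone does not corroborate
    # that the data is what an authorized party wrote.
    recomputed_checksum = checksum(altered)

    return {
        "original_mac_ok": verify_mac(original, stored_tag),                 # True
        "altered_mac_ok": verify_mac(altered, stored_tag),                   # False: re-tagging needs the key
        "altered_checksum_ok": verify_checksum(altered, recomputed_checksum),  # True: no key involved
        "stored_checksum_still_matches": verify_checksum(altered, stored_checksum),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the comparison makes is that a checksum satisfies the "accidental corruption" part of data integrity, while the keyed tag (or a digital signature, where non-repudiation matters) is what lets the receiving system corroborate that PHI was not modified by an unauthorized party.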
A HIPAA-compliant server is a server that implements technical safeguards that satisfy HIPAA requirements. According to the HIPAA Security Rule, technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Who does HIPAA apply to?
HIPAA covered entities are:
1) Health care providers, including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies, but only if they transmit PHI in an electronic form.
2) Health plans, including health insurance companies, HMOs, company health plans and government programs that pay for health care (e.g. Medicaid and Medicare).
3) Health care clearinghouses that process nonstandard health information they receive from another entity into a standard information
HIPAA applies the same authentication requirement whether the party being authenticated is a person or an entity.
HIPAA requirements for implementing access control are: (i) assigning a unique user name or number for identifying and tracking user identity; (ii) establishing procedures for gaining access to electronic health information in an emergency; (iii) implementing automatic logoff procedures that terminate a login session after a predetermined period of inactivity; and (iv) using encryption as a means of providing access control.
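The first three access-control requirements can be seen together in one small session layer. The Python below is an added example, not part of the HIPAA text: it ties every session to a unique user identifier, requires a recorded justification for emergency access so it can be reviewed, and terminates a session automatically once it has been idle longer than a predetermined period. The 15-minute timeout, the user IDs, the resource names and the audit-record format are assumptions chosen for the example; HIPAA leaves the actual period and mechanism to the covered entity.

```python
# Added example, not part of the HIPAA text: an access-control layer that
# assigns a unique user identifier to each session, records emergency access
# with a justification, and logs the session off automatically after a
# predetermined idle period. The timeout value, user IDs and resource names are
# constructed for illustration.
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, List

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; HIPAA leaves the period to the entity


@dataclass
class Session:
    session_id: str
    user_id: str          # unique name or number tied to exactly one person
    emergency: bool       # True for emergency ("break-glass") access
    last_activity: float


class FakeClock:
    """Deterministic clock so the idle timeout can be exercised without sleeping."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class SessionManager:
    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}
        self.audit_log: List[dict] = []   # every decision is recorded for later review

    def _audit(self, event: str, **fields) -> None:
        self.audit_log.append({"time": self._clock(), "event": event, **fields})

    def login(self, user_id: str, emergency: bool = False, justification: str = "") -> str:
        """Open a session for an already-authenticated user. Emergency access is
        permitted only with a recorded justification, so it can be reviewed."""
        if emergency and not justification:
            raise ValueError("emergency access requires a recorded justification")
        session_id = uuid.uuid4().hex
        self._sessions[session_id] = Session(session_id, user_id, emergency, self._clock())
        self._audit("login", user_id=user_id, session_id=session_id,
                    emergency=emergency, justification=justification)
        return session_id

    def access(self, session_id: str, resource: str) -> bool:
        """Grant or deny access to a resource. An idle session is terminated on
        its next use (automatic logoff) and the attempt is denied."""
        session = self._sessions.get(session_id)
        if session is None:
            self._audit("denied", session_id=session_id, resource=resource, reason="no-session")
            return False
        now = self._clock()
        if now - session.last_activity > self._idle_timeout:
            del self._sessions[session_id]
            self._audit("auto-logoff", user_id=session.user_id, session_id=session_id)
            self._audit("denied", session_id=session_id, resource=resource, reason="idle-timeout")
            return False
        session.last_activity = now   # activity resets the idle clock
        self._audit("access", user_id=session.user_id, session_id=session_id,
                    resource=resource, emergency=session.emergency)
        return True

    def is_active(self, session_id: str) -> bool:
        return session_id in self._sessions


def emergency_without_justification_rejected() -> bool:
    """Check that the break-glass path cannot be used silently."""
    manager = SessionManager(clock=FakeClock(), idle_timeout=10)
    try:
        manager.login("user-0003", emergency=True)
    except ValueError:
        return True
    return False


def demo() -> dict:
    clock = FakeClock()
    manager = SessionManager(clock=clock, idle_timeout=900)
    sid = manager.login("user-0001")
    first = manager.access(sid, "chart/P-0001")      # fresh session: granted
    clock.advance(600)
    second = manager.access(sid, "chart/P-0001")     # 10 min idle, under limit: granted
    clock.advance(901)
    third = manager.access(sid, "chart/P-0001")      # past limit: logged off and denied
    emergency_sid = manager.login("user-0002", emergency=True,
                                  justification="on-call clinician (constructed)")
    events = [entry["event"] for entry in manager.audit_log]
    return {"first": first, "second": second, "third": third,
            "session_active_after_timeout": manager.is_active(sid),
            "emergency_session_active": manager.is_active(emergency_sid),
            "auto_logoff_recorded": "auto-logoff" in events}


if __name__ == "__main__":
    print(demo())
```

Because the manager takes its clock as a parameter, the idle-timeout behaviour can be tested deterministically, and because every grant, denial and automatic logoff lands in the audit log under the unique user ID, the same component also produces the tracking record the first requirement asks for.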
Person or entity authentication regulations call for covered entities and business associates to implement procedures that verify that a person or entity seeking access to electronic protected health information is the one claimed. This means that a system must provide a means of identity verification and corroborate the identity of the person or entity that is attempting to access protected data.
HIPAA provides only a general requirement and does not require specific methods to ensure compliance. This means that covered entities and business associates can choose their preferred authentication methods, so long as those methods provide appropriate safeguards.
Covered entities often use multiple systems, each requiring its own set of credentials. Memorizing multiple usernames and passwords, or carrying multiple authentication devices, is very onerous for users and costly for covered entities to manage.
Security Standards for the Protection of Electronic Protected Health Information defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”