The "technology neutral" HIPAA standards allow health care organizations flexibility in choosing compliance solutions that fit their needs.
Rather than mandating specific information technologies for compliance, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) gives health care organizations guidelines for safeguarding electronically maintained patient health information from misuse. These guidelines cover controlling access to data on computer systems, establishing audit controls, authenticating the data the organization sends and receives, and authenticating system users.
Access/Authorization Control
Each organization must develop procedures or implement technologies for granting members of its workforce access to the health care organization's computer systems. The regulation requires documented procedures for access based on the employee's role or rank. Network components a health care organization may employ to control interoffice access include intranet systems, which are private computer networks, and hardware or software that establishes a firewall to block unauthorized access.
Audit Controls
Security officers at health care organizations can implement technologies that create audit trails or logs recording each attempt to access information. Technology-based audit controls can record operational irregularities, such as repeated unsuccessful attempts to enter the network. Health care organizations can use a combination of administrative and network policies, hardware and software to record and respond to unauthorized information access.
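As an added illustration of the audit-control point above (example code written for this page, not from the original article), the following Python parses constructed audit-trail lines keyed by each employee's unique user identifier and flags the "repeated unsuccessful attempts" the paragraph mentions. The log format, user names, addresses and the threshold/window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit-trail lines (not from the original page). Each line
# records one access attempt under the employee's unique user identifier.
SAMPLE_AUDIT_LOG = """\
2024-03-01T08:00:01 user=jdoe01 src=10.0.4.21 action=login result=FAILURE
2024-03-01T08:00:09 user=jdoe01 src=10.0.4.21 action=login result=FAILURE
2024-03-01T08:00:30 user=jdoe01 src=10.0.4.21 action=login result=FAILURE
2024-03-01T08:01:00 user=jdoe01 src=10.0.4.21 action=login result=SUCCESS
2024-03-01T08:05:12 user=asmith src=10.0.4.33 action=login result=FAILURE
2024-03-01T08:05:40 user=asmith src=10.0.4.33 action=login result=SUCCESS
2024-03-01T09:00:00 user=rlee src=10.0.7.8 action=login result=FAILURE
2024-03-01T09:10:00 user=rlee src=10.0.7.8 action=login result=FAILURE
2024-03-01T09:20:00 user=rlee src=10.0.7.8 action=login result=FAILURE
this line is not a well-formed audit record
"""

# Assumed record layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

def parse_audit_log(text):
    """Parse audit lines into dicts; malformed lines are counted rather than dropped silently."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1          # an audit trail with holes is itself an irregularity
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events, malformed

def find_repeated_failures(events, threshold=3, window_minutes=5):
    """Return {user: failure_count} for users with >= threshold FAILUREs inside any sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)    # per-user timestamps of failures still inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAILURE":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["user"]] = max(flagged.get(ev["user"], 0), len(q))
    return flagged

if __name__ == "__main__":
    evs, bad = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("flagged:", find_repeated_failures(evs), "| malformed lines:", bad)
```

With the default 5-minute window only jdoe01 is flagged; rlee's three failures spread over 20 minutes are caught only if the window is widened, which shows why the window and threshold are policy decisions the security officer must document.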
Data Authentication
Some health care organizations may decide to implement encryption technologies to ensure the security of data transmitted between the organization and its business partners. Data encryption renders a message unreadable to anyone other than a recipient with a key to decrypt the data. In addition to communicating with business associates, health care organizations may implement encryption to transmit clinical data and lab results or to communicate with patients. An organization also may consider implementing digital signature technology and anti-virus software to authenticate data and protect computer systems from hackers.
Entity Authentication
The HIPAA security rule requires health care organizations to provide each employee with a "unique user identifier" for logging in to computer systems, and to implement automatic log-off features at workstations. The regulation recommends user authentication technologies ranging from passwords and personal identification numbers (PINs) to biometric identification systems, such as thumbprint and iris scanning, and smart cards, used to verify that users are authorized to access physical spaces, terminals or data stored on computer systems.