Getting Ready for HIPAA
Paying Attention to Security

August 30, 2000
By Randy Hersom, VP of Software Development, Habilitation Software Inc.

I'd like to point out a few things that we would like to see all of our customers do to get ready for the new privacy and security regulations written by the Health Care Financing Administration (HCFA). By the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress ordered HCFA to create regulations unless Congress had already passed such regulations into law. Congress didn't, so HCFA is doing so.

This isn't a checklist that's supposed to cover all the bases, just some important things to start doing now. The regulations will go into effect sometime in 2002, but anyone who delays finding out about it until then will almost certainly have insurmountable problems in meeting the regulations. Successful compliance involves changes to daily routines. The time to start building good habits is now.

The first thing to consider is how you will limit access to your data. The draft regulation says you must implement either access controls or encryption. Access controls can be physical (computers behind locked doors, no windows with a view of the screen, only authorized persons have keys) or electronic (all users have identities verified before being issued a password, users take care not to leave logged-in terminals accessible to unauthorized parties, users never share passwords). If you're considering the physical route, you may want to start to consider moving computers and purchasing locks. You should set a date when all computer room door locks and passwords are changed. A staff member should check picture ID's and professional credentials before issuing keys and passwords, and you should consider having that staff member certified as a Notary Public.

You must keep the frame of mind that an Internet connection at the server or any workstation may be permitted only once it is known to be secure from intruders. Very small agencies may want to keep a separate, off network, computer for Internet access and E-Mail. The Internet connection should be disconnected if a security breach is discovered, or security flaws have been discovered in any of your software. Repair the security flaws before reconnecting.

You will need someone who will be responsible for regularly assessing security of your computers. Some recommended activities are:

1) List people who have logged into the network, and viewed client information. Make sure each is properly authorized for the client charts they have viewed. Show each person's list to them and ask them if all listed logins and chart openings are ones they actually did. List all network users and scan for unfamiliar names. Ask if passwords or keys have been shared. Like the airport employees who have to ask about your bags, your security chief must keep asking even after the question becomes boring.
2) Larger agencies may choose to devote a half position, full position or more to network security. Smaller ones may be able to get by with less time. Nobody will get by without dedication to keeping a safe place in which to store important data about consumers. Some of the threats to security you may face haven't even been invented yet. Info World, eWeek, Information Week and others have free E-mail newsletters that often are the first place you can find out about newly discovered security hazards. Whoever you select to be responsible for your security must continue to read and learn.
3) Develop clear and concise materials that will communicate your privacy policies to your employees. Get each staff member to read them, question them to assure understanding, then get them to sign an agreement to abide by them. Do the same thing with any outside consultants or software vendors who may need access to your network or data in order to provide needed services.
4) Finally, strongly emphasize the importance of data security and consumer privacy to upper management. It may help to point out the penalties. Non-conformance to HIPPA regulations can result in a $25,000 fine. Intentional misuse may result in a $250,000 fine and imprisonment of not more than 10 years.
Remember to act supportively rather than in a threatening fashion with your employees as you are educating them about HIPAA. In a climate of fear, truth is often the first casualty.