The Technological Feasibility of HIPAA Requirements

Adam Cushner

White Paper

December 2003

Introduction

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a law designed “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”[1] HIPAA mandates that covered entities employ technological means to protect the privacy of sensitive health information. This white paper studies the requirements put forth by HIPAA by examining what is technically necessary to implement them, whether that is technologically feasible, and what commercial, off-the-shelf systems are currently available to do so.

HIPAA Overview

On August 21, 1996, Bill Clinton signed HIPAA into law. It was passed partly because of the failure of Congress to pass comprehensive health insurance legislation earlier in the decade. The general goals of HIPAA are to:

Increase the number of employees who have health insurance;

Reduce health care fraud and abuse;

Introduce/implement administrative simplifications in order to augment effectiveness of health care in the US;

Protect the health information of individuals against access without consent or authorization;

Give patients more rights over their private data;

Set better boundaries for the use of medical information;

Hold people accountable for misuse;

Encourage administrative simplification (in the form of digitalization of information) to help reduce costs.

HIPAA affects covered entities which are defined as:

–Health plans;

–Health care clearinghouses;

–Health care providers who transmit health information in electronic form for certain standard transactions.

Even though HIPAA was signed into law over seven years ago, its effects are mostly being felt now, because of its compliance schedule:

10/16/2002 - Transactions and code sets

4/14/2003 – Privacy Rule

4/14/2003 – Business Associates

4/20/2005 – Security Rule

This delay stems from a provision in the original act stating that if Congress did not enact privacy legislation within three years of HIPAA's passage (by August 1999), the Department of Health and Human Services (HHS) had to write the regulations itself. Congress did not meet its deadline, so HHS wrote the regulations and gave covered entities time to implement them.

The main parts of HIPAA covered in this paper are its Security Regulations and its Privacy Rule. Each of these directly involves certain technological changes that must be made in order to reach its goals. To simplify and standardize information exchange, the Transactions and Code Sets rule adopts Electronic Data Interchange (EDI) standards.

Privacy Rule

The Privacy Rule sets forth definitions for different types of information and specifies what may be done with each type. The types are:

–Protected Health Information (PHI);

–Individually Identifiable Health Information (IIHI);

–De-identified Health Information;

–Limited Data Sets.

Protected Health Information (PHI)

PHI is individually identifiable health information held or transmitted by a covered entity. It may not be used or disclosed except as the Privacy Rule permits (for example, for treatment, payment, and health care operations) or as the patient allows in a detailed and specific written authorization. The treatment of PHI is analogous to the treatment of human tissue with regard to privacy.

Perhaps the best way to keep Protected Health Information protected is through the use of Digital Rights Management (DRM). DRM wraps a file in a container that restricts what can be done with it. Often, especially for media files downloaded from the web, the wrapper records a unique ID of the computer on which the file is allowed to be played; if another computer attempts to open the file, it will not work. The same mechanism could restrict PHI to a defined set of machines. Note that this binds the data to machines, not to people: it does nothing against an authorized user misusing data on an authorized machine. Certain aspects of DRM can be employed today.

Individually Identifiable Health Information (IIHI)

IIHI is defined as any subset of health information, including demographic information collected from an individual, that identifies the individual or for which there is a reasonable basis to believe that the information could be used to identify the individual.[2]

In order to make it possible to distribute health information without causing the identification of individuals, HIPAA defines De-identified Health Information.

De-identified Health Information

Health information is considered de-identified when it does not identify an individual and the covered entity has no reasonable basis to believe that it can be used to identify an individual. Under the Privacy Rule's “safe harbor” method, information is de-identified if 18 identifiers of the individual (and of the individual's relatives, employers, and household members) are removed and the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the subject. (The rule also allows de-identification by a qualified expert's statistical determination that the risk of re-identification is very small.) The identifiers are:[3]

(1)names;

(2)all geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and equivalent geocodes, except for the initial three digits of a zip code if the area formed by all zip codes sharing those three digits contains more than 20,000 people; the initial three digits of zip codes for areas of 20,000 or fewer people are changed to 000;

(3)all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death, and all ages over 89 and all elements of dates (including year) indicative of such an age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(4)telephone numbers;

(5)fax numbers;

(6)electronic mail addresses;

(7)Social Security numbers;

(8)medical record numbers;

(9)health plan beneficiary numbers;

(10)account numbers;

(11)certificate/license numbers;

(12)vehicle identifiers and serial numbers, including license plate numbers;

(13)device identifiers and serial numbers;

(14)Web Universal Resource Locator (URL);

(15)biometric identifiers, including finger or voice prints;

(16)full face photographic images and any comparable images;

(17)Internet Protocol address numbers;

(18)any other unique identifying number, characteristic, or code.

The technological implementation that would enable this already exists in good database systems. In a database, views allow users to examine only parts of tables instead of the whole thing. To de-identify data, the database designer (or maintainer) could create a view that shows medical information stripped of the 18 identifiers, and grant users who do not have access to PHI or IIHI the right to select from that view only, never from the underlying tables. Two cautions apply: the view must transform fields, not just drop them (dates reduced to the year, zip codes to three digits, ages of 90 and over collapsed into one category), and a view satisfies only the mechanical half of safe harbor; the covered entity must still have no actual knowledge that the remaining fields could re-identify someone.

Limited Data Sets

In between IIHI and de-identified health information, there exists another type of information called the limited data set. A limited data set is a more informative, less restricted version of de-identified health information; it may be used or disclosed only for research, public health, or health care operations, and only under a data use agreement with the recipient. These identifiers must be removed:

(1) name;

(2) address information (other than city, State, and zip code);

(3) telephone and fax numbers;

(4) e-mail address;

(5) Social Security number;

(6) certificate/license number;

(7) vehicle identifiers and serial numbers;

(8) URLs and IP addresses;

(9) full face photos and other comparable images;

(10) medical record numbers, health plan beneficiary numbers, and other account numbers;

(11) device identifiers and serial numbers;

(12) biometric identifiers including finger and voice prints.

Whereas these identifiers are allowed to remain:

(1) admission, discharge and service dates;

(2) birth date;

(3) date of death;

(4) age (including age 90 or over);

(5) geographical subdivisions such as state, county, city, precinct and five digit zip code.

It is interesting to note the attention to technological detail (e.g. IP addresses) in these criteria.

Limited data sets can be enforced the same way that de-identified health information is: with a view that drops the direct identifiers listed above but retains the dates, ages, and geographic fields that are allowed to remain.
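As an added illustration (not code from this paper, and not any vendor's product), the following Python script builds an in-memory SQLite database with a constructed patient table and defines the two views discussed above: a safe-harbor de-identified view that truncates dates to the year, zip codes to three digits (with low-population prefixes collapsed to 000), and ages of 90 and over to a single category with the birth year suppressed, and a limited data set view that drops the direct identifiers but keeps dates and geography. A small role-to-view table stands in for the GRANT statements a server database would use, since SQLite has no user privileges. The patient records, the role names, and the set of low-population zip prefixes are all constructed for the example.

```python
import sqlite3

# Constructed sample records (not real people) used to exercise the views.
PATIENTS = [
    # mrn, name, ssn, street, city, state, zip, phone, email, dob, admit, discharge, age, diagnosis
    (1001, "Alice Example", "123-45-6789", "1 Main St", "Springfield", "MA", "01103",
     "413-555-0100", "alice@example.org", "1911-05-02", "2003-11-20", "2003-11-25", 92, "pneumonia"),
    (1002, "Bob Example", "987-65-4321", "9 Elm Rd", "Newport", "VT", "05901",
     "802-555-0199", "bob@example.org", "1970-01-15", "2003-12-01", "2003-12-03", 33, "fracture"),
]

# Three-digit zip prefixes whose combined population is 20,000 or fewer, which
# safe harbor requires to be replaced with 000.  Constructed subset for the
# example; a real deployment derives this from current Census data.
SMALL_ZIP3 = {"036", "059", "102", "203"}


def zip3(zip_code):
    """Truncate a zip code to three digits, collapsing low-population prefixes to 000."""
    prefix = (zip_code or "")[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


SCHEMA = """
CREATE TABLE patients (
    mrn INTEGER PRIMARY KEY, name TEXT, ssn TEXT, street TEXT, city TEXT, state TEXT,
    zip TEXT, phone TEXT, email TEXT, dob TEXT, admit_date TEXT, discharge_date TEXT,
    age INTEGER, diagnosis TEXT);

-- Safe-harbor de-identified view: direct identifiers dropped, dates reduced to
-- the year, zip to three digits, and ages of 90 or over collapsed into one
-- category with the birth year suppressed (a year alone would reveal an age over 89).
CREATE VIEW deidentified AS
SELECT zip3(zip) AS zip3, state,
       CASE WHEN age >= 90 THEN NULL ELSE substr(dob, 1, 4) END AS birth_year,
       substr(admit_date, 1, 4) AS admit_year,
       substr(discharge_date, 1, 4) AS discharge_year,
       CASE WHEN age >= 90 THEN '90+' ELSE CAST(age AS TEXT) END AS age_group,
       diagnosis
FROM patients;

-- Limited data set: direct identifiers removed, but full dates, age, city,
-- state and five-digit zip retained.
CREATE VIEW limited_data_set AS
SELECT city, state, zip, dob, admit_date, discharge_date, age, diagnosis
FROM patients;
"""

# Which relation each role may read.  In a server RDBMS this mapping is enforced
# with GRANT SELECT ON <view> TO <role>; SQLite has no roles, so the wrapper
# below enforces it.  Role names are constructed for the example.
ROLE_VIEW = {
    "treating_clinician": "patients",
    "research_partner": "limited_data_set",
    "public_health_stats": "deidentified",
}


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("zip3", 1, zip3)   # make zip3() callable from SQL
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patients VALUES (%s)" % ",".join("?" * 14), PATIENTS)
    return conn


def rows_for_role(conn, role):
    """Return the rows a role is permitted to see, as dicts keyed by column name."""
    view = ROLE_VIEW.get(role)
    if view is None:
        raise PermissionError("no PHI access defined for role %r" % role)
    cur = conn.execute("SELECT * FROM %s" % view)   # view name comes from ROLE_VIEW, never from input
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, r)) for r in cur.fetchall()]


if __name__ == "__main__":
    db = build_db()
    for role in ROLE_VIEW:
        print(role, rows_for_role(db, role))
```

In Oracle or DB2 the same views would be created with CREATE VIEW and exposed with GRANT SELECT ON deidentified TO public_health_stats, with no privileges on the patients table itself; the wrapper here enforces the equivalent mapping in application code. The views cover the mechanical removal of identifiers only; the covered entity must still judge whether the remaining columns, such as a rare diagnosis combined with a small zip3 area, could re-identify anyone.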

In summary the Privacy Rule:

Deals with Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI);

Provides, for the first time ever, Federal protections for the privacy of protected health information;

Sets only a lower bound on protection – stricter state laws would not be trumped by this, but weaker ones would;

Requires notification of information practices;

Gives patients more control over their information;

Sets boundaries on the release of information;

Holds violators accountable with civil and criminal penalties;

Allows for data to be released if it aids public health (e.g. statistics about a disease, de-identified patient data).

Security Regulations

Among the requirements of the Security Regulations, this paper examines four:

1)Contingency Plan

2)Access Control

3)Audit Control

4)Person or Entity Authentication

Contingency Plan

The section on a contingency plan states that a covered entity must have a data backup plan, a disaster recovery plan, and an emergency mode operation plan (which requires that, in the event of an emergency, electronic health information still be protected as well as during normal operations).

A data backup plan can be implemented using current technology, but it is important to distinguish redundancy from backup. A mirrored disk RAID (level 1) system keeps an exact live copy of the data and protects against the failure of a disk; a less expensive block-interleaved distributed parity RAID (level 5) system does the same at lower cost but is somewhat more exposed while a failed disk is being rebuilt. [4] Neither is a backup: a record that is deleted or corrupted is mirrored just as faithfully, so the plan must also include periodic backups that are kept separately and tested for restore. Many commercial vendors are available today for helping to set up large database systems, and many Application Service Providers (ASPs) exist that rent out their services.

A disaster recovery plan is also easy to implement using current technology, and the best way to be able to recover from a disaster is to use off-site backup/storage facilities. If a covered entity were to store all its information in one place and that place were destroyed (e.g. by some cataclysmic event), the data would be unrecoverable. Therefore, off-site backup/storage is essential. To ensure that the privacy of health information is not compromised during transmission to the off-site facility, a Virtual Private Network (VPN) or other encryption of the data in transit would have to be employed, and the off-site copies need the same access controls as the primary system.

An emergency mode operation plan is best implemented by deciding in advance, when privileges are granted in the initial database design, which accounts keep access during an emergency, so that access controls do not have to be switched off wholesale when normal operations are disrupted.

Access Control

The section on Access Control states that it is necessary to “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.”[5] This problem is particularly technologically difficult for two main reasons:

1)Although many software vendors claim that their programs are secure, there are almost always software bugs that can be exploited for malicious use. There are, however, mature database systems such as Oracle and IBM’s DB2 that have been extensively tested and provide fine-grained privilege mechanisms.

2)Even if a database implementation is entirely secure, a flaw in the operating system on which it is running could serve as a means of unauthorized access to the database.[6]

Assuming that the database implementation used to store the PHI is secure, there are means already in place for granting privileges to different users and groups of users. Prudent choices in issuing access rights, granting each user or role only the tables or views its job requires, will ensure that, at the database level, access can be very well controlled.

Secure database systems are currently available, whereas secure operating systems are not. All current operating systems have security holes that can lead to malicious users controlling the machine (perhaps ultimately resulting in access to PHI). Microsoft’s Next-Generation Secure Computing Base (NGSCB), which is built on the Trusted Platform Module (TPM), has many of the technological features that will be necessary to ensure the technological security of information.

NGSCB has many of the features that would help make the sort of computing demanded by HIPAA technologically secure. It has two operating modes, standard mode and nexus mode. In standard mode, applications are executed as they are today in, for example, Windows XP. In nexus mode, however, applications (called nexus computing agents or NCAs) operate in a secure and isolated environment.[7] They are allocated in a memory space that is protected from external access, even from the standard-mode kernel.[8] This type of isolation would protect data while an agent is processing it.

NGSCB provides functionality for “sealed storage,” or storage that can only be accessed by the authenticated application that stored it there.[9] In the hardware itself, secure paths are used to transfer data between different devices on the machine (e.g. keyboard and CPU).[10] These paths are secured using encryption, which prevents an attacker from recovering the data by tapping a computer bus directly.

NGSCB is a good next step but, currently, there are not enough off-the-shelf commercially available products to make an entirely technologically secure system. This, however, is not a very large problem because a) despite their security holes, current systems can be hardened and operated at an acceptable level of risk, and b) many breaches are caused by users who misuse data to which they legitimately have access. No amount of technological regulation can prevent this, but it can help mitigate the problem.

Audit Control

The demands of the audit control standard are that accesses (i.e. reads and writes) to the database must be logged, recording who accessed what, when, and from where, and that the log is examined. Mature database systems provide facilities for this type of logging. The log itself must be protected from modification, since a user who can edit the audit trail can hide his own access. If the database is located off-site, a secure method, such as a VPN, should be used to access it.
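An added example of the kind of audit trail described above, written for this page rather than taken from the paper or from any database product: a small Python wrapper around an in-memory SQLite table records who read or changed which record, when, and from which address, and chains each entry to the previous one with a SHA-256 hash so that a later edit to the log is detectable. The patient rows, user names, and addresses are constructed; the hash chain is a stand-in for the write-once storage or signing a production audit system would use.

```python
import hashlib
import json
import sqlite3
import time

GENESIS = "0" * 64   # the chain starts from a fixed value


class AuditedStore:
    """Patient table plus an append-only, hash-chained audit log of every read and write."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE patients (mrn INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT);
            CREATE TABLE audit_log (
                seq INTEGER PRIMARY KEY, ts TEXT, username TEXT, source TEXT,
                action TEXT, target TEXT, nrows INTEGER, prev_hash TEXT, hash TEXT);
        """)
        # Constructed sample records, not real patients.
        self.conn.executemany("INSERT INTO patients VALUES (?, ?, ?)",
                              [(1, "Alice Example", "pneumonia"), (2, "Bob Example", "fracture")])

    @staticmethod
    def _digest(prev_hash, entry):
        # Entry fields are serialised canonically so verification recomputes the same bytes.
        body = json.dumps(entry, sort_keys=True)
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def _record(self, username, source, action, target, nrows):
        """Append one audit entry: who, from where, what, when, and how many rows."""
        last = self.conn.execute("SELECT hash FROM audit_log ORDER BY seq DESC LIMIT 1").fetchone()
        prev_hash = last[0] if last else GENESIS
        entry = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                 "username": username, "source": source, "action": action,
                 "target": target, "nrows": nrows}
        self.conn.execute(
            "INSERT INTO audit_log (ts, username, source, action, target, nrows, prev_hash, hash) "
            "VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
            (entry["ts"], username, source, action, target, nrows, prev_hash,
             self._digest(prev_hash, entry)))

    def read(self, username, source, mrn):
        rows = self.conn.execute("SELECT name, diagnosis FROM patients WHERE mrn = ?", (mrn,)).fetchall()
        self._record(username, source, "read", "patients.mrn=%d" % mrn, len(rows))
        return rows

    def write(self, username, source, mrn, diagnosis):
        cur = self.conn.execute("UPDATE patients SET diagnosis = ? WHERE mrn = ?", (diagnosis, mrn))
        self._record(username, source, "write", "patients.mrn=%d" % mrn, cur.rowcount)
        return cur.rowcount

    def audit_entries(self):
        return self.conn.execute("SELECT * FROM audit_log ORDER BY seq").fetchall()

    def verify_chain(self):
        """Recompute the chain; return (True, None) or (False, seq of the first bad entry)."""
        prev_hash = GENESIS
        for seq, ts, username, source, action, target, nrows, stored_prev, stored_hash in self.audit_entries():
            entry = {"ts": ts, "username": username, "source": source,
                     "action": action, "target": target, "nrows": nrows}
            if stored_prev != prev_hash or self._digest(prev_hash, entry) != stored_hash:
                return False, seq
            prev_hash = stored_hash
        return True, None

    def tamper(self, seq, username):
        """Simulate an insider rewriting a log entry after the fact (for the demonstration only)."""
        self.conn.execute("UPDATE audit_log SET username = ? WHERE seq = ?", (username, seq))


if __name__ == "__main__":
    store = AuditedStore()
    store.read("nurse1", "10.0.0.5", 1)
    store.write("dr2", "10.0.0.9", 2, "healed fracture")
    print(store.verify_chain())      # (True, None)
    store.tamper(1, "nobody")
    print(store.verify_chain())      # (False, 1)
```

The chain makes edits and deletions detectable but not preventable; in practice the log is also shipped to a host the database administrators cannot write to, and someone other than the people being audited reviews it.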

Person or Entity Authentication

Using current technologies, there are reasonably good ways of authenticating persons and entities: passwords, hardware tokens, biometrics, and digital certificates. As it stands now, the security of these methods seems adequate to meet the demands of HIPAA. NGSCB, however, has a very good built-in way of dealing with the authentication of machines: attestation.

Attestation is a “mechanism for authenticating a given software and hardware configuration, either locally or remotely.”[11] It uses a hardware-protected key to sign a measurement of the software and hardware that booted the machine, so that a remote party can determine that it is communicating with a known machine running a known configuration. It is more secure than most authentication technologies currently employed, but it authenticates the platform, not the person; it complements user authentication rather than replacing it.
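To make the mechanism concrete, here is an added simulation of attestation, written for this page; it is not NGSCB's or any TPM's actual protocol. The platform measures each boot component into a register (the extend operation), signs the register value together with a verifier-supplied nonce, and the verifier accepts only a fresh nonce, a valid signature, and a register that matches the known-good configuration. An HMAC key stands in for the hardware-held signing key, and the boot component names and the attestation key are constructed.

```python
import hashlib
import hmac
import os

# Simulated attestation key.  In a TPM-style design the private key never leaves
# the hardware; this constructed HMAC key stands in for it so the example runs offline.
ATTESTATION_KEY = b"constructed-attestation-key-not-a-real-tpm-secret"


def extend(register, component):
    """PCR-style extend: the register becomes H(register || H(component))."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def measure_boot(components):
    """Measure each boot component, in order, into a single register."""
    register = bytes(32)
    for component in components:
        register = extend(register, component)
    return register


def make_quote(register, nonce):
    """Platform side: sign (register, nonce) with the hardware-held key."""
    return hmac.new(ATTESTATION_KEY, register + nonce, hashlib.sha256).digest()


class Verifier:
    """Remote party that knows the expected configuration and issues fresh nonces."""

    def __init__(self, expected_register):
        self.expected = expected_register
        self.outstanding = set()

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, register, nonce, quote):
        """Accept only a fresh nonce, a valid signature, and the known configuration."""
        if nonce not in self.outstanding:
            return "rejected: stale or unknown nonce"
        self.outstanding.discard(nonce)          # each challenge may be answered once
        if not hmac.compare_digest(make_quote(register, nonce), quote):
            return "rejected: bad signature"
        if not hmac.compare_digest(register, self.expected):
            return "rejected: unexpected software configuration"
        return "accepted"


# Constructed boot chain: firmware, loader, nexus, then the application agent.
GOOD_CHAIN = [b"firmware v1", b"loader v1", b"nexus v1", b"ehr-agent v1"]
TAMPERED_CHAIN = [b"firmware v1", b"loader v1", b"nexus v1", b"ehr-agent v1 + keylogger"]


def run_attestation(verifier, chain):
    """One challenge/response round between the verifier and a platform booting `chain`."""
    nonce = verifier.challenge()
    register = measure_boot(chain)
    return verifier.check(register, nonce, make_quote(register, nonce))


if __name__ == "__main__":
    verifier = Verifier(measure_boot(GOOD_CHAIN))
    print(run_attestation(verifier, GOOD_CHAIN))       # accepted
    print(run_attestation(verifier, TAMPERED_CHAIN))   # rejected: unexpected software configuration
```

Because the key never leaves the (simulated) hardware, a platform running the tampered agent cannot produce a quote over the good register value; and because each nonce is accepted once, a captured quote cannot be replayed later.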

Minimum Necessary

“When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”[12] This does not apply to disclosures to, or requests by, a health care provider for treatment, to disclosures to individuals of their own information, to uses or disclosures made under a patient authorization, or to certain disclosures required by law.

This “minimum necessary” requirement could be enforced through a policy-based software product. In general, covered entities and their business associates would have a limited set of interactions with each other, and each interaction could have its own setting indicating what information should be released for that request. Because both parties would be using EDI, this could be fairly easy to implement. Only the most often used requests would be automated like this.

Problems, however, would arise if a non-standard transaction were to occur. In that case, human intervention would be necessary, because HIPAA does not list what constitutes the minimum necessary for a given type of request (it would be impossible to enumerate all the different transactions that could ever occur between a covered entity and a business associate).

Current Technological Offerings

Two technologies widely used in HIPAA compliance efforts are ASPs (application service providers) and VPNs (virtual private networks).

Application Service Providers (ASPs)

The demands that HIPAA places on covered entities are large. If each covered entity had to implement its own system to become HIPAA compliant, it would be next to impossible for the health care industry to adopt it. Therefore, many rely on ASPs to provide HIPAA-compliant services.

ASPs provide the backend hardware and software for health care industry workers. Instead of licensing their software, they rent it out, usually on a monthly or yearly basis. As a result, they are responsible for upgrading and maintaining their systems.

Covered entities must be careful when choosing an ASP because it is their responsibility to ensure that they are doing business with someone who is HIPAA compliant. An ASP that handles PHI on a covered entity's behalf is a business associate, so a business associate contract binding it to the Privacy Rule's protections is required in addition to vetting its practices. Covered entities must also make sure that the ASPs with which they are working have scalable systems that will be able to meet future needs.

Virtual Private Networks (VPNs)

VPNs are private networks set up using the infrastructure of public networks. Before the surge in popularity of the internet, companies that wanted WANs had to lease lines between their various offices, which was very expensive. Using the internet and an encrypted tunnel (typically IPsec or SSL), however, one can create a private network whose traffic travels over public lines.

The VPN is useful for HIPAA because it is a cheap, effective way to link covered entities with their ASPs. Otherwise, the covered entities would have to lease private lines to communicate with the ASPs, which would be too expensive.

VPNs meet the requirement that information be protected even during transmission, so they are widely used. They protect only the link, however: PHI is in the clear at both endpoints, so the endpoint systems still need the access, audit, and authentication controls described above.

The Importance of Human Security

The problem with the security of information is that technological restrictions can only do so much. Many security problems stem from human error, human oversight, and bad intentions. Someone with legitimate access to certain data could, if he wanted to, misuse it (e.g. by selling it to someone who has no legal right to it). HIPAA outlines procedures to help minimize this problem through the use of employee training and civil and criminal penalties.