HIPAA-iQ - QuadraMed's Internet Forum on HIPAA Preparedness
Frequently Asked Questions
Why do we need legislation like HIPAA? Aren’t healthcare organizations already taking steps to protect confidential information?
Current efforts aren’t enough. Healthcare organizations have been slow to adopt strong security practices because there haven’t been strong management or organizational incentives to do so. And, the need to assure access to information for patient care actually works against having strong access controls and other security mechanisms.
  • Many hospitals allow physicians access to all patient records, not just the patients they’re treating, to be sure they have information needed in an emergency.
  • Concerns about inconvenience of token-based authentication systems have led to reliance on more convenient (and less secure) log-in IDs and passwords.
  • Many organizations don’t maintain audit logs of accesses to clinical data. Others have audit logs but haven’t developed tools or procedures for systematically reviewing those logs for patterns of abuse.
  • Vendors haven’t put advanced security features on their systems because healthcare organizations haven’t demanded them. Instead, vendors have focused development efforts in functional areas.

If healthcare organizations are in compliance with Joint Commission standards, won’t that cover HIPAA compliance?

Current Joint Commission standards address information security, but not as specifically as HIPAA:
  • IM.2.2: Systems are designed to allow timely and easy use of data without compromising security and confidentiality.
  • IM.2.3: Information is protected against loss, destruction, tampering, and unauthorized use.
  • RI.1.3: Hospital demonstrates respect for patient privacy and confidentiality.
  • Accredited hospitals are required to comply with "state and federal law and regulation."
Executives at the Joint Commission don’t expect to make any major changes in the current standards for Information Management (IM). They may add HIPAA examples to the "Intent" statements or "Examples of Implementation" in the IM chapter.

The Joint Commission is comparing its current standards and survey process to HIPAA requirements. Accredited organizations can expect to see a more intense focus on information security in the survey process. However, the Joint Commission does not have capability or time to fully evaluate compliance with HIPAA standards during accreditation surveys, so it will not certify that organizations are in compliance with HIPAA.

Bottom line: Compliance with Joint Commission standards is a good start, but healthcare organizations still have a lot of work to do to be in full compliance with the information security standards outlined in the HIPAA regulations.


Most of the security requirements outlined in the proposed regulations are quite general, and the stated focus of the regulations is to be "technology neutral." For electronic signatures, though, the proposed requirement is a digital signature. What exactly does that mean, and how easy will it be for vendors and healthcare organizations to implement this?

HIPAA will not require the use of electronic signatures. If they are used, however, they must comply with the requirements that will be outlined in the final regulations. Currently, the Department of Health and Human Services proposes to adopt a cryptographically based digital signature as the standard.

The proposed electronic signature process has four critical elements:

  • Authentication of the signer’s identity;
  • A signature process according to system design and software instructions;
  • Binding of the signature to the document; and
  • Non-alterability after the signature has been affixed to the document.

How would a HIPAA-compliant digital signature work?

First, it requires use of public-key technology. In a public-key system, there are two keys: one that is public and can be disclosed and one that is private and must be known only to the individual and the certificate authority. The certificate authority (a trusted third party) issues public-private key pairs, authenticates the identity of the individual to whom the keys are assigned, and binds the public key to that identity by digitally signing a document that contains the identifying information. A digital certificate is the complete package of a public key, a unique name, and the assurance by the certificate authority that the public key belongs to that individual.

A digital signature is formed by applying a mathematical hash function to the electronic document. This results in a unique bit string, referred to as a "message digest." Then, the digest is encrypted using the originator’s private key. The resulting bit stream is appended to the electronic document, and the document is transmitted over a communications network.

The person receiving the document decrypts the message digest with the originator’s public key, applies the same message hash function to the document, and then compares the resulting digest with the transmitted version. If they are the same, the recipient is assured that the message has not been altered in transmission and the identity of the signer is proven.

Since only the person who signed the original document can hold the private key used to digitally sign the document, the critical feature of non-repudiation is also enforced. Thus, the originator cannot deny signing a document that can be successfully decrypted with his public key.
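The sign-and-verify sequence described above, written out as an added example that is not part of the original FAQ or of any QuadraMed product. It uses only the Go standard library: the "encrypt the digest with the private key" step is performed by the library's RSA signing primitive (SHA-256 digest, PKCS#1 v1.5 padding), and the certificate authority, the certificate itself and the clinical note are left out or constructed; the function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateSignerKey creates the signer's public/private key pair. In a full
// deployment the certificate authority would bind the public key to the
// signer's identity in a certificate; this example stops at the key pair.
func GenerateSignerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignDocument reduces the document to a fixed-size message digest (SHA-256)
// and signs that digest with the private key (RSA, PKCS#1 v1.5 padding). The
// returned bytes are what would be appended to the document before sending.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDocument is the recipient's side: recompute the digest over the
// received document and check it against the signature with the signer's
// public key. Any change to the document after signing makes this false.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	signer, err := GenerateSignerKey()
	if err != nil {
		panic(err)
	}
	// A constructed clinical note standing in for the electronic document.
	note := []byte("Constructed note: MRN000123, order entered 2001-01-30 by dr.smith")
	sig, err := SignDocument(signer, note)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:       ", VerifyDocument(&signer.PublicKey, note, sig))

	// Non-alterability: change one character after signing and the check fails.
	tampered := append([]byte{}, note...)
	tampered[len(tampered)-1] = 'X'
	fmt.Println("altered copy verifies:   ", VerifyDocument(&signer.PublicKey, tampered, sig))

	// Binding to the signer: a signature made with a different key pair does
	// not verify under the original signer's public key.
	other, _ := GenerateSignerKey()
	otherSig, _ := SignDocument(other, note)
	fmt.Println("other key's sig verifies:", VerifyDocument(&signer.PublicKey, note, otherSig))
}
```

Running it prints true for the original note and false for both the altered copy and the signature made with another key, which is exactly the pair of properties (non-alterability and binding to the signer) the FAQ lists. What the code does not show is the certificate authority's part: without a certificate tying the public key to a named individual, the recipient only learns that the same private key signed the document, not who holds it.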

While the process involved in digital signatures is straightforward, it is far more robust than the electronic signature programs currently used by most healthcare organizations. Cryptography-based technologies are available for inclusion in healthcare systems, but they are rarely used, except in a few commercial products and some academic settings.

A public-key management infrastructure, an essential requirement for digital signatures, is not yet available. Although preliminary efforts are underway to establish such infrastructures in the banking and Internet commerce communities, to date, similar efforts have not been seen in the healthcare industry. An effective public-key management infrastructure would be required to certify provider organizations, physicians, nurses, other allied health personnel, and patients themselves. Significant challenges remain to develop a key management capability that is usable for healthcare.


What should healthcare organizations be doing to get ready for HIPAA?

  • Obtain copies of the proposed rules and read them carefully. As you do, make notes about how the requirements apply to your organization and any gaps between your current practices and proposed standards.
  • Sign up for e-mail notification of publication of documents related to HIPAA standards to keep current on the latest developments.
  • Add HIPAA compliance to your strategic plan, and identify key individuals in your organization to spearhead compliance efforts.
  • Collect your organization’s current security policies and procedures (both organization-wide and departmental). Review the policies and procedures you receive. Do they reflect current practice? Are they consistent across the organization? Assign appropriate individuals to update existing policies and procedures and develop new ones that are needed.
  • Make a comprehensive inventory of the individually identifiable electronic health information your organization maintains. Be sure to include information kept on personal computers and in research databases.
  • Conduct a risk assessment to assess potential risks and vulnerabilities to individually identifiable electronic health information. Include the possibility of outside attacks if your systems have Internet access or dial-up access.
  • Develop a work plan to address the identified risks, placing highest priority on the areas of greatest vulnerability.
  • Review/revise existing vendor contracts to assure HIPAA compliance.
  • Assess the accuracy of your master patient index (MPI) to see how many duplicates (patients assigned more than one number) and overlays (more than one patient assigned the same number) you currently have. Since most organizations lack the internal resources to efficiently perform an MPI clean-up project, obtain bids from reputable vendors and put this in your budget.
  • Evaluate new information security technologies. Consider adopting biometric identifiers (such as fingerprints, voiceprints, or retinal scans) for secure authentication of users.
  • Evaluate the audit trails on your existing information systems. To allow the best protection, audit trails must record every access (including read-only access) to patient information. Many current audit trails record only additions or deletions to electronic information. As you evaluate new systems, look for audit trail technologies that can analyze the large amount of information generated and flag suspicious patterns for further evaluation.
Remember there’s no such thing as absolute security. Keep your approach flexible, scalable, and reasonable. A flexible approach is important to take advantage of rapidly advancing security technology. Scaling your approach to the size and complexity of your organization will help to ensure economically feasible solutions. And, be sure the policies and procedures you develop are reasonable and that your organization can assure compliance. Documenting policies and procedures that are not followed consistently creates liability.
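The audit-trail point in the checklist above (record every access, read-only included, and flag suspicious patterns for review) is illustrated here with an added example in Go; it is not code from the FAQ or from any QuadraMed system. The audit-line format, the user and patient identifiers, the care-team assignments and the threshold of two patients per hour are all constructed for the example. It runs two of the checks a reviewer would want: access by a user who is not on the patient's care team, and one user touching an unusual number of distinct patients in a short window, which catches browsing by a legitimately assigned user that the first check alone cannot.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one parsed audit-trail record; Alert is one review finding.
type AccessEvent struct {
	When                  time.Time
	User, Action, Patient string
}
type Alert struct{ User, Reason string }

// ParseAuditLine parses the constructed format "<RFC3339 time> <user> <action> <patient>" assumed here.
func ParseAuditLine(line string) (AccessEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return AccessEvent{}, fmt.Errorf("malformed audit line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return AccessEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return AccessEvent{When: ts, User: f[1], Action: f[2], Patient: f[3]}, nil
}

// ReviewAuditTrail examines every access, read-only included. Check 1 flags access to a patient
// by a user not in careTeam[patient]; check 2 flags a user who touches more than maxPatients
// distinct patients inside any window of the given length, a pattern check 1 cannot see.
func ReviewAuditTrail(events []AccessEvent, careTeam map[string]map[string]bool,
	maxPatients int, window time.Duration) []Alert {
	var alerts []Alert
	byUser := map[string][]AccessEvent{}
	for _, ev := range events {
		if !careTeam[ev.Patient][ev.User] {
			alerts = append(alerts, Alert{ev.User, fmt.Sprintf("%s %s of %s, user not on care team", ev.When.Format(time.RFC3339), ev.Action, ev.Patient)})
		}
		byUser[ev.User] = append(byUser[ev.User], ev)
	}
	for u, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		inWindow := map[string]int{} // patient -> accesses inside the sliding window
		start := 0
		for end := range evs {
			inWindow[evs[end].Patient]++
			for evs[end].When.Sub(evs[start].When) > window { // drop events that fell out of the window
				if inWindow[evs[start].Patient]--; inWindow[evs[start].Patient] == 0 {
					delete(inWindow, evs[start].Patient)
				}
				start++
			}
			if len(inWindow) > maxPatients {
				alerts = append(alerts, Alert{u, fmt.Sprintf("%d distinct patients within %s", len(inWindow), window)})
				break
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { // deterministic order for output and tests
		return alerts[i].User+alerts[i].Reason < alerts[j].User+alerts[j].Reason
	})
	return alerts
}

// constructedLog is sample audit data made up for this example.
const constructedLog = `
2001-01-30T08:12:03Z rn.jones READ MRN000123
2001-01-30T08:15:40Z dr.smith UPDATE MRN000123
2001-01-30T09:02:11Z clerk.lee READ MRN000777
2001-01-30T12:00:00Z dr.smith READ MRN000201
2001-01-30T12:05:00Z dr.smith READ MRN000202
2001-01-30T12:10:00Z dr.smith READ MRN000203`

// SampleAlerts reviews constructedLog against a constructed care-team assignment (more than 2 patients per hour is flagged).
func SampleAlerts() ([]Alert, error) {
	careTeam := map[string]map[string]bool{
		"MRN000123": {"rn.jones": true, "dr.smith": true}, "MRN000777": {"rn.jones": true},
		"MRN000201": {"dr.smith": true}, "MRN000202": {"dr.smith": true}, "MRN000203": {"dr.smith": true},
	}
	var events []AccessEvent
	for _, line := range strings.Split(strings.TrimSpace(constructedLog), "\n") {
		ev, err := ParseAuditLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return ReviewAuditTrail(events, careTeam, 2, time.Hour), nil
}

func main() {
	alerts, err := SampleAlerts()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", alerts)
}
```

On the constructed data this produces two alerts: clerk.lee's read of MRN000777 (not on that patient's care team) and dr.smith's three distinct patients within one hour, even though every one of those patients is assigned to dr.smith. The second finding is the kind of pattern a log that records only additions and deletions can never surface, since the accesses are all read-only.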
Copyright © 1999-2000 QuadraMed, Inc.  All Rights Reserved

Site last updated January 30, 2001
For more information, please call QuadraMed at 1/800-393-0278.