The Value of Enterprise SSO to HIPAA Compliance
A resource guide compiled and edited by: Gregg LaRoche, Director of Product Management, Healthcare Division, Imprivata, Inc.
May, 2005
TABLE OF CONTENTS
Executive Summary ........ 2
Ways in Which the Right ESSO Solution Satisfies HIPAA Security Requirements ........ 3
HIPAA Security Standards ........ 3
Other Advantages ESSO Should Deliver to Healthcare Providers ........ 5
Imprivata OneSign's Advantages for HIPAA Compliance ........ 5
How OneSign Works ........ 6
The Advantages of OneSign Over Other ESSO Solutions ........ 7
Beyond HIPAA Compliance ........ 8
Executive Summary
When the U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA) of 1996, among the law's many provisions was the establishment of formal regulations designed to protect the confidentiality and security of patient information. Congress set a series of deadlines for healthcare institutions to comply with the new regulations, including an April 2005 deadline for the security requirements.
In addition to mandating new policies and procedures, the HIPAA security regulations require mechanisms for controlling access to patient data on healthcare providers' information technology (IT) systems. As the April 2005 deadline draws closer, meeting these IT security and access management requirements is proving to be a challenge for many institutions, for a number of reasons, including:

- Complex IT environments: Most hospitals' IT environments include a diverse assortment of legacy, PC and Web applications, both internal and external. Any access control method they employ must cover every application and platform in the environment.
- Complex legacy applications: Many healthcare institutions still rely heavily on legacy systems whose software code has grown increasingly complex over time. In many cases, institutions lack the resources to modify application code written years or decades earlier.
- Uncharted territory: While the government body responsible for enforcing the HIPAA regulations, the Office for Civil Rights in the U.S. Department of Health and Human Services, has published the requirements for HIPAA compliance, it has left it to the discretion of healthcare providers to determine how best to meet those requirements.
- Overburdened IT departments and help desks: As the number of internal and external applications grows, so does the number of passwords that employees must remember. Every time an employee forgets a password, IT departments and help desks, already strained by budget cuts and reduced staffing, must devote time and resources to resolving the problem. At the same time, user frustration intensifies and productivity drops.
- Cost: Many healthcare IT organizations lack the funding to undertake any HIPAA-related project that would require large capital outlays.
- Time: Development and deployment of enterprise-wide access control mechanisms can require months or years of effort, precluding any possibility of meeting the April 2005 compliance deadline.
- User cooperation: Many access control methods, such as strong password policies, place much of the burden of compliance on application users by requiring them to memorize multiple complex passwords and change them frequently. Institutions are likely to encounter increased help desk calls about forgotten passwords, as well as resistance from physicians and hospital staff, if the user-facing requirements of HIPAA compliance are perceived as too onerous.
Copyright © 2005 Imprivata, Inc.
To compound these challenges, a number of vendors have made false or exaggerated claims that their software solutions are "HIPAA-c...