|
INTRODUCTION
As with all other businesses, healthcare organizations have, or are, moving rapidly toward transmission of information over the Internet to take advantages of the associated flexibility, speed, and inherent cost-savings. However, with the benefits of electronic information transfer come the regulations and liabilities associated with privacy and unauthorized access of data, most notably in the form of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
A major component of HIPAA addresses administrative simplification of how healthcare information is handled. Specifically, HIPAA and the related proposed Standards for Security and Electronic Signatures (SES) aim to standardize how electronic patient data is accessed as well as transmitted between organizations.
SES mandates requirements in five broad areas:
- Administrative Requirements ? covering certification, policies, controls and auditing
- Physical Security Requirements ? governing and auditing physical access to systems and media
- Technical Security Services ? systems and software used to protect electronic data
- Technical Security Mechanisms ? including network access controls, alarms, auditing and reporting
- Electronic Signature Standards ? auditing and non-repudiation of electronic transactions
With the entry of HIPAA into the Federal Register on 28 December 2000, healthcare organizations of all sizes must move to comply with its mandates ? by April 14, 2003 for large organizations - and April 14, 2004 for small organizations. Never in US history has such a sweeping set of electronic security standards been enacted, and the affected organizations are now researching solutions in earnest. An article in Health Management Data Magazine refers to the security and privacy provisions of HIPAA as the most challenging federal information security requirements facing healthcare organizations [Joseph Godert, "The Dawn of HIPAA", Health Data Management Magazine, April 2000]. Also affected are the myriad organizations outside the healthcare industry that must handle individual patient data as part of their business - including legal, financial, insurance and outsourced IT infrastructure organizations (e.g. ASPs).
Existing players in the electronic security industry are positioning their current product lines as 'HIPAA solutions', bringing to bear large-scale deployments of complex technologies such as Public Key Infrastructure (PKI). Without exception these approaches are expensive, resource intensive to install and maintain, difficult and constraining to use, and not suited for mixed communication with organizations and individuals.
For healthcare providers and insurers who need to ensure their organizations are fully HIPAA compliant, Sigaba? offers an email security solution that ensures the security of their communication and mitigates potential legal exposure. Unlike existing products, Sigaba installs in about a half a day and features simple, highly automated administration.
Sigaba's solutions are almost completely transparent to end-users and require little or no end-user training. Sigaba upholds comprehensive interoperability with its standards-based software that works with all leading email platforms, email servers and clients, authentication approaches and techniques, fully leveraging existing IT investments. The solutions offer complete policy control that enables system administrators to enforce security policies and provide rigorous, end-to-end security based on the Federal Advanced Encryption Standard, AES.
This document details the mandated and proposed rules generally referred to as the 'HIPAA requirements' and how they affect healthcare organizations and their business partners transmit medical information electronically. The document then describes how technical solutions from Sigaba map to those requirements (both in detail and summarized tabular form).
After reading this document you should have a solid overview of the HIPAA requirements, as well as an understanding of Sigaba's capability to meet those requirements.
OPPORTUNITY
According to the VHA and Deloitte & Touche Health Care 2000 study approximately 33.5 million Americans received healthcare information online in 2000. With projected population growth, general availability of Internet access, increasing mobility, and a wider variety of healthcare options available to Americans, demand will only increase for electronic transfer of patient information. Private data that will primarily be delivered electronically includes portable, universal health records and history, web and email-based test results, online appointment scheduling and reminders, and electronic dialogue with physicians and other healthcare providers.
Electronic information can be exchanged in many formats (email, documents, instant messages, web pages, EDI) to a variety of recipient environments, such as email, browser, PDA, wireless phone, pager, or text-to-voice. In a digital world, reproducing information is essentially free, copies can be as authentic as the original, and information is easily disseminated.
|
