Last month, I presented summaries of the federal HIPAA healthcare law (What Is HIPAA) and the portion of the law related to computer security (Conducting a HIPAA Security Audit). I also mentioned some of the ways the security rules overlap with Domino/Notes, and I included a downloadable tool to perform HIPAA security audits. The tool is a Notes database that contains each line item of the HIPAA security rules. If you expect to have any involvement with the healthcare industry over the next two years, I encourage you to skim the default view of this database.
This month, I drill down within the security rules to examine them in more detail, with further discussion about implementing them in Domino/Notes systems. (And I promise that next month's tip won't be about HIPAA!)
As I mentioned before, the HIPAA security regulations are divided into five sections:
Four of these sections are independent of the computer system being discussed. In other words, the rules don't care if we are talking about a VisualBasic application running on WinXP or Domino running on Linux. The Administrative rules discuss management activities such as naming a security officer, performing risk analysis, and various personnel procedures. The Physical rules are concerned with where computers are located, how they are locked, and how backup media is handled. Organizational rules discuss contracts and relationships with business partners, and Policy rules govern documentation and retention of security procedures.
Only the Technical section of the HIPAA security rules actually addresses what is normally thought of as "computer security." The detailed line items of this section, with the actual language from the law, are:
The first thing to notice about the technical security rules is that they say nothing about how any of these items should be implemented. For example, there is no requirement that an organization use SSL (supported by Domino) to satisfy #9, or a public/private key ID system (such as Notes) for #7. On the other hand, the Domino/Notes solutions to these line items are perfectly acceptable, since they meet the stated requirements. This lack of specificity is one of the major changes from the draft version of the rules to their final wording.
Also important for SearchDomino readers is the fact that Domino and/or Notes contain built-in mechanisms to easily meet each of the technical security line items. Here is a look at each one:
In summary, Domino and Notes have no inherent problem meeting the HIPAA security requirements. Of course, like any tool, Domino/Notes must be used correctly in order to achieve the HIPAA goals. And an organization must also meet the other (significant) non-technical security requirements.
Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes. He also helps healthcare organizations meet the HIPAA security rules through his web site HipaaSecurityExperts.com.