In a companion article, "What is HIPAA?", I present a summary of the new federal law called HIPAA that affects the healthcare industry. My particular interest in this law, like that of many readers, is obviously the portion of the rules that applies to computer security. All healthcare organizations will be reviewing and changing their computer systems over the next two years, to meet the HIPAA security deadline of April 2005. (Smaller organizations have until April 2006.)
Reading the security rules is quite a nightmare, however. The paragraphs, subparagraphs, and bullet points are nested at least five levels deep. To help you get started, this article provides a brief summary of the security rules, with some pointers about how they apply specifically to Domino and Notes. I also include a link to a HIPAA audit tool I developed as a Notes database.
The HIPAA security rules are divided into three main sections, along with two other paperwork requirements.
- Administrative – management activities related to security, such as risk analysis, identifying a security officer, and employee termination procedures.
- Physical – securing rooms and media, including items such as door locks and re-use of backup media.
- Technical – areas that are thought of as core "computer security" such as user IDs, encryption, and automatic logoff.
- Organizational – contracts with business partners, to make sure the contracts address security concerns.
- Policies, Procedures, and Documentation – management of the documentation related to the security rules.
Some parts of the security rules particularly relate to Domino and Notes, and are made easy by features of these products.
- Under the Administrative section, there is an item that calls for "procedures for terminating access to electronic protected health information when the employment of a workforce member ends." With Domino, this is a simple matter of implementing a Terminations group in the NAB, and then adding ex-employees to this group.
- Also in the Administrative section, there is a line item that requires "procedures for monitoring log-in attempts and reporting discrepancies." This is easy to do in Domino, since this information is automatically saved in the server log file.
- The Technical section asks for "unique user identification." Of course, this feature has existed in Domino and Notes for many years in the form of Notes ID files.
- An interesting requirement is to "establish procedures for obtaining necessary electronic protected health information during an emergency." In other words, healthcare staff should be able to "break the glass" and get information they need to save someone's life, even if they don't normally have the proper access. The system should document any actual emergency access for later review. This requirement can be met in Domino with a special user ID that has unlimited access, and a documented procedure for getting this ID.
- The Technical rules call for "procedures that terminate an electronic session after a predetermined time of inactivity." Again, this feature is built into the Notes client and is simple to implement.
- As a final example, HIPAA asks for "technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network." Domino meets this rule with its support for SSL over the Internet, and Notes includes port encryption for native Notes traffic on a LAN.
An important point to understand about the security rules is that each line item is marked as either "required" or "addressable." Required means what you think: you must do it. Addressable means that you are not required to do the item. But if you do not, you must carefully document why not and what your alternative plan is to meet the same overall security goals. Many people misinterpret addressable as "optional." It does not mean optional.
Below is a link to the HIPAA security audit tool I created as a Notes database. Each detailed item of the security rules is a separate document in the database. Within each document are fields for: a summary of the item, full details of the item rules, the audit status of that item (not started, passed, failed), a flag to indicate if the item is required or addressable, and detailed results information.
http://www.chc-3.com/downloads/hipaa_security_audit.zip
This is the first public release of this tool, so it is not perfect. Feel free to improve the database and, if you want, send it back to me. I will add the best changes to the public copy.
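The required/addressable distinction and the audit record described above can be expressed as a small check. This is an added example in Python, not the Notes database itself; the `rationale` and `alternative` fields, the rule that a documented alternative closes a failed addressable item, and the sample records (including their required/addressable flags) are assumptions made for illustration.

```python
from dataclasses import dataclass

STATUSES = {"not started", "passed", "failed"}  # audit statuses named in the article

@dataclass
class AuditItem:
    summary: str
    required: bool               # True = "required", False = "addressable"
    status: str = "not started"
    results: str = ""
    # Assumed fields (not in the article's field list): where an addressable
    # item that was not implemented records why not and what replaces it.
    rationale: str = ""
    alternative: str = ""

def open_findings(items):
    """Return (summary, reason) pairs for items that still need work."""
    findings = []
    for item in items:
        if item.status not in STATUSES:
            findings.append((item.summary, f"unknown status {item.status!r}"))
        elif item.status == "passed":
            continue
        elif item.status == "not started":
            findings.append((item.summary, "not yet audited"))
        elif item.required:
            findings.append((item.summary, "required item failed: must be implemented"))
        elif not (item.rationale.strip() and item.alternative.strip()):
            findings.append((item.summary,
                             "addressable item not met: document why not and the alternative plan"))
        # failed + addressable + documented rationale and alternative: treated as closed
    return findings

# Constructed sample records; verify each flag against the rule text before relying on it.
SAMPLE = [
    AuditItem("Unique user identification", True, "passed", "Notes ID files in use"),
    AuditItem("Emergency access procedure", True, "failed", "No documented break-glass ID procedure"),
    AuditItem("Automatic logoff", False, "failed", "Shared workstations never lock"),
    AuditItem("Transmission encryption", False, "failed", "Port encryption off on one LAN segment",
              rationale="Segment is physically isolated", alternative="Locked wiring closet, no uplink"),
    AuditItem("Log-in monitoring", False),
]

if __name__ == "__main__":
    for summary, reason in open_findings(SAMPLE):
        print(f"{summary}: {reason}")
```
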
This was first published in May 2003