The United States Congress introduced the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to address the need for security standards and to protect the confidentiality and integrity of private health information. HIPAA affects health care organizations by requiring mechanisms to be put in place to control the privacy and security of sensitive patient data stored and exchanged electronically. HIPAA also affects health care organizations by encouraging the conversion of traditional paper based health care information systems to electronic health care information systems through a standardization of all shared electronic information to make healthcare more effective and efficient. HIPAA also mandates that the design and implementation of these electronic health care information systems protect the privacy and security of individuals’ health information. HIPAA X12 standards, version 5010, is a new standard that regulates the electronic transmission of specific health transactions. Entities that need to conform to HIPAA are health plans, health care clearinghouses and any health care providers that transmit health information in electronic form. The compliance date for use of these new HIPAA X12, version 5010, standards is January 1, 2012. The HIPPA Act of 1996 required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop rules known as the HIPAA Privacy Rule and the HIPAA Security Rule. Within the U.S. Department of Health and Human Services (HHS), the Office of Civil Rights (OCR) is responsible for implementing and enforcing the privacy and security rules.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes a set of national standards to protect medical records and sensitive health information. This rule addresses the use and disclosure of individuals’ protected health information (PHI) by organizations subject to the privacy rule. An increasing number of organizations are utilizing new forms of health information technologies (HIT) which usually involves the transition of PHI from paper to electronic form. A major purpose of the privacy rule is to define and limit how organizations can use or disclose PHI. Under the privacy rule, organizations must develop and implement policies and procedures that restrict and limit access of health information based on specific roles of members of the organization’s workforce and they must limit uses and disclosures of the information to the minimum necessary to accomplish their intended purpose. Many health care providers are adopting electronic health records (EHRs) to enhance the effectiveness and efficiency of the health care they deliver. The privacy rule became effective on April 14, 2001 and most health plans and health care providers had to comply with its requirements by April 2003.
HIPAA Security Rule
The HIPAA Security Rule is a set of national standards that protects medical records and sensitive health information that is held or transferred in electronic form. One of the major goals of the security rule is to protect the privacy of health information of individuals while allowing organizations covered in HIPAA to adapt to new technologies to improve the quality and efficiency of health care. The security rule requires covered entities to maintain appropriate administrative, technical and physical safeguards for protecting electronic protected health information (e-PHI). Under the security rule, organizations must ensure the confidentiality, integrity and availability of all e-PHI that they create, receive, maintain and transmit. Organizations must be able to identify and protect against anticipated threats to the security of the information and also protect against impermissible uses or disclosures of this information. Organizations must also ensure sure that e-PHI is not able to be accessed by unauthorized persons and that their workforce ensures compliance. Identifying and protecting against anticipated threats and uses is also a requirement by the security rule that organizations must follow. The security rule became effective on February 20, 2003 and most health plans and health care providers had until April 2005 to comply with its requirements.
Out of Band Authentication Technology
By leveraging an out of band authentication platform, members of an organization’s workforce can authenticate themselves before accessing protected health information and preventing unauthorized users from accessing it. An organization can also limit access of these members by assigning limitations depending on their roles within the organization and it will prevent unauthorized users from accessing the information.
Traditional methods of accessing health care data remotely such as using a login and password can be easily compromised by phishing attacks, malware and man in the middle attacks (MITM). Health care organizations can combat these attacks by utilizing two factor authentication, also called strong authentication, along with out of band authentication to authenticate users and block unauthorized users trying to access this health information. By combining login credentials along with an out of band authentication platform, organizations can add another layer of security to protect against attacks and data breaches. A user is authenticated by entering in their login credentials within an online portal and through a secure centralized server on a separate channel, in which an OTP is generated and sent to the user’s mobile device which is a true method of two factor authentication. By using two factors to authenticate a user, something that a user knows (login credentials) and something that a user has (mobile device), chances of health information accessed by unauthorized persons is much less likely and organizations can confidently store their health information in electronic form and access the information remotely and securely.HIPAA Solution
Two-factor authentication is an effective way for health care organizations to protect their health information and prevent attacks because even if one layer of security (login and password) is compromised by an attacker, the second layer of security (OTP sent to mobile device) would stop the authentication process and prevent access to the information. Organizations that are converting from paper based health care information systems to electronic health care information systems need to make sure that their electronic health records information remain safe and that there are safeguards in place to control access to this information.
Using an out-of-band authentication platform meets and exceeds the requirements of HIPAA by incorporating two-factor authentication while utilizing out of band authentication in a cost efficient way. Out-of-band authentication is an effective layered security process that controls security access and is easy to use. By using a mobile device as an authentication device, such as a mobile phone which the majority of the organization’s workforce already has, users can utilize two-factor authentication without needing to carry additional hardware tokens to authenticate themselves and organizations can save on costs to implement security devices. Users do not need to download any additional applications on the mobile devices since a one time password platform uses the SMS system to send the one time password and is a “zero footprint solution.” Out-of-band authentication is the preferred, cost effective two factor authentication solution that can ensure that organizations comply with HIPAA standards while also protecting sensitive health information.