


HIPAAnotes Volume One, August 2001

No. 39 HIPAAreg: Identifying the Patient

How can you tell that a record belongs to a particular person? When is the information "individually identifiable"?

Since de-identified health information is not considered to be Protected Health Information under HIPAA, it's important to know how to properly de-identify PHI.

HIPAA lists 18 elements that must be removed. Some of the elements are common sense and include name, street address, a photo of the person's face and Social Security number. Others are more high-tech and include e-mail address, Web site URL and IP address.

Some of the 18 elements pose a bit more of a challenge. Dates, such as birth date or admission date, must be removed, except for the year. The first three digits of a zip code can be retained, if the population of the area is large enough.

Finally, other elements may need to be removed if it's reasonable following "generally accepted statistical and scientific principles" to use the information to identify the patient. These might include zip code and occupation, particularly in a small town. For example, the occupation of high school principal and the first three digits of the zip code could be used to identify the principal in a rural area.

Under HIPAA, someone with the appropriate knowledge and experience will need to make such determinations.

For more information and a list of all 18 elements, go to:
http://www.hipaadvisory.com/regs/finalprivacy/514.htm
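The rules the note describes (drop the direct identifiers, keep only the year of any date, keep the first three digits of a ZIP code only where the area's population is large enough, and hand the remaining judgement calls such as occupation to a qualified person) can be expressed as a small de-identification pass. The following is an added example, not code from HIPAAdvisory or from the regulation itself. The field names, the sample record and the population-per-ZIP-prefix table are constructed for the demo; the 20,000-person cut-off is the figure the Safe Harbor method in the Privacy Rule uses, which the note does not state, so treat it as an assumption to verify against the current text of the rule.

```python
"""Safe Harbor style de-identification pass (added example, not from the article)."""
from datetime import date

# Direct identifiers the note names as "remove entirely" (a subset of the 18).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "face_photo", "ssn",
    "email", "website_url", "ip_address",
}

# Date fields: everything except the year must go.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Quasi-identifiers the note says need an expert's judgement (the
# "high school principal in a rural area" case). Flagged, never auto-decided.
QUASI_IDENTIFIERS = {"occupation"}

# Assumption: population served by each 3-digit ZIP prefix. Constructed values.
ZIP3_POPULATION = {"021": 150_000, "590": 8_000}
# Assumption: Safe Harbor threshold below which the prefix is replaced by "000".
MIN_ZIP3_POPULATION = 20_000


def generalize_zip(zip_code, population_by_zip3, threshold=MIN_ZIP3_POPULATION):
    """Return the 3-digit prefix if its area is populous enough, else '000'."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return "000"  # malformed or truncated ZIP: do not leak a partial value
    zip3 = digits[:3]
    if population_by_zip3.get(zip3, 0) >= threshold:
        return zip3
    return "000"


def year_only(value):
    """Reduce a date (date object or ISO 'YYYY-MM-DD' string) to its year."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def deidentify(record, population_by_zip3=ZIP3_POPULATION):
    """Return (de-identified record, fields flagged for expert review)."""
    out = {}
    review = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # element must be removed outright
        if field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = year_only(value)
        elif field == "zip":
            out["zip3"] = generalize_zip(value, population_by_zip3)
        else:
            out[field] = value
            if field in QUASI_IDENTIFIERS:
                review.append(field)  # statistical judgement needed, per the note
    return out, review


# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "email": "jane@example.com",
    "ip_address": "192.0.2.10",
    "street_address": "1 Example St",
    "zip": "59001",
    "birth_date": "1960-03-14",
    "admission_date": date(2001, 8, 2),
    "occupation": "high school principal",
    "diagnosis_code": "J18.9",
}

if __name__ == "__main__":
    cleaned, flagged = deidentify(SAMPLE_RECORD)
    print(cleaned)  # zip3 '000' (area too small), years only, identifiers gone
    print("needs expert review:", flagged)  # ['occupation']
```

The function deliberately does not try to decide the occupation question itself: the note is explicit that a person with the appropriate knowledge and experience makes that call, so the code surfaces the field and leaves the decision to them.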


No. 40 HIPAAtech: Biometrics -- Using You to Identify You

How many different passwords do you have? We are now using passwords and PINs for everything from the garage door to our ATM card. It's inevitable that you'll forget at least one.

What if who you are were what granted you access? Under the proposed HIPAA Security Standards, biometrics may be used to authenticate users, along with a user id.

Fingerprints are the most common biometric and have been used successfully for a number of years. Scanners can be attached to computer keyboards to grant access. Sophisticated scanners can get a 3D scan and even scan for a pulse.

Facial recognition, voice recognition, retina scans and iris scans are becoming more common, less expensive and more accepted. On the cutting edge of biometrics are thermal emission, body odor, ear shape and typing pattern recognition.

For more information on HIPAA-related technology, go to:
http://www.hipaadvisory.com/tech/index.htm


No. 41 HIPAAdetail – Security: One Size Does Not Fit All

To become HIPAA-compliant, will your organization have to employ a disaster recovery plan? Firewalls? Individual passwords? Biometrics? PKI? VPNs?

The short answer is yes, yes, yes, no, no, no.

The longer answer: DHHS and its healthcare security advisors decided early on that, to work, HIPAA security standards would have to be “scalable.” The Security Rule’s standards are “technology-neutral” for at least two reasons:

  1. The measures required to secure health information in a large, multi-entity organization with multiple systems would not be necessary or feasible in a smaller organization, such as a physicians’ practice.

  2. New technologies are being developed continually, and old technologies are being changed or upgraded.

So, the security standards do not “prescribe” specific technologies, procedures or practices such as PKI or biometric solutions. They set a minimum level or “floor” of security, not an optimal or “best practices” level.

However, the Security Rule does outline commonly accepted administrative, physical, and technical aspects of security that must be addressed – including disaster recovery and access controls such as firewall protection and workstation log-offs.

Specific solutions within these required security areas are essentially up to the organization. However, solutions must be based on thorough assessments of the organization’s security risks and vulnerabilities, practicality and cost factors, and the investment necessary to become adequately protected. Then each covered organization may devise its own plan to implement security measures that are appropriate to its peculiar needs, capabilities and circumstances.

For more information on security and technical issues, go to:
http://www.hipaadvisory.com/action/Security/
http://www.hipaadvisory.com/tech/



HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2006. All rights reserved.