HIPAAnotes Volume One, Numbers 1-5
No. 1 (10/30/00): HIPAAterms: NPRM vs. Final Rule?
Most of the "proposed" HIPAA standards have been published. These
are called NPRMs -- Notices of Proposed Rule Making. Once an NPRM is
published in the Federal Register, there is a 60-day public comment
period. Comments are reviewed by the Department of Health and Human
Services and revisions are made. Then the Final Rule is published in
the Federal Register.
Similarly, 60 days after publication of a final rule, Congress may
review it and take action if deemed appropriate. But at this point,
it's unlikely that new changes will be made. Once this 60-day
period ends, the Final Rule officially becomes effective. Compliance
is required within 24 months for most organizations (small plans have
36 months).
View the tentative HIPAA rules publication schedule at: http://www.hipaadvisory.com/news/compliancecal.htm
No. 2 (11/6/00): HIPAAdetail: Paper and Electronic
The proposed HIPAA SECURITY reg covers only electronic forms of
data. The proposed PRIVACY reg covers both electronic forms of data
and any paper printouts of that info. For example, info from the
admission record is now printed on the face sheet of the patient's
record.
If your health-related organization has a PC and printer, you will
have to comply with BOTH the security and privacy regs for that
PC and printer. So if, say, you print out lab values, the paper
hard copy will have to comply with the privacy reg.
DHHS has said that the final privacy reg is likely to tighten standards
of the proposed rule -- to include covering all paper, not just
the paper "progeny" of an electronic system. If so, the complete
paper patient record will have to comply with the privacy reg.
Even if the final privacy reg doesn't go this far, most organizations
may still choose to protect both paper and electronic records with
the same standards. Many will, after all, want to ensure that all
individual health information is kept equally private and secure
-- and prevent the potential confusion of complying with two different
sets of standards.
No. 3 (11/13/00): TechTerm: Firewall
A firewall is anything that performs the function of a firewall,
if you like your reasoning circular. So, as you probably guessed,
a firewall isn't a wall of fire. It can be a piece of hardware or
a piece of software. A software firewall is a program installed
on your network machine(s). A hardware firewall is a physical box
attached to the network.
Whatever kind you use, it will filter everything coming into your
network and leaving your network. All traffic to and from the protected
network (i.e., your hospital's LAN) passes through this gateway.
You will need to decide what will be allowed through the filter
and what will be stopped.
Simply having a firewall is not a security policy. Rather, it will
help implement your security policy. The firewall can be configured
to execute your policy.
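To make the "policy versus firewall" distinction concrete, here is an added example (not from the newsletter) of a minimal packet filter: the rule table is the written policy, and the filter only executes it. The addresses and the two-rule hospital policy are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one line of the written access policy; Direction is "in" or "out".
type Rule struct {
	Direction string
	Src, Dst  netip.Prefix // CIDR ranges; a /32 pins a single host
	Port      uint16       // destination port; 0 matches any port
	Allow     bool
}

// Filter applies the rules first-match-wins and drops anything no rule
// explicitly allows (default deny): the table is the policy, the filter
// only executes it.
func Filter(rules []Rule, dir string, src, dst netip.Addr, port uint16) bool {
	for _, r := range rules {
		if r.Direction != dir || !r.Src.Contains(src) || !r.Dst.Contains(dst) {
			continue
		}
		if r.Port != 0 && r.Port != port {
			continue
		}
		return r.Allow
	}
	return false
}

// HospitalPolicy is a constructed sample with hypothetical addresses: the
// hospital LAN 10.1.0.0/16 may reach any host on port 443, and only the lab
// partner network 203.0.113.0/24 may reach the results server 10.1.5.20.
func HospitalPolicy() []Rule {
	lan := netip.MustParsePrefix("10.1.0.0/16")
	anywhere := netip.MustParsePrefix("0.0.0.0/0")
	partner := netip.MustParsePrefix("203.0.113.0/24")
	results := netip.MustParsePrefix("10.1.5.20/32")
	return []Rule{
		{"out", lan, anywhere, 443, true},
		{"in", partner, results, 443, true},
	}
}

func main() {
	src, dst := netip.MustParseAddr("198.51.100.7"), netip.MustParseAddr("10.1.5.20")
	fmt.Println("unknown host to results server allowed:", Filter(HospitalPolicy(), "in", src, dst, 443))
}
```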
To learn more about firewalls and other security technology, go
to: http://www.hipaadvisory.com/tech/
No. 4 (11/20/00): HIPAAterm: What is a "Business Associate"?
Do you know who your associates are? Under HIPAA, a Business Associate
is "a person who performs a function or activity regulated by this
subchapter on behalf of a covered entity." Examples are lawyers,
auditors, consultants, third-party administrators, health care clearinghouses,
data processing firms and billing firms. Your business associate
can be a covered entity in her own right, but cannot be part of
your workforce. So, another hospital might be a Business Associate,
but members of your staff are not Business Associates.
You must require a business associate to comply with the regs.
You must also ensure any agent or subcontractor of theirs will comply.
These rules are meant to keep data private even when it is sent
outside of a "covered entity."
The proposed privacy reg used the term "Business Partner." The
final Transactions and Code Sets reg uses "Business Associate."
For more definitions of HIPAAterms, go to: http://www.hipaadvisory.com/action/faqs/glossary.htm
No. 5 (11/28/00): TechTerm: Digital Signature
The terms e-signature, electronic signature and digital signature
are often used interchangeably. This is because the industry uses
the term "digital" and the recently signed law used "electronic."
And we all love "e-" anything. "Electronic" is actually a broader
term, and digital signatures are a form of electronic signatures.
A digital signature is not, as you might imagine, a scanned image
of your written signature.
A digital signature typically does two things. It identifies the
sender and confirms that the contents of the message weren't altered
during transmission.
To create a digital signature you must have special software. This
software computes a digest of the text of your message. The digest
is then encrypted and sent with the text message as the "signature."
The recipient decrypts the signature and recomputes the digest from
the received text. If the digests match, the message is authenticated
and proved intact from the sender.
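The digest-then-sign exchange just described, as an added example that is not part of the newsletter: the sender hashes the message and signs the digest with a private key, and the recipient recomputes the digest and checks it with the matching public key. It uses Go's standard library RSA (PKCS#1 v1.5 with SHA-256); the message text is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign computes the SHA-256 digest of the message and transforms it with
// the sender's private key (RSA PKCS#1 v1.5). Only the digest is signed;
// the message text travels alongside it, unencrypted.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest from the received text and compares it
// with the digest recovered from the signature using the sender's public
// key. Any change to the text, or a signature made with a different
// private key, makes the comparison fail.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo runs the exchange on a constructed sample message and reports
// whether the original verifies and whether an altered copy does.
func Demo() (original, altered bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	msg := []byte("Lab result for MRN 000123: potassium 4.1 mmol/L") // constructed
	sig, err := Sign(priv, msg)
	if err != nil {
		return false, false, err
	}
	changed := []byte("Lab result for MRN 000123: potassium 7.1 mmol/L")
	return Verify(&priv.PublicKey, msg, sig), Verify(&priv.PublicKey, changed, sig), nil
}

func main() {
	ok, bad, err := Demo()
	fmt.Printf("original verifies: %v, altered copy verifies: %v, err: %v\n", ok, bad, err)
}
```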
To learn more about digital signatures and other security technology,
go to: http://www.hipaadvisory.com/tech/