How To
HIPAA-cratic Oath
Lew Wagner, CISO at the University of Texas M.D. Anderson Cancer Center, answers readers' questions about HIPAA
November 08, 2002
CSO
A: The use of Social Security numbers is, in general from a security perspective, bad karma. Too many identity theft criminals use that data as a jumping-off point to steal your personal information, ruin your credit and illegally acquire goods, services and products.
The identification numbering system proposed by the HIPAA regulations is an effort to reach a more robust level of patient, provider and payer identification, as well as to streamline reporting of such information across disparate private, state and federal reporting systems and networks.
I highly recommend that if your organization is using Social Security numbers, you should discontinue that as soon as possible.
Q: How are health-care organizations addressing the overlap between the final privacy regulations and the proposed security regulations?
A: There are many crossover points between the privacy and security regulations under HIPAA. Many of the administrative and policy stipulations under privacy require a technological component to enhance the compliance requirement. The fact that the security regulations' final implementation by Health and Human Services has been delayed numerous times since 2000, and will most likely be delayed again, doesn't change the fact that privacy regulations must be complied with.
A close, coordinated effort needs to be accomplished between security and privacy groups within health-care organizations so that security efforts don't waste money or result in stovepiped, duplicate efforts.
Q: In an environment that manages medical records, can we maintain HIPAA compliance when we are forced to grant rights to an untrusted third party by giving it access to our system?
A: No, you will be in noncompliance. However, by employing administrative and technological procedures, you can sequester such information from third parties that don't need to know versus those that provide an application service provider service (like electronic medical records). Contractual and service level agreements can be created to protect your institution by obligating the third party to abide by patient health-care information protection requirements.
If the third party is untrusted, I question why you would give it information in the first place, but many legacy holes of this type exist. I have often heard health-care admins or nontechnical folks blindly accept a vendor statement like, "You have to do it our way." That couldn't be further from the truth. The organization I work at has compiled an extensive set of security requirements that we provide to prospective and current vendors.