
Internet standards offer unexpected HIPAA compliance options

Written by Christopher Fuller, Contributor
The most recent round of HIPAA standards protecting the privacy of individually identifiable health information took effect on April 14, 2003. Compliance is a top priority, but many organizations are having particular trouble securing e-mail and unstructured documents. Help might be on the way from an unexpected source.

Still a long way to go on privacy
Health information is regarded as individually identifiable health information (IIHI) if the data in question meets both of the following conditions:

  • It explicitly identifies an individual, or the individual's identity can reasonably be inferred from the data.
  • It concerns the physical or mental health of the individual, or the provision of or payment for healthcare to the individual.
While the regulation isn't really news anymore, it still leaves CIOs and IT teams with an impressive agenda. Pursuing the organization's own business initiatives while protecting electronic data in storage and in transmission, securing physical access to data, and building a structure that reliably and securely allows "real-world" interaction with that data is a tall order, to say the least.

Of course, it's made that much more difficult when you consider that even employees within your own organization will often be working against you. Not that any individual is purposely short-circuiting your best efforts, but the general system user can't be expected to learn entirely new ways of interacting with applications and hardware just to ensure compliance.

One of the surest signs of this can be found in a careful examination of your organization's e-mail traffic. Unless you're head and shoulders above the rest when it comes to technology-related policy compliance, chances are that someone in your organization has, in the last month, sent an unencrypted e-mail whose body or attachment would qualify as protected health information (PHI). In fact, a recent Zix Corp. study showed that 35 percent of the country's top 60 health insurers and over 50 percent of a pool of 100 U.S. healthcare chains have sent plain-text e-mails containing PHI since April 14.

Of course, HIPAA compliance is an organization-wide commitment, requiring as much work in the training of employees as in implementing technology to achieve compliance. However, there are compelling new standards-based products available that can help get your organization one step closer to achieving HIPAA compliance.


New rules, old tools

Some of the technologies being used to address HIPAA-related concerns might surprise you; not because they're so new you haven't heard of them, but because they've been around for quite a while. The biggest challenge presented by HIPAA is to accurately and consistently protect individuals' privacy without crippling your business. That being the case, the best technologies available would be those that allowed you to share exactly the right information (and only that information) with both individuals within your organization and the other entities with whom your organization does business. Much of this functionality is actually built into most enterprise data management systems, and enabling it is usually straightforward, if time consuming. "Offline" content, though, requires a more creative approach.

Enter WebDAV (Web-based Distributed Authoring and Versioning) and SSL. Neither is exciting or new, but both are proven, standardized means of sharing data without sacrificing security. The two will not address every HIPAA-related data access need, and the SSL connection protects a document only while it is in transit: the WebDAV server still has to authenticate each user, enforce per-folder access rights, and log who read or changed what. Even so, by publishing documents to a WebDAV share that is reachable only over HTTPS, you can close many of the holes in your existing practices without a huge investment. Specifically, you can replace e-mail attachments, FTP transfers, and ad hoc local file copies with controlled access to a single authoritative copy of each document.
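To make the point concrete, here is a small WebDAV client that uploads a document to a share and lists a collection, but only over HTTPS with the server certificate verified. This is an added example, not code from the article; the host name dav.example.org, the /phi/ collection, the user name and password, and the assumption that the server accepts HTTP Basic authentication over TLS are all placeholders. The sample 207 Multi-Status response is constructed here so the listing parser can be exercised offline.

```python
"""Move PHI documents to a WebDAV share over HTTPS instead of e-mailing them.

Added example, not code from the article. The server name, collection path
and credentials below are placeholders; the server is assumed to accept
HTTP Basic authentication over TLS.
"""
import base64
import http.client
import ssl
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

DAV_NS = "{DAV:}"


class PlaintextTransportError(ValueError):
    """Raised when a request would carry PHI over an unencrypted connection."""


def require_https(url: str) -> Tuple[str, int, str]:
    """Split url into (host, port, path), refusing any scheme other than https."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise PlaintextTransportError(
            f"refusing to send PHI over {parts.scheme or 'unknown'}://")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return parts.hostname, parts.port or 443, parts.path or "/"


def basic_auth_header(user: str, password: str) -> str:
    """Basic credentials are only base64-encoded, so they must never leave a TLS session."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def tls_context() -> ssl.SSLContext:
    """Default context verifies the certificate chain and host name; set the floor to TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _request(url, method, body, user, password, extra_headers, timeout=30):
    host, port, path = require_https(url)  # refuses http:// before any socket is opened
    headers = {"Authorization": basic_auth_header(user, password), **extra_headers}
    if body is not None:
        headers["Content-Length"] = str(len(body))
    conn = http.client.HTTPSConnection(host, port, context=tls_context(), timeout=timeout)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def webdav_put(url, data, user, password, content_type="application/pdf"):
    """PUT one document into the collection; 201 means created, 204 means overwritten."""
    status, _ = _request(url, "PUT", data, user, password, {"Content-Type": content_type})
    return status


def webdav_list(url, user, password):
    """PROPFIND with Depth: 1 lists the collection itself and its immediate members."""
    body = (b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:">'
            b'<D:prop><D:resourcetype/></D:prop></D:propfind>')
    status, xml = _request(url, "PROPFIND", body, user, password,
                           {"Depth": "1", "Content-Type": "application/xml"})
    if status != 207:
        raise RuntimeError(f"PROPFIND failed with HTTP {status}")
    return parse_multistatus(xml)


def parse_multistatus(xml: bytes) -> List[Tuple[str, bool]]:
    """Return (href, is_collection) for each response in a 207 Multi-Status body."""
    root = ET.fromstring(xml)  # server output is untrusted input; the stdlib parser does not fetch external entities
    entries = []
    for resp in root.iter(DAV_NS + "response"):
        href = resp.findtext(DAV_NS + "href", default="")
        is_collection = resp.find(".//" + DAV_NS + "collection") is not None
        entries.append((href, is_collection))
    return entries


# Constructed 207 response, shaped like a WebDAV server's answer to a Depth: 1 PROPFIND.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/phi/</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>/phi/referral-0001.pdf</D:href><D:propstat><D:prop><D:resourcetype/></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
</D:multistatus>"""


if __name__ == "__main__":
    print(parse_multistatus(SAMPLE_MULTISTATUS))
    # Placeholder credentials; the http:// URL is rejected before any connection is attempted.
    try:
        webdav_put("http://dav.example.org/phi/referral-0001.pdf", b"...", "alice", "s3cret")
    except PlaintextTransportError as exc:
        print("blocked:", exc)
```

The scheme check runs before a socket is opened, so a misconfigured link in a script or a user pasting an http:// URL cannot leak the document or the Basic credentials in the clear; certificate and host-name verification come from ssl.create_default_context(), which is what stops a spoofed server from collecting the same data.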
