Complying to HIPAA regulations

[mcsolas]

http://www.hipaadvisory.com/

I have been assigned to design the plan to create a "HIPAA compliant" system. My question is mainly, what are the basic steps that I need to follow in order to make sure I am heading in the right direction.

So far, I am starting with "all forms submit through SSL"
After that, its been hard to find more specs .. well there is plenty (maybe too much) information out there on the subject.

I was curious if it dictates that passwords are stored in a database using hashes and not real text.

[davidjmedlock]

Quote:

Originally Posted by MCsolas

http://www.hipaadvisory.com/

I have been assigned to do 3 sites that are to be "HIPAA compliant". The trouble is that I am on these sites to help out and there is so much information on there and not much of it really revolves around web site related issues. My question is mainly, what are the basic steps that I need to follow in order to make sure I am going to be building hipaa compliant sites.

So far, the main one I see is that all forms need to submit through SSL. After that, its been hard to find more specs.

I was curious if it dictates that passwords are stored in a database using hashes and not real text.

Well, SSL encryption is a start. Yes, passwords will need to be stored using hashes.

Another thing to strongly consider is encrypting any Individually Identifiable Healthcare Information (IIHI). This would include first name, last name, SSN, etc.

Another part of it is access control. You have to make sure that as few people have access to any healthcare information as possible. This means creating a user authentication system that prevents unauthorized persons from getting to the information you're storing.

Yet another issue is physicial access. You want to make sure that yuor servers are kept under lock and key. You should investigate the security of your servers with your hosting company.

[mcsolas]

Quote:

Well, SSL encryption is a start. Yes, passwords will need to be stored using hashes.

Looks like I will be learning how to store and check hashed passwords. I guess an appropriate system will follow where they must request a password reset link, then come in through that to change it.

Quote:

Another thing to strongly consider is encrypting any Individually Identifiable Healthcare Information (IIHI). This would include first name, last name, SSN, etc.

Well, if thats part of it, I guess we dont have a choice. However, showing this information off in part ( the names ) is part of the design of our system, so maybe only the SSN need encrypting.

Quote:

Another part of it is access control. You have to make sure that as few people have access to any healthcare information as possible. This means creating a user authentication system that prevents unauthorized persons from getting to the information you're storing.

Sounds good. No information is to be shown to un authorized ( public ) visitors to this site, so I think we should be ok.

Quote:

Yet another issue is physicial access. You want to make sure that yuor servers are kept under lock and key. You should investigate the security of your servers with your hosting company.

www.crystaltech.com - new data ware house and in Arizona, the most geographically stable part of the US. I feel quite secure with this host after several happy years parking many domains there.

[davidjmedlock]

If you're using a shared server then that could very quickly put you into rough waters. Keeping patient information on a server with other web sites/clients could be a dangerous thing.

You can encrypt/decrypt information (name, SSN, etc.) using PGP. Then you can encrypt it when you store it and decrypt when you retrieve it. I can't say how all of that is exactly done because the systems I've used have it already built in, so I've not seen how the coding side of it works.

Might look into a book called HIPAA@IT Essentials and HIPAA@IT Reference. They're written by a doctor (forgot his name) who is very familiar with healthcare information systems.

[mcsolas]

Quote:

If you're using a shared server then that could very quickly put you into rough waters. Keeping patient information on a server with other web sites/clients could be a dangerous thing.

Well you pinpointed my situation. I am going to let the higher ups know its time to request a dedicated setup from our webhost.

As for the encryption / decryption stuff, hmm... likely you can just run it through a decryption function. Maybe its not too bad.

Man, this is getting me in over my head real quick. Actually I think I entered those waters some time ago. Thank you very much for the feedback! Going to check out those books.

[Corey Bryant]

Everything should be encrypted - definitely when it concerns HIPAA. There are some hosting companies that claim they are "HIPAA compliant", you might check into those as well.

In all honesty though, this is a totally separate field from web development almost. It is even a bigger pain than Visa and MasterCard rules an regulations becuase the US government runs it.

And technically, the SSN is not to be used when it comes to a patient and insurance companies. (Of course, adding a letter or character before / after the SSN, it is no longer an SSN.)

[mcsolas]

Well my application is written on the CFM platform. I have a really good host at crystaltech, I really want to stick with them, as long as we can be compliant on their server.

I was interested in the encryption. As long as its stored in the database encrypted, would they really worry about it? How do they actually 'review' us for this...

Regarding SSN's, we are really just using these internally to help verify doctors license information, so adding something here isn't really needed .. ( I think )

Much thanks for the knowledge here. I am off to buy a SSL cert and plead for my first dedicated server! : )

[davidjmedlock]

A dedicated server is a must. One company that claims HIPAA compliance is C I Host. They have reasonable rates as well. Haven't used them yet, but I plan on looking into it in the future.

As for encryption, you should learn about using PGP (Pretty Good Privacy). I believe that is the encryption method generally recommended/preferred for HIPAA compliance.

[Corey Bryant]

We used CI Host about five years ago & never again. There were times we were down for a week. Back then, I thought it was normal. Do a search probably on this one and WHT on CI Host and their customer service. The last time I checked (about a year ago) they were still providing horrific customer service

I did find the one though that I mentioned: omedix.com

[mcsolas]

Quoting omedix site:
MAR 2005 - Hosting a healthcare website? We'll help you manage security, HIPAA-compliance, and more with Omedix Healthcare Hosting!

Sounds like they are about to set this up but that hosting isn't really their gig. We are setting up dedicated servers on crystaltech. I will post and let you know how we are doing with the system construction there. Also, if your needing better support from your webhost .. well I would have a hard time thinking of how they could handle themselves better in that category. They are one heck of a partner to have in that dept.

Quote:

You can encrypt/decrypt information (name, SSN, etc.) using PGP. Then you can encrypt it when you store it and decrypt when you retrieve it. I can't say how all of that is exactly done because the systems I've used have it already built in, so I've not seen how the coding side of it works.

You mention the PGP part was 'already built in' .. that sounds nice. If you have any suggestions on where to look for someone on that level, I was going to start with guru.com if I didn't have any better direction.

Since this is on a CFM platform, the host seems pretty well suited for us. However I am not sure how to make use of CFM / PGP together. .. looks like its time to get better at web design once again. Fun fun fun. Thanks for the help so far .. you are helping a very positive idea get off the ground.

[davidjmedlock]

Well, by "built-in", I mean that a company I worked for had purchased CF-based software that handle the PGP encryption for us, so I never had to code it (unfortunately for me).

In order to use PGP, you will have to purchase PGP software to run on the server and then purchase a CFX custom tag to interface PGP with ColdFusion.

[DoubleDrive]

Good information here...

I have one question regarding HIPAA regulations and web servers. I have a client who uses our webserver to collect data from a form (which includes Name, Health Services Needed and other data, but no SSN). How can I encrypt the e-mail that is generated from our web form that is sent with the data to the client? Is there another, more secure way I could do this? I thought about having it go to a database and then he logs in via VPN to get the data, but I'm not sure that's going to be an easy task for either of us.

Second, and I think I know the answer to this. He stores data out on a WebDav share that I'm pretty sure has some HIPAA red flags on it. We are NOT using SSL (although I've suggested it to him that we do it, but he's not sure about the extra costs associated with doing that), is the SSL cert going to be enough to make HIPPA happy? Or am I going to have to switch to a dedicated server?

[davidjmedlock]

As far as email goes: Email is not secure. There are ways to secure it, but I'm not an expert on that matter. I would approach it like this:

An email is sent to a message box (a database table) on the site. A notificiation goes out that says "You have a new message. Log in to read it.". The user logs into an SSL protected site and reads the message. All the information is kept encrypted and no IIHI is ever sent via unsecure email. This is the way most doctor/patient email communications work these days.

As far as the WebDav share, I can't say I'm all too familiar, but it doesn't sound secure. My definite recommendation would be to go dedicated AND add SSL.

General Disclaimer/Warning:

Remember that HIPAA carries some very severe consequences, beginning with $50,000 minimum fines and going up to $250,000+ fines and prison time (for intentional breaches). Be very careful when dealing with it. If you think that you should go an extra step, then go it. If there is an extra step that you could take to secure your app and data, then take it. YOU CANNOT BE TOO CAREFUL!

Also, consider that any advice you receive on public message boards should be taken strictly as advice and nothing more and that it is ultimately YOU who are responsible for compliance with federal and state laws. (And, yes, some states have even more restrictions and regulations in the HIPAA arena, such as California.)

[davidjmedlock]

For more info about ColdFusion encryption, you might read this article:
http://sys-con.com/story/?storyid=46359&de=1

The encryption methods described here should be sufficient for HIPAA compliance.

[mcsolas]

Quote:

Also, consider that any advice you receive on public message boards should be taken strictly as advice and nothing more and that it is ultimately YOU who are responsible for compliance with federal and state laws. (And, yes, some states have even more restrictions and regulations in the HIPAA arena, such as California.)

Yes, but so far its been pretty good advice!
=-=-=-
That link looks like it has enough info to get started. The one part I dont understand is where to safely store the key to decrypt the strings. I mean, do you just declare your key in the app.cfm file or have it stored in the CFC.

If you encrypt the CFC that holds the password, I guess that would help. Would that work?

[davidjmedlock]

Quote:

Originally Posted by MCsolas

That link looks like it has enough info to get started. The one part I dont understand is where to safely store the key to decrypt the strings. I mean, do you just declare your key in the app.cfm file or have it stored in the CFC.

If you encrypt the CFC that holds the password, I guess that would help. Would that work?

That's a question I've not yet figured out the answer to myself. I'd love to hear how others have approached this problem, though. Encrypting the CFC isn't going to do much because it takes all of 2 minutes to find a decryptor and crack it open.

I'd be interested in how others have approched this problem, whether in CF or any other language.

You might be able to create a Java class and compile the private key into it that way...

[oneclicksolution]

Interesting topic.

First off, MCsolas, I hope that these sites are yours (I.e. Not Contracted) and you "own" the connections that they will be placed on, otherwise you might be in some grey area. Secondly, I'm not lawyer, so use this opinion as your own risk however I have spent the past two years working intimately with a mid-sized healthcare company (~250,000 members) to meet compliance in HIPAA Privacy and Security. I'm going to reference quite a bit of this conversion, so be prepared for some reading.

Are you a Covered Entity (CE)? If so, then you will have to comply with the HIPAA Security Ruling by April 21. If not, then your CE should be compliant or workings towards compliance, and their Business Associate Agreement (BA) with you will have directives, policies, standards, and verbiage built-in to handle the relationship.

Next.

Quote:

Well, SSL encryption is a start. Yes, passwords will need to be stored using hashes.

Another thing to strongly consider is encrypting any Individually Identifiable Healthcare Information (IIHI). This would include first name, last name, SSN, etc.

Another part of it is access control. You have to make sure that as few people have access to any healthcare information as possible. This means creating a user authentication system that prevents unauthorized persons from getting to the information you're storing.

Yet another issue is physicial access. You want to make sure that your servers are kept under lock and key. You should investigate the security of your servers with your hosting company.

Encryption is an addressable implementation of the technical standard (Ref. 164.312(a)(1) Access Controls) and as far as CMS/HHS are concerned, they do not have this specification quite done yet, nor will they give a solid answer on methodology of encryption. Addressable line items do not have to be completed, however a CE has to use a similar methodology to below in order to, "accept the risk":

“ADDRESSABLE” ACTION ITEMS
If an implementation specification is addressable, a covered entity can:

• Implement, if reasonable and appropriate
• Implement an equivalent measure, if reasonable and appropriate
• Not implement it

I would suggest SSL definitely, but hashing info may be a little far for right now until the specification is refined a few years down the road. Additionally, you aren't protecting any information as YOU know the hash logarithm, ergo you are the gatekeeper and you run the risk of being the first suspect if a compliance issue arises. Moreover, I've found from a plethora of conf calls, meetings, and industry experts, that any encryption storing a key or hash method is not an encryption method. Unless in certain contractual (I.e. BA's) are agreed upon (This can get ugly). Good luck with this one.

Also, other specifications access controls are required and others are addressable. Have methodologies in place for unique user id's and an emergency access policy and procedure (This allows for access to the data in an emergency situation) but not much more is required to meet this spec by the deadline.

Most of the physical req's are also addressable, be sure just to make sure that your ISP or dedicated is on a card scan or lock and key system, document this with some policies and you are good to go. Dedicated server with vulnerability scanning, patch management and a dedicated security person reviewing this information is the way to go to be completely compliant with the administrative safeguards, however your situation may not allow for this implementation. Which is ok, HIPAA is flexible, and that is what drives this industry (healthcare) mad.

CE's can be fined, as of right now, a maximum of up to 25,000 per year. That's it. If you are not a CE, you are basically a terrorist and will receive some pretty hefty fines and jail time, irregardless of the BA in place or measures taken to be compliant. The rule looks big and nasty but the key is, right now, policy and standards work. 80% of the Security specification is policy and procedure, and remember: the ruling is flexible so that smaller companies can meet compliance.

If you are employed by a CE, don't worry to much unless under administrative specification 164.308(a)(2), your CE names you as the sole responsibility.
If you are a contractor and are separate from a CE, here is what I would suggest:

1) Get a lawyer, in addition to your general business lawyer. A good one. With lots familiarity with the rulings.

2) Hiring a third-third party company to complete a HIPAA Compliance assessment (Risk Analysis) on your applications before deployment. Hopefully, you've worked this into the contract with the CE.

3) Based on findings, perform audit of complete Security Rule. Define which risks you will accept, why, and the ones you'll address.

4) Re-write application.

5) Cry a little. Realize that you are a man and you shouldn't be crying.

6) Lawyer review. Client Review. Lawyer review. Client Review. Lawyer review. Client Review. Lawyer review. Client Review. Lawyer review. Sign-Off.

That’s it for today, it is almost 5 and I’ve double-dipped the past hour writing this up. Enjoy!
I am enjoying this post, please keep it going!

[davidjmedlock]

Good post, oneclick.

I've found that, unfortunately, much of the HIPAA verbiage is vague and doesn't give much direction, much like this statement:

Quote:

Implement, if reasonable and appropriate
Implement an equivalent measure, if reasonable and appropriate
Not implement it

That seems to say that you can basically do whatever you want...

I think I'll be looking into a HIPAA training camp soon...

[oneclicksolution]

lol..
That is the problem with HIPAA, you basically can DO whatever you want, unless you are audited and they find something wrong. Then THEY determine your fine.

Be wary of many of those camps right now from a non-accrediated company. Many of these companies providing the camps do not know anymore than than a person interpreting the rule for the first time, and their course offerings are a textbox overview of the rule. SANS offers some good courses, but they are pricey.

I've found that adopting/researching an ITIL or ITM program helps to understand the principles behind HIPAA and *their* thinking. ISO17799 or BS7799 are good ones.

[davidjmedlock]

I looked at trainingcamp.com (I think is that address). They are a HIPAA Academy partner.

I'll look into those others you mentioned.

How are audits determined? Do they just randomly pick out of the blue, or is there a methodolgy? Or do they just look for those they suspect might be non-compliant?

I guess the key is to try and cover your bases thoroughly, make sure your application is as secure as you can get it.

[oneclicksolution]

Audits? No one knows yet. I was on a conf call about mid. January with the CMS folks and that came up as a question. No answer. They are to be determined. Whatever that means, who really knows. The worst/funny part is that, under the administrative ruling, there is an accredidation section in which, from my research, requires a CE to be accredited for HIPAA Security Compliance. CMS answer: At this point in time, there are none, however we are looking into this. In fact, that was their answer for the majority of the questions. Unbelieveable.

Good job CMS/HHS, good job. Bravo. I hope at least the Sarbanes-Oxley OR Grahams-Bliley Folks have their ruling a little more defined.

Quote:

I guess the key is to try and cover your bases thoroughly, make sure your application is as secure as you can get it.

That is absolutely correct. Document, document, document, secure what you can afford, and state as to why you are not as secure as fort knox (risk acceptance).

[mcsolas]

Why wait till step 5 to start crying ? I am already! Ahh..

Quote:

First off, MCsolas, I hope that these sites are yours (I.e. Not Contracted) and you "own" the connections that they will be placed on, otherwise you might be in some grey area. Secondly, I'm not lawyer, so use this opinion as your own risk however I have spent the past two years working intimately with a mid-sized healthcare company (~250,000 members) to meet compliance in HIPAA Privacy and Security. I'm going to reference quite a bit of this conversion, so be prepared for some reading.

Are you a Covered Entity (CE)? If so, then you will have to comply with the HIPAA Security Ruling by April 21. If not, then your CE should be compliant or workings towards compliance, and their Business Associate Agreement (BA) with you will have directives, policies, standards, and verbiage built-in to handle the relationship.

Well this site is not mine. Nor am I under contract. If I had to speficy the nature of my role, its more of an outside consultant and web developer for the presentational aspects of a much bigger business.
So to say if I am a CE or not, I had to find out a little more to answer that question.

Quote:

Covered Entities and Protected Health Information Pursuant to HIPAA, the Department of Health and Human Services issued regulations limiting the ability of "covered entities" (CE) to use and disclose "protected health information" (PHI). Generally, HIPAA requires CE to insure the confidentiality, integrity and availability of all electronic PHI the covered entity creates, receives, maintains or transmits.

In general, CE are entities involved in health care operations, medical research and patient services. If an entity is classified as a CE, then the entity must follow strict rules regarding the use and disclosure of electronic PHI. While electronic PHI is the specific focus of HIPAA, HIPAA still requires appropriate security for all PHI, regardless of its format. Text Source

To answer your question in HIPAA's vague verbage:
I am maybe not but kind of close to being almost an unofficial CE.
Translation: I still have no idea.


The good news is that we have an excellent lawyer and I will ask how much I would be responsible for and we are already looking for an expert in this area .. so hopefully I can find someone else to be in the pressure cooker if we get audited. I am simply not good enough at this to claim that I could build a hipaa compliant system ( I am trying to do what I can ) but I told them this today and they understood after looking into it themselves.

[davidjmedlock]

Ladies and gents, the US Government hard at work providing absolutely nothing of value to anyone at this point in time. ("But we will do something soon.")

Excellent posts, oneclick. Drop me an email and let's stay in touch in the future. We may have opportunities to work together at some point in time.

MCSolas, hope this info has helped. oneclick summed it up very well:

Quote:

Document, document, document, secure what you can afford, and state as to why you are not as secure as fort knox (risk acceptance).

Keep in touch and let me know if you have other questions on the CF development side of things...

[Technosailor]

Well HIPAA is sorta up my alley. (Not as much as oneclick, but I've worked for CMS and Navy Medicine). There have been breaches and hard lessons learned along the way.

Let me repeat, underscore, emphasize things already said:

1. You MUST be on a dedicated server as access control MUST be tight and theres no way to guarantee access control on a shared server.
2. If the server is colocated or is leased as a dedicated server, you run into sticky situations. You cannot let ANYONE work on that server who isn't authorized to do so, including junkie data center techs. You must know at all times who is accessing that data or who may access that data. I recommend that you setup a server in-house and lock it up.
3. There MUST be some measure of secure authentication before any info is provided... preferrably multiple layers.
4. Treat HIPAA sensitive info as top secret classified eyes-only. Super secret CIA spooks will swoop in on you in the middle of the night if you aren't compliant. Better get a copy of Catcher in the Rye
5. Find another way to rtefer to patients than social security numbers. Create your own identifiers. Whatever. But SSNs should never be used. Even over SSL.

[davidjmedlock]

Quote:

Originally Posted by MCsolas

Why wait till step 5 to start crying ? I am already! Ahh..

Well this site is not mine. Nor am I under contract. If I had to speficy the nature of my role, its more of an outside consultant and web developer for the presentational aspects of a much bigger business.
So to say if I am a CE or not, I had to find out a little more to answer that question.


To answer your question in HIPAA's vague verbage:
I am maybe not but kind of close to being almost an unofficial CE.
Translation: I still have no idea.


The good news is that we have an excellent lawyer and I will ask how much I would be responsible for and we are already looking for an expert in this area .. so hopefully I can find someone else to be in the pressure cooker if we get audited. I am simply not good enough at this to claim that I could build a hipaa compliant system ( I am trying to do what I can ) but I told them this today and they understood after looking into it themselves.

Yeah, I would get your client to work with a lawyer who has healthcare and HIPAA experience and make sure that the client pays the lawyer to cover your butt as well. It's only reasonable.