Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona Hoffman School of Law Case Western Reserve University Cleveland, Ohio 44106
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Addresses both health insurance reform and “administrative simplification” Portability reforms protect health insurance coverage for workers when they change or lose their jobs
HIPAA Administrative Simplification Provisions Electronic Transactions and Code Sets National Provider Identifiers Privacy Standards Security Standards Civil Money Penalties
Entities Covered by HIPAA Standards Health care providers Health plans (payers) Health care clearinghouses
Effects of HIPAA on Electronic Data Interchange in Health Care Industry Brought substantial uniformity to EDI, though interoperability problems persist Generated concern about compliance with security standards Gave rise to important new model for interactions between covered entities
Provider-Clearinghouse*-Payer Model
Security Threats in the PC*P Model External threats Hacking, interception, deception, denial of service, etc. by outsiders Internal threats Abuse of authorized access to electronically protected health information (EPHI) by covered entities, their employees, or business associates
Meta-Threat: A Market in Illicitly- Obtained EPHI EPHI potentially has great value to outsiders, e.g., Marketers Employers Insurers Blackmailers Once EPHI is dispersed Internet, it cannot be recovered Harm is potentially unlimited Not adequately addressed by HIPAA Only partially addressed by other laws
HIPAA Security Standards Intended to ensure confidentiality, integrity, and availability of EPHI Define administrative, physical, and technical safeguards Emphasize technological neutrality at the expense of specificity C.E. must implement “reasonable and appropriate” policies and procedures to comply with the standards and must document these
Implementation Specifications May be “required” or “addressable” C.E. may implement an alternative to addressable spec or choose not to implement either spec or alternative Decision is based on analysis of risks, costs, available resources Must document rationale
HIPAA Safeguards Against Insider Threats Administrative safeguards Workforce security policy Workforce sanctions Security training Access authorization policy Periodic evaluation Information system activity review Business associate contracts
HIPAA Safeguards Against Insider Threats (2) Physical safeguards Facility access controls Device and media controls
HIPAA Safeguards Against Insider Threats (3) Technical safeguards Access control Unique user identification Encryption Audit controls Integrity controls Person or entity authentication
Limitations of HIPAA Safeguards Employees with legitimate access to EPHI can easily provide it to outsiders or modify it No technical restrictions on employees’ ability to distribute or modify EPHI are specified Form of audit controls is not specified Addressed primarily by deterrents Dismissal Employer sanctions Fines Imprisonment
Recommended Mandatory Implementation Specifications Employees must be prevented technically from electronically distributing or modifying EPHI except as required for essential business reasons Employees who normally process EPHI must not have system administration privileges Each transfer or modification of EPHI must be securely and permanently logged Actors strongly identified Relevant items identified
Implications of the Recommendations Most employees handling EPHI must use restricted hardware and software Hardware, software, and administrative support for “dual-key” system administration is required
Preventing Trafficking in Illicitly Obtained EPHI Requires combination of technical and legal means Proposals: Regulate all entities that handle EPHI Require that such entities be able to prove the provenance and authenticity of EPHI they have handled Require use of strong identification and data integrity validation
HIPAA Enforcement Provisions