Access Control Security System



             


Monday, May 5, 2008

Medical Billing, HIPAA Compliance, and Role Based Access Control

HIPAA compliance requires special focus and effort as failure to comply carries significant risk of damage and penalties. A practice with multiple separate systems for patient scheduling, electronic medical records, and billing, requires multiple separate HIPAA management efforts. This article presents an integrated approach to HIPAA compliance and outlines key HIPAA terminology, principles, and requirements to help the practice owner to ensure HIPAA compliance by medical billing service and software vendors.

The last decade of the previous century witnessed accelerating proliferation of digital technology in health care, which, along with reduced costs and greater service quality, introduced new and greater risks for accidental disclosure of personal health information.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by Congress to establish national standards for privacy and security of personal health data. The Privacy Rule, written by the US Department of Health and Human Services, took effect on April 14, 2003.

Failure to comply with HIPAA risks accreditation and reputation damage, lawsuits by the federal government, financial penalties ranging from $100 to $250,000, and imprisonment ranging from one year to ten years.

Protected Health Information (PHI)

The key term of HIPAA is Protected Health Information (PHI), which includes anything that can be used to identify an individual and any information shared with other health care providers or clearinghouses in any media (digital, verbal, recorded voice, faxed, printed, or written). Information that can be used to identify an individual includes:

  1. Name
  2. Dates (except year)
  3. Zip code of more than 3 digits, telephone and fax numbers, email
  4. Social security numbers
  5. Medical record numbers
  6. Health plan numbers
  7. License numbers
  8. Photographs

Information shared with other healthcare providers or clearinghouses

  1. Nursing and physician notes
  2. Billing and other treatment records

Principles of HIPAA

HIPAA intends to allow smooth flow of PHI for healthcare operations subject to patient's consent but prohibit any flow of unauthorized PHI for any other purposes. Healthcare operations include treatment, payment, care quality assessment, competence review training, accreditation, insurance rating, auditing, and legal procedures.

HIPAA promotes fair information practices and requires those with access to PHI to safeguard it. Fair information practices means that a subject must be allowed

  1. Access to PHI,
  2. Correction for errors and completeness, and
  3. Knowledge of others who use PHI

Safeguarding of PHI means that the persons that hold PHI must

  1. Be accountable for own use and disclosure
  2. Have a legal recourse to combat violations

HIPAA Implementation Process

HIPAA implementation begins with making assumptions about the PHI disclosure threat model. The implementation includes both pre-emptive and retroactive controls and involves process, technology, and personnel aspects.

A threat model helps in understanding the purpose of the HIPAA implementation process. It includes assumptions about

  1. Threat nature (accidental disclosure by insiders? access for profit?),
  2. Source of threat (outsider or insider?),
  3. Means of potential threat (break in, physical intrusion, computer hack, virus?),
  4. Specific kind of data at risk (patient identification, financials, medical?), and
  5. Scale (how many patient records threatened?).

HIPAA process must include clearly stated policy, educational materials and events, clear enforcement means, a schedule for testing of HIPAA compliance, and means for continued transparency about HIPAA compliance. Stated policy typically includes a statement of least privilege data access to complete the job, definition of PHI and incident monitoring and reporting procedures. Educational materials may include case studies, control questions, and a schedule of review seminars for personnel.

Technology Requirements for HIPAA Compliance

Technology implementation of HIPAA proceeds in stages from logical data definition to physical data center to network.

  1. To assure physical data center security, the manager must
    1. Lock data center
    2. Manage access list
    3. Track data center access with closed circuit TV cameras to monitor both internal and external building activities
    4. Protect access to data center with 24 x 7 onsite security
    5. Protect backup data
    6. Test recovery procedure

  2. For network security, the data center must have special facilities for
    1. Secure networking - firewall protection, encrypted data transfer only
    2. Network access monitoring and report auditing

  3. For data security, the manager must have
    1. Individual authentication - individual logins and passwords
    2. Role Based Access Control (see below)
    3. Audit trails - all access to all data fields tracked and recorded
    4. Data discipline - Limited ability to download data

Role Based Access Control (RBAC)

RBAC improves convenience and flexibility of systems management. Greater convenience helps reduce errors of commission and omission in granting access privileges to users. Greater flexibility helps implement the policy of least privilege, where users are granted only as many privileges as required for completing their job.

RBAC promotes economies of scale, because the frequency of changes of role definition for a single user is higher than the frequency of changes of role definitions across the entire organization. Thus, to make a massive change of privileges for a large number of users with the same set of privileges, the administrator only makes changes to the role definition.

Hierarchical RBAC further promotes economies of scale and reduces the likelihood of errors. It allows redefining roles by inheriting privileges assigned to roles in the higher hierarchical level.

RBAC is based on establishing a set of user profiles or roles according to responsibilities. Each role has a predefined set of privileges. The user acquires privileges by receiving membership in the role or assignment of a profile by the administrator.

Whenever the definition of a role changes along with the set of privileges required to complete the job associated with the role, the administrator needs only to redefine the privileges of the role. The privileges of all users that have this role are redefined automatically.

Similarly, if the role of a single user is changed, the only operation that needs to be performed is the reassignment of the user profile, which will redefine the user's access privileges automatically according to the new profile.
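The behaviour described in this section, as an added example that is not part of the original article: a small hierarchical RBAC model in Python with deny-by-default checks and an audit trail. The role, privilege and user names are constructed for illustration.

```python
# Added example: minimal hierarchical RBAC with an audit trail.
# Role, privilege and user names are constructed for illustration.
class RBAC:
    def __init__(self):
        self.role_privs = {}    # role -> privileges granted directly
        self.role_parent = {}   # role -> role it inherits from (or None)
        self.user_role = {}     # user -> assigned role (the "profile")
        self.audit = []         # (user, privilege, allowed) for every check

    def define_role(self, role, privileges, inherits=None):
        if inherits is not None and inherits not in self.role_privs:
            raise ValueError(f"unknown parent role: {inherits}")
        self.role_privs[role] = set(privileges)
        self.role_parent[role] = inherits

    def assign(self, user, role):
        if role not in self.role_privs:
            raise ValueError(f"unknown role: {role}")
        self.user_role[user] = role

    def privileges(self, role):
        """Effective privileges: the role's own plus everything inherited."""
        effective, seen = set(), set()
        while role is not None and role not in seen:  # 'seen' guards against cycles
            seen.add(role)
            effective |= self.role_privs[role]
            role = self.role_parent[role]
        return effective

    def check(self, user, privilege):
        """Deny by default; record every decision in the audit trail."""
        role = self.user_role.get(user)
        allowed = role is not None and privilege in self.privileges(role)
        self.audit.append((user, privilege, allowed))
        return allowed


def demo():
    rbac = RBAC()
    rbac.define_role("staff", {"schedule:read"})
    rbac.define_role("biller", {"claims:read", "claims:submit"}, inherits="staff")
    rbac.define_role("physician", {"emr:read", "emr:write"}, inherits="staff")
    for user in ("alice", "bob"):
        rbac.assign(user, "biller")
    rbac.assign("carol", "physician")
    before = [rbac.check("alice", "emr:read"), rbac.check("bob", "schedule:read")]
    # One change to the role definition reaches every biller at once.
    rbac.define_role("biller", {"claims:read"}, inherits="staff")
    after = [rbac.check(u, "claims:submit") for u in ("alice", "bob")]
    # Reassigning one user's profile changes only that user.
    rbac.assign("bob", "physician")
    return before, after, rbac.check("bob", "emr:read"), rbac.check("alice", "emr:read")
```

Every call to `check` lands in `audit`, including denials, which is the record an access review would start from.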

Summary

HIPAA compliance requires special practice management attention. A practice with multiple separate systems for scheduling, electronic medical records, and billing, requires multiple separate HIPAA management efforts. An integrated system reduces the complexity of HIPAA implementation. By outsourcing technology to a HIPAA-compliant vendor of vericle-like technology solution on an ASP or SaaS basis, HIPAA management overhead can be eliminated (see companion papers on ASP and SaaS for medical billing).

Yuval Lirov, PhD, author of "Mission Critical Systems Management" (Prentice Hall), inventor of multiple patents in artificial intelligence and computer security, and CEO of Vericle.com Billing Technologies. Vericle delivers a comprehensive practice workflow engine that integrates patient scheduling, electronic medical records (EMR), billing, transcription, and compliance management. By consolidating technology for hundreds of separate billing services, Vericle tracks payer performance from a single point of control, shares compliance rules globally, and creates massive economies of scale. Yuval invites you to share your knowledge of medical billing and compliance at BillingWiki.com and register for the next webinar on audit risk at ChiroAudit.com.

Friday, May 2, 2008

Biometric Access Control - Your Finger is the Key to Crime Prevention

Biometric Identification has been around for many years. In the beginning, it was extremely expensive and cost prohibitive and would only be found in the highest security applications. Since 9/11, biometric readers have become increasingly popular and subsequently more cost effective.

Current Biometric Readers include Hand Geometry, Fingerprint, Iris Scan, Passive Facial Recognition, Active Infrared Facial Recognition, Voice Pattern Recognition and blood vessel authentication.

Biometric readers can be stand alone, networked or part of a large P.C. based solution, but no matter which technology is being utilized, each biometric reader will require that a baseline template be provided for comparison purposes. This means a couple of things.

* Each and every person must enroll in the system to create a baseline template
* Every template needs to be stored for comparison either in the computer software or at the reader

The first biometric readers were standalone controllers that stored all of the templates at the reader itself. When a person presented their "credential", whether it was a finger, hand or iris, it needed to be compared to the "template" as stored in the reader. In the case of multiple users, this became a "one to many" comparison and the reader had to search through its library of templates until it found one that matched. In larger systems with multiple users, this could take several seconds before a match was confirmed.

To speed up the process, manufacturers started storing the biometric templates on central computers that could sort through the templates faster and provide a quicker match.

Eventually, someone came up with the brilliant idea that a "one to one" comparison would be much quicker than a "one to many" comparison and require less processing time. Keypads were added to the readers and users were issued Personal Identification Numbers (PINs) that essentially called up their template for an immediate "one to one" comparison.

This simple innovation made biometric readers capable of much faster throughput times and therefore more widely accepted. No longer were there lines at the reader waiting to get in.

Of course, we live in America, and people are very concerned with their personal privacy. An employer storing your biometric information is dangerous, right... Not to mention that storing individual biometric templates on a computer takes up a lot of room on a server.

Security Equipment Manufacturers have solved this dilemma with the advent of smart card technology. Highly popular in Europe and Asia, smart cards are making a strong impact in America. Manufacturers have begun building proximity non-contact type cards that transfer bi-directional data utilizing radio frequency identification (RFID) technology.

Smart cards are in essence read/writable data chips that are used to store and transfer information. Some of them are capable of holding up to 16-kilobits of data that can only be accessed by readers through the use of a 64-bit encrypted "key". This recent innovation provides highly secure credentials for access control systems without the need to store and transfer biometric templates for each person enrolled into the system.

You now enroll and carry your identification templates around with you on your own RFID Proximity Smart Card. The readers download the template from your card and compare it to your fingerprint, Iris, or whatever credential you are using for verification.

If they match, and you have access to the door, it unlocks. You see, your finger really can be the key.
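The three matching modes described above (library search at the reader, PIN-selected template, template carried on the card), as an added example that is not part of the original article. Templates are constructed 16-bit values compared by Hamming distance, and the threshold, PIN and user names are assumptions.

```python
# Added example: 1:N identification vs 1:1 verification of biometric templates.
# Templates are constructed 16-bit integers; real templates are far larger.

THRESHOLD = 2   # assumed: maximum differing bits still counted as a match

def distance(a, b):
    """Hamming distance between two templates."""
    return bin(a ^ b).count("1")

def identify(sample, library):
    """One-to-many: scan the reader's library until a template matches."""
    comparisons = 0
    for user, template in library.items():
        comparisons += 1
        if distance(sample, template) <= THRESHOLD:
            return user, comparisons
    return None, comparisons

def verify_with_pin(sample, pin, pin_index, library):
    """One-to-one: the PIN selects a single stored template to compare against."""
    user = pin_index.get(pin)
    if user is None:
        return None, 0
    ok = distance(sample, library[user]) <= THRESHOLD
    return (user if ok else None), 1

def verify_with_card(sample, card):
    """One-to-one with the template carried on the card; nothing stored centrally."""
    ok = distance(sample, card["template"]) <= THRESHOLD
    return (card["user"] if ok else None), 1

# Constructed enrolment data.
LIBRARY = {"u1": 0b1010101010101010, "u2": 0b1111000011110000,
           "u3": 0b0011001100110011, "u4": 0b0000111111110000}
PINS = {"4471": "u4"}
CARD = {"user": "u4", "template": LIBRARY["u4"]}
SAMPLE = LIBRARY["u4"] ^ 0b1   # fresh scan of u4 with one noisy bit
```

With this data `identify` needs four comparisons to reach `u4`, while the PIN and card paths need one each. The matcher is unchanged across the three modes: only where the template is stored and how it is selected differ.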

Roy Stephenson is a Security Consultant with over 21 Years Experience Designing and Installing High End Integrated Security Systems. He is currently the VP of Marketing at http://www.Security-Kits.Com


Tuesday, April 8, 2008

Access Control List in .NET Framework

Balaji

Once you complete developing a web application, you need to secure it. This is when the aspect of security comes into picture. There will be some portions of your application which need to be secured from users. Securing an application may need extra hardware to build complex multi-layer systems with firewalls, and also some highly secure features. Security enables you to provide access to a specified user after the user is authenticated and authorized to access the resources in your web application. The Access Control List is used in the authorization process.

The basic concepts of security are Authentication, Authorization, Impersonation and Data or functional security. Authentication is the process of identifying a user, so that only that user is provided access to the resources. Authorization is the process of determining whether a particular user can be given access to the resources that the user requests. Impersonation is the process that provides access to resources requested by a user under a different identity. Data or functional security is the process of securing a system physically, updating the operating system and using robust software.

Some elements of an operating system, the Internet Information Server (IIS), and the .NET Framework work in coordination to provide the features required to execute the security concepts mentioned above. For example, Windows 2000 uses its own list of user accounts for identifying and authenticating users. IIS identifies the users based on the information provided by Windows when the users access a web site. After identifying the users, IIS passes this information to ASP.NET. Then the user information is checked for authorization.

To restrict users' access to certain resources of an application, a process of identifying the users becomes a necessity. Authentication restricts a user's access to the resources by certain means: it could be a combination of a username and password, a digital certificate, a smart card or a fingerprint reader. The validity of the information provided by the user helps identify the user, so that the user is provided access to the requested resources. The process of successful identification of the user implies that the user is authenticated.

After identification of the user is over, the next step is to determine whether the authenticated user has access to the resources. The process of determining the access to the resources for a particular user is known as Authorization. In Windows based systems, resources have an Access Control List, which provides a list of users who have access to that resource. The list also specifies the kind of access such as read, write, modify, and delete the resource, for each user. For example, if a user requests an ASP page, the operating system checks whether the user has Read access to the page and if the user has read permission, then the operating system allows the IIS to fetch the page. The IIS has authorization settings which enable the IIS to control the access of resources by users. File Access Control Lists are set for a given file or directory using the Security tab in the Explorer property page.
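The authenticate-then-authorize sequence described above, as an added example that is not part of the original article. It is a simplified Python model, not Windows, IIS or .NET code, and the accounts, passwords and page path are constructed.

```python
# Added example: a simplified model of the authenticate-then-authorize flow.
# Not Windows, IIS or .NET code; users, credentials and paths are constructed.
import hashlib
import hmac
from enum import Flag, auto

class Access(Flag):
    READ = auto()
    WRITE = auto()
    MODIFY = auto()
    DELETE = auto()

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account store: user -> (salt, password hash).
ACCOUNTS = {"alice": (b"s1", _hash("correct horse", b"s1")),
            "bob": (b"s2", _hash("battery staple", b"s2"))}

# Constructed ACLs: resource -> {user: rights granted on that resource}.
ACLS = {"/reports/billing.aspx": {"alice": Access.READ | Access.WRITE,
                                  "bob": Access.WRITE}}

def authenticate(user, password):
    """Return the user name if the credentials are valid, else None."""
    record = ACCOUNTS.get(user)
    if record is None:
        return None
    salt, stored = record
    return user if hmac.compare_digest(_hash(password, salt), stored) else None

def authorize(user, resource, wanted):
    """Deny unless the resource's ACL grants this user every requested right."""
    granted = ACLS.get(resource, {}).get(user, Access(0))
    return (granted & wanted) == wanted

def fetch_page(user, password, resource):
    identity = authenticate(user, password)
    if identity is None:
        return 401   # not authenticated
    if not authorize(identity, resource, Access.READ):
        return 403   # authenticated, but the ACL does not grant Read
    return 200
```

Here `bob` authenticates successfully but holds only Write on the page, so the request stops at the authorization step. A resource with no ACL entry is denied as well.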

To access online version of the above article, go to http://www.dotnet-guide.com/accesscontrol.html

Visit http://www.dotnet-guide.com for a complete introduction to .NET framework. Learn about ASP.NET, VB.NET, C# and other related technologies.
