DHHS proposes security, electronic signature standards

October 1, 1998



Rules would affect PACS and teleradiology users

As healthcare institutions began to implement electronic medical record systems, privacy concerns led to a Congressional mandate for electronic data security standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In response to this mandate, the Department of Health and Human Services has proposed electronic health data security standards, designed to protect all electronic health information from loss of records or improper access or alteration.

Published in the Federal Register on Aug. 12, the proposed rules provide technical guidance as well as administrative requirements for those who use electronic health information and medical records. All health plans, healthcare providers, and healthcare clearinghouses that transmit health information electronically would be required to maintain responsible and appropriate safeguards to ensure the integrity and confidentiality of the information, according to DHHS.

The regulations would require PACS and teleradiology users to implement a security protection program, if they haven't already, said Thomas Greeson, a lawyer with Hazel & Thomas in Falls Church, VA, and previously general counsel for the American College of Radiology. Greeson discussed the ramifications of the standard at the Diagnostic Imaging 1998 healthcare conference, How to Buy, Use, and Succeed with PACS, which was held in Dallas on Sept. 14 and 15.

"This will not just be a recommendation, but ultimately a requirement for institutions that transmit individual patient records electronically," he said. "DHHS will have the power to enforce the regulations by imposing penalties."

The proposed rules neither delineate nor advocate the use of a specific technology, nor do they spell out the exact procedure required to meet the privacy standards. Instead, they provide a framework for institutions to assess their security needs and develop a security program suited to their respective situations.

As part of meeting the required security standard, healthcare organizations should adopt organizational practices that address security and confidentiality policies, information security officers, education and training programs, and sanctions, according to the DHHS. Technical practices and procedures should also be implemented, such as individual authentication of users, access controls, audit trails, physical security, and disaster recovery procedures. Protection of remote access points, as well as of external electronic communications, should also be provided for. Software discipline and system assessment must also be maintained, according to the agency.

If users have employed digital signature technology, properties such as message integrity, nonrepudiation, and user authentication must be maintained, according to the proposed rules. The comment period for the proposed regulations ends Oct. 13. Under HIPAA, Congress is given until August 1999 to enact privacy protections. If Congress has not acted by then, the secretary of DHHS is authorized to implement privacy protections by regulation. A final rule, however, is not expected to be enacted until 2000.
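The three properties the proposed rules attach to digital signatures (message integrity, nonrepudiation, and user authentication) all come from one check: a signature verifies only if the record is byte-for-byte unchanged and was produced with the private key matching the signer's public key. The following is an added example, not code from the article, DHHS, or HCFA; the rules name no algorithm, so the choice of Ed25519 from Go's standard library is an assumption, and the report record is a constructed sample. It signs a record, then shows that an altered record and a record checked against a different radiologist's key both fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// SignedRecord bundles a record with the signer's public key and a detached
// signature, the shape a PACS or teleradiology message might carry.
type SignedRecord struct {
	Record    []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// SignRecord produces an Ed25519 signature over the exact record bytes.
// Only the holder of priv can produce it, which is what nonrepudiation rests on.
func SignRecord(priv ed25519.PrivateKey, record []byte) SignedRecord {
	return SignedRecord{
		Record:    append([]byte(nil), record...),
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, record),
	}
}

// VerifyRecord checks integrity (the record is unchanged) and origin (it was
// signed with the private key matching pub). The caller must obtain pub
// through a trusted path, e.g. a certificate, for the check to authenticate
// a specific user; the verifier never trusts the key carried in the message.
func VerifyRecord(pub ed25519.PublicKey, sr SignedRecord) bool {
	return ed25519.Verify(pub, sr.Record, sr.Signature)
}

// Demo runs the checks a reviewer would want to see and returns whether the
// genuine record verifies, whether a tampered copy verifies, and whether the
// record verifies against a different signer's key.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	pubA, privA, err := ed25519.GenerateKey(rand.Reader) // reporting radiologist
	if err != nil {
		return
	}
	pubB, _, err := ed25519.GenerateKey(rand.Reader) // a different user's key
	if err != nil {
		return
	}

	// Constructed sample record; not real patient data.
	record := []byte(`{"patient_id":"TEST-0001","study":"chest-ct","finding":"no acute process"}`)
	sr := SignRecord(privA, record)
	genuine = VerifyRecord(pubA, sr)

	// Integrity: changing one field invalidates the signature.
	altered := sr
	altered.Record = []byte(`{"patient_id":"TEST-0001","study":"chest-ct","finding":"acute process"}`)
	tampered = VerifyRecord(pubA, altered)

	// Authentication: the signature does not verify under another user's key.
	wrongKey = VerifyRecord(pubB, sr)
	return
}

func main() {
	g, t, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine verifies:", g)
	fmt.Println("tampered verifies:", t)
	fmt.Println("wrong key verifies:", w)
	fmt.Println("signature length (bytes):", ed25519.SignatureSize, "example hex prefix:", hex.EncodeToString([]byte("sig"))[:4])
}
```

Binding the public key to a named user is the part the code cannot do on its own; that is the role of the certificate-based authentication HCFA's draft lists, and an audit trail should record which key verified each record.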

The DHHS security standards are not the only agency action of note to PACS and teleradiology users. The Health Care Financing Administration has assembled draft policy and guidelines for protecting the privacy of patient information transmitted over the Internet.

In the draft, the agency states that patient information sent over the Internet must be accessed only by authorized parties, and that technologies that allow users to prove their identity must be used. The use of encryption to avoid inappropriate disclosure or modification of data must also be employed, according to the document.

Acceptable encryption approaches described in the document include hardware encryptors and software-based encryption, such as Secure Sockets Layer (SSL), S-MIME, in-stream encryption, and off-line encryption techniques. HCFA believes that acceptable Internet authentication procedures include authority-based use of digital certificates, locally managed digital certificates, self-authentication (using private keys), and smart cards.