White Paper
Identity Management and HIPAA Compliance
January 2005
Many industries are today undergoing sweeping changes due to increased governmental regulations that have a dramatic impact on their business processes as well as their IT infrastructure. One of the most important of these regulations is the Health Information Portability and Accountability Act, known as HIPAA. It often requires significant process and technology changes for any healthcare company that manages and processes private health information. A major goal of the HIPAA regulations is to ensure the privacy of any protected health information (PHI) for any individual that is collected, processed, and transmitted between healthcare organizations. Many companies and organizations have been and continue to be impacted by HIPAA. These include healthcare providers (hospitals, group practices), payers (insurance carriers, HMOs), as well as claims clearinghouses, pharmacies, and the like. It is therefore important that the specific requirements of HIPAA, as well as how certain technology solutions can aid you in achieving conformance, are widely understood.

HIPAA specifies a control environment in which organizations can manage their relationships with internal and external users throughout their lifecycle with the company, from initial creation of the user's identity to final access termination. Since most PHI is managed electronically, how this digital information and the related identities are managed becomes a key component of overall HIPAA compliance. eTrust™ Identity Management solutions from Computer Associates International, Inc. (CA) can help you more easily manage your user identities, control access to protected applications and information, and ensure that PHI is available only to properly authorized individuals.
As you plan your HIPAA compliance strategy, you will be faced with issues such as these. eTrust Identity Management solutions can help you efficiently solve these problems:
1. How can I ensure that every user is strongly authenticated and is granted access to only those resources and information that they are authorized to access?
2. How can I protect the confidentiality of my patient information and ensure that it is kept private?
3. How can I audit my access policies, so that I can determine who has been granted access to specific applications or information?
4. How can I create workflow processes so that appropriate management approval is required whenever a user requests access to confidential information?
5. How can I ensure that access to confidential information is terminated immediately when an employee leaves the company?
6. How can I protect confidential information, even across the boundaries of business units within a large corporation, or between corporations themselves?
7. How can I develop procedures for creating and changing passwords, so that my environment has stronger security?
How eTrust Identity Management Can Help You Achieve HIPAA Compliance
HIPAA includes requirements for a range of areas relating to protected health information. The following table lists some of the major requirements, and the capabilities of eTrust products that can support compliance:
HIPAA Requirement: Each user must be uniquely identified before being granted access to confidential information.
eTrust Functionality: Flexible user authentication capabilities that support a range of methods, from passwords to biometric authentication. Methods can be combined for additional security.

HIPAA Requirement: Access to PHI must be restricted to only those persons who need access as part of their role, and the conditions of this access must be clear.
eTrust Functionality: Role-based access management with flexible, fine-grained policies that manage users' access to critical resources and information.

HIPAA Requirement: PHI must be reasonably safeguarded against intentional or inadvertent disclosure.
eTrust Functionality: A centralized, policy-driven identity and access management solution that can administer and enforce access to sensitive applications and data.

HIPAA Requirement: Access to protected resources must be tracked, so that complete access reports can be generated.
eTrust Functionality: Comprehensive auditing and reporting capabilities that provide granular collection and analysis of access information.

HIPAA Requirement: Login attempts must be tracked so that suspicious login attempts can be analyzed and corrective action taken.
eTrust Functionality: Full auditing of all login attempts, as well as all administrative security events, so that all suspicious activity can be monitored.

HIPAA Requirement: Access to protected resources must be terminated quickly when an employee leaves the company.
eTrust Functionality: A flexible user administration capability that provides immediate de-provisioning of users and their access rights.

HIPAA Requirement: A user's session can be terminated after a specific period of inactivity.
eTrust Functionality: Session timeouts and idle timeouts, which can vary based on the sensitivity of the resource being accessed.

HIPAA Requirement: For large corporations, procedures must be implemented to protect the private information of a healthcare entity from access by someone elsewhere in the larger organization.
eTrust Functionality: Centralized access management that protects resources from access by anyone who does not have the proper authorization rights.

HIPAA Requirement: Procedures for creating and managing passwords must be implemented.
eTrust Functionality: Highly flexible Password Management Services that provide significant capabilities to strengthen the security of user passwords.
For more information, call 1- 800-875-9659 or visit ca.com
© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “AS IS” without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. MP276000205