Data Transmissions under HIPAA

AMBA's View on Transmitting Data Through Electronic Media

Release Date: 3/12/02
From: AMBA

Under what circumstances is transmitting protected health information required to meet HIPAA regulations?

It is AMBA's interpretation that any health information that is sent to or received by a healthcare provider using any form of electronic media must meet the security standard under the HIPAA regulations, and that this includes using password protection and encryption. Use of electronic signatures is not mandated by HIPAA.

Electronic media is the method or mode of electronic transmission. It includes the Internet (wide open), an extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media.

Under § 142.306, Rules for the security standard, an entity must apply the security standard described in § 142.308 to all health information pertaining to an individual that is electronically maintained or electronically transmitted.

There are four main areas you must address to be compliant with HIPAA regarding the security of data transmissions:

1. User Authentication
2. User Authorization
3. Data Security
4. Access Accountability

User authentication requires a user (provider or biller) to enter a valid user name and password before access to the system is granted.

User authorization is controlled by the system administrator: access to a system is allowed only through the permissions specified and set up by the administrator, thus giving the administrator control over which users access a system or its data.

To maintain the security of the system data you must assess the potential risks and vulnerabilities to the individual health data and develop, implement, and maintain appropriate security measures. These measures must be documented and kept current. That means you must have documented policies and procedures for the routine and non-routine receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information. For more information on maintaining security, visit http://www.hipaaprivacyworkgroups.com/Regs/Part142/308.htm

Access accountability requires you to keep and maintain an internal audit (an in-house review of the records of system activity, such as logins, file accesses, and security incidents) of data accessed and/or transmitted. In other words: who is accessing the data, and under what circumstances? How often is the data accessed, and what method is used to access it?

If you are providing reports to physicians through electronic media, or allowing a provider to access your system to obtain a report, you must apply the security standards under CFR (Code of Federal Regulations) Part 142. These requirements apply if you are using any method to transmit or send health information to a provider, or if you are allowing a provider to access your system to download reports containing health information. Any method of transmitting or allowing access includes pcAnywhere or similar software that allows you to send or receive health information.

Encryption and password protection should be included in pcAnywhere v. 10 and above; however, if you don't have that capability, you might want to look into buying a PGP (Pretty Good Privacy) encryption program. You can learn more about PGP by searching for that keyword on the Internet.

Questions should be addressed to AMBA at amba@webcom.com
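The four areas the advisory lists, carried through in working code as an added example (this is not AMBA's code and does not come from the page). It models a billing system that lets a provider download a report: user authentication with a salted, hashed password check, user authorization through permissions the administrator sets, and access accountability through an audit log that can answer the advisory's questions (who accessed the data, how often, and by what method). Data security in transit is left to the encryption tooling the text mentions (pcAnywhere, PGP), so no encryption is shown here. The ReportSystem class, the PBKDF2 parameters, the user names, report id and report content are all assumptions constructed for illustration.

```python
"""Authentication, authorization and access accountability for report downloads.

Added illustration; not AMBA's code. Everything below (class names, report ids,
user names, sample report text, PBKDF2 work factor) is constructed for the example.
"""
import hashlib
import hmac
import os
import time
from collections import Counter
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000  # assumption: a work factor that is cheap for one login, costly for guessing


class AccessDenied(Exception):
    """Raised when authentication or authorization fails; the attempt is still logged."""


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so the user table never stores a reusable secret."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class ReportSystem:
    """Hypothetical billing system from which providers download health-information reports."""
    clock: callable = time.time
    users: dict = field(default_factory=dict)        # user name -> (salt, digest)
    permissions: dict = field(default_factory=dict)  # user name -> set of report ids (set by admin)
    reports: dict = field(default_factory=dict)      # report id -> content (constructed sample data)
    audit_log: list = field(default_factory=list)    # one record per access attempt, success or not

    def _record(self, user, action, target, method, outcome):
        self.audit_log.append({"when": self.clock(), "who": user, "action": action,
                               "target": target, "method": method, "outcome": outcome})

    # --- administrator functions -------------------------------------------------
    def add_user(self, name, password):
        self.users[name] = hash_password(password)
        self.permissions.setdefault(name, set())

    def grant(self, admin, name, report_id):
        """Authorization is decided by the administrator, and that decision is itself logged."""
        self.permissions.setdefault(name, set()).add(report_id)
        self._record(admin, "grant", f"{name}:{report_id}", "console", "ok")

    # --- provider-facing function ------------------------------------------------
    def fetch_report(self, name, password, report_id, method):
        # 1. User authentication: a valid user name and password before any access.
        creds = self.users.get(name)
        if creds is None or not verify_password(password, *creds):
            self._record(name, "fetch", report_id, method, "auth-failed")
            raise AccessDenied("authentication failed")
        # 2. User authorization: only the reports the administrator permitted.
        if report_id not in self.permissions.get(name, set()):
            self._record(name, "fetch", report_id, method, "not-authorized")
            raise AccessDenied("not authorized for this report")
        # 3. Access accountability: successful access is logged as well.
        self._record(name, "fetch", report_id, method, "ok")
        return self.reports[report_id]

    # --- the questions the advisory says the audit must answer ------------------
    def access_summary(self, report_id):
        """Who accessed the report, how often, by what method, and which attempts failed."""
        hits = [e for e in self.audit_log if e["action"] == "fetch" and e["target"] == report_id]
        return {
            "by_user": Counter(e["who"] for e in hits if e["outcome"] == "ok"),
            "by_method": Counter(e["method"] for e in hits if e["outcome"] == "ok"),
            "failed_attempts": [(e["who"], e["outcome"]) for e in hits if e["outcome"] != "ok"],
        }


def demo():
    """Walk through one permitted download and two refused ones, then query the audit log."""
    system = ReportSystem()
    system.reports["RPT-2002-03"] = "constructed sample: claims summary for Dr. Example"
    system.add_user("dr_example", "correct horse battery staple")
    system.add_user("biller_jo", "another-passphrase")
    system.grant("admin", "dr_example", "RPT-2002-03")  # administrator permits one provider

    results = {"denied": []}
    results["ok"] = system.fetch_report("dr_example", "correct horse battery staple",
                                        "RPT-2002-03", "https")
    for user, pw in [("dr_example", "wrong password"), ("biller_jo", "another-passphrase")]:
        try:
            system.fetch_report(user, pw, "RPT-2002-03", "pcAnywhere")
        except AccessDenied as exc:
            results["denied"].append(str(exc))  # refused, but still on the audit trail
    results["summary"] = system.access_summary("RPT-2002-03")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the audit-log design is that refusals are recorded alongside successes: a review of the records can then show not only who legitimately downloaded a report and how, but also repeated failed logins or requests for reports a user was never granted, which are the security incidents the advisory expects the in-house review to surface.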