HIPAA Compliance and Smart Cards: Solutions to Privacy and Security Requirements
Publication Date: September 2003
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) affects health care organizations in two ways: first, by strongly encouraging the conversion of paper-based health care information systems to electronic systems, and second, by requiring that those electronic systems be designed and operated to protect the privacy and security of the patient information gathered in the course of providing care. To achieve HIPAA compliance, health care organizations must implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of health care information.
Multiple Technologies Are Used to Meet HIPAA Requirements
Physical protection of facilities predates HIPAA, so a range of established access control techniques are candidates for fulfilling the requirement to safeguard information physically. The rise of the Internet has led to the development and widespread use of technologies for safeguarding electronic information, such as firewalls, virtual private networks (VPNs), public key cryptography and other standards-based encryption, and smart cards. A safeguard is only appropriate if it also supports the delivery of fast, efficient, and appropriate medical care and lets institutions track patients, verify patient eligibility, and bill the right entities for the right amounts. Additional considerations are the experience of the patient and the experience of the health care provider, for whom the security system is secondary to clinical work, so ease of use is critical.
Smart Cards Represent an Excellent Solution for HIPAA Compliance and Support New Applications That Improve Medical Care
A smart card's on-card processor and memory, together with its ability to host multiple applications, make it an efficient and flexible mechanism that can help organizations achieve HIPAA compliance while meeting the needs of patients and practitioners. Smart cards can make information access easier for users while at the same time enforcing the stronger security policies that health care organizations must adopt to bring their environments into HIPAA compliance, and a single card can address an organization's physical and electronic security requirements together. Systems that use a smart card as the identity token and secure data carrier offer the following benefits.
- Smart cards simplify access management by binding access to a single credential, helping ensure that users follow established security policies.
- Smart cards are a familiar form factor that can be used for both physical access to facilities and logical access to information on personal computers and networks.
- Smart cards can help enforce access control to health information, providing support for both user authentication and encryption of data on the card and during transmission.
- Smart cards can store health information on the card, performing as secure portable data carriers that are under the control of the patient and the health care professional.
- Smart cards, with on-card processing and the ability to use standards-based cryptography, can enforce the privacy and security policies set by the health care organization and so support compliance with strong privacy requirements.
- Smart cards provide a feature-rich platform for health care organizations to implement new applications that improve access to and convenience of medical care.
Health care organizations worldwide are implementing smart health cards. With the appropriate security architecture, smart cards can be a very valuable tool to providers, insurers, and patients alike. They can be an instrumental component of any system designed to ensure compliance with HIPAA regulations, while also supporting new applications that deliver clinical and administrative benefits.
About This Report
This report was developed by the Smart Card Alliance to describe how smart cards can be used to meet HIPAA Security Rule and Privacy Rule requirements. Designed as an educational overview for decision makers, it summarizes the HIPAA privacy and security requirements, provides an overview of how smart cards work, describes how smart cards can be used to support HIPAA compliance and implement other health care applications, and outlines key implementation success factors. The report also includes profiles of smart health card implementations, including the University of Pittsburgh Medical Center, Mississippi Baptist Health Systems, and the French, German, and Taiwanese health cards.
This report provides answers to commonly asked questions about the use of smart cards as health care cards, such as:
- What requirements do the HIPAA Security Rule and Privacy Rule impose on health care providers, insurers, and patients?
- How do smart cards work?
- How can smart cards help health care organizations fulfill the HIPAA requirements?
- What capabilities do smart cards provide for clinical and administrative benefits that extend beyond HIPAA requirements?
- What can we learn from organizations that are currently using smart cards as health care cards?
- What considerations are important to the successful implementation of a system that uses smart cards as health care cards?
If you would like to join the task force, please contact [email protected].