HCFA may soon replace its Internet-based medical information ban with a flexible set of operating guidelines and security requirements.
The draft of its new policy, released earlier this month to healthcare information technology industry representatives, is subject to final approval by Gary Christoph, HCFA's chief information officer. The draft would become policy immediately upon Christoph's approval, which industry leaders predict could come in two to four weeks.
Healthcare organizations and information technology vendors have been calling for a swift update of HCFA's Internet stance, criticizing the current policy as behind the times and at cross-purposes with government and industry objectives of reducing healthcare costs (June 8, p. 12).
Despite improvements in security measures, such as information encryption and sophisticated methods to identify senders, a memo issued last year by the New York regional HCFA office said that no technological methods could adequately protect transmissions of data that could identify individuals.
"As a result, any activities using the Internet or an unsecured internal network (to transfer individual health information) must cease immediately," declared the memo, which started the debate over the Internet's use.
But while the policy broadly banned transmission of data protected under the Federal Privacy Act of 1974, it did not specify the types of information banned, adding uncertainty to industry research and development.
The final draft of the new policy outlines the types of data covered by the Internet policy and provides examples of each (See chart). The draft also permits transmitting that information over the Internet and lists a number of methods HCFA considers acceptable for scrambling the data and authenticating the transmission.
The Center for Healthcare Information Management, which had prodded HCFA to overturn the Internet prohibition, said it was pleased with the result. "They've reached out to the industry, and we're very comfortable with it," said Bradley Casemore, deputy director of Ann Arbor, Mich.-based CHIM, which represents about 100 information technology vendors and consulting firms.
Casemore credited HCFA for recommending methods for encrypting and authenticating the data, rather than merely issuing bans.
The draft provides the flexibility needed to meet the changing challenges of the Internet. It outlines state-of-the-art methods that will be recognized as minimally acceptable to protect information, while asserting that those minimum levels could rise "when deemed necessary by advances in techniques and capabilities associated with the process used by attackers to break encryption."
Encryption employs complex scrambling formulas and long strings of digits, called keys, to allow access only to authorized people.
"Encryption must be at a sufficient level of security to protect against the cipher being readily broken and the data compromised," the draft states.
"The length of the key and the quality of the encryption framework and algorithm must be increased over time as new weaknesses are discovered and processing power increases," it says.
The draft establishes four high-tech methods to determine the identities of those who send sensitive patient data over the Internet. But it also allows traditional exchanges of identities and passwords by phone, certified mail, bonded messenger, smart cards and direct personal exchange.
Organizations that want to use the Internet would have to announce their intent to HCFA's division of enterprise standards through written correspondence or e-mail. Casemore said the organizations would not need to submit a security plan before their use of the Internet, but HCFA could audit to verify adherence to its new requirements.