
HIPAA Compliance and Smart Cards: Solutions to Privacy and Security Requirements

Publication Date: September 2003

Pages: 47

Executive Summary

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) affects health care organizations in two ways: first, by strongly encouraging the conversion of paper-based health care information systems to electronic systems, and second, by mandating that the design and implementation of the electronic systems guarantee the privacy and security of patient information gathered as part of providing health care. To achieve HIPAA compliance, health care organizations must implement physical, technical, and administrative safeguards that ensure the integrity and security of health care information.

Multiple Technologies Are Used to Meet HIPAA Requirements

Historical requirements for protecting facility access mean that multiple techniques are candidates for fulfilling the HIPAA requirement to safeguard information physically. The rise of the Internet has led to the development and use of numerous technologies, such as firewalls, smart cards, virtual private networks (VPNs), public key cryptography, and other standards-based encryption technologies that can satisfy the requirement to safeguard electronic information. An appropriate safeguard must also support the provision of fast, efficient, and appropriate medical care and allow institutions to meet their need to track patients, verify patient eligibility, and bill appropriate entities for appropriate amounts. Additional considerations include concern for the patient experience and the experience of the health care provider, for whom the system is a secondary consideration and ease of use is critical.

Smart Cards Represent an Excellent Solution for HIPAA Compliance and Support New Applications That Improve Medical Care

The presence of processing capability and memory in a smart card, along with the smart card’s ability to support multiple applications, makes smart cards an efficient and flexible mechanism that can help organizations achieve HIPAA compliance while meeting the goals of patients and practitioners. Smart cards have a unique ability to make information access easier for users while at the same time enforcing the more robust security policies that health care organizations must adopt to bring their environments into HIPAA compliance. Smart cards can represent an excellent solution to an organization’s multiple physical and electronic security requirements. Systems that use smart cards as the identity token and secure data carrier have unique benefits.

Health care organizations worldwide are implementing smart health cards. With the appropriate security architecture, smart cards can be a very valuable tool to providers, insurers, and patients alike. They can be an instrumental component of any system that is designed to ensure compliance with HIPAA regulations, as well as supporting new applications that deliver clinical and administrative benefits.

About This Report

This report was developed by the Smart Card Alliance to describe how smart cards can be used to meet HIPAA Security Rule and Privacy Rule requirements. Designed as an educational overview for decision makers, it summarizes the HIPAA privacy and security requirements, provides an overview of how smart cards work, describes how smart cards can be used to support HIPAA compliance and implement other health care applications, and outlines key implementation success factors. The report also includes profiles of smart health card implementations, including the University of Pittsburgh Medical Center, Mississippi Baptist Health Systems, and the French, German, and Taiwanese health cards.

This report provides answers to commonly asked questions about the use of smart cards as health care cards, such as:

If you would like to join the task force, please contact info@smartcardalliance.org.