Applied Information Management

Securing e-PHI During Data Exchanges

New technologies and the web help address security threats.

This annotated bibliography summarizes thirty references published between 2000 and 2011 that examine ways to ensure the confidentiality, integrity, and availability of electronic protected health information (e-PHI) during data transmission and the need to provide protection against reasonably anticipated threats to the security or integrity of e-PHI. Four sub-questions frame this bibliography: (a) how can HIPAA-covered entities assess existing security frameworks in relation to the HIPAA security rule, (b) what are the potential risks and liabilities due to HIPAA violation during e-PHI data exchanges, (c) how can covered entities protect the confidentiality, integrity, and availability of e-PHI data exchanges, and (d) how can covered entities select appropriate emerging technologies purported to improve the security of e-PHI data exchanges.

Factors Driving the Need for DAR Protections
Assess Existing Security Frameworks
MedDocs Central (2011) provides a twenty-eight-item HIPAA security checklist for health care providers, intended to assist in a self-assessment of the existing security framework prior to implementing health information technology capabilities such as electronic health information exchange.
Identify Potential Risks and Liabilities
HHS (2011) provides an eight-step risk analysis process:
  1. identify the analysis scope,
  2. gather data,
  3. identify and document potential threats and vulnerabilities,
  4. assess current security measures,
  5. determine likelihood of threat occurrence,
  6. determine potential impact of threat occurrence,
  7. determine the level of risk, and
  8. identify security measures and finalize documentation.
The AMA (2011) provides a detailed chart of civil penalties for HIPAA violations.
Protect e-PHI Confidentiality, Integrity, and Availability
Lerner and Koh (2004) describe three broad categories of safeguards:
  1. administrative safeguards involving business processes to manage e-PHI,
  2. technical safeguards for software and hardware to store and transmit e-PHI, and
  3. physical safeguards for facilities to house software and hardware used to store and transmit e-PHI, and facilities where staff who handle e-PHI work.
Select Appropriate Emerging Technologies
  • Use a Secure Sockets Layer virtual private network (SSL VPN); in practice these products run TLS, and SSL 2.0 and 3.0 themselves are deprecated and should be disabled.
  • Internet Protocol Security (IPsec) can provide the following types of protection:
    1. confidentiality,
    2. integrity,
    3. peer authentication,
    4. replay protection,
    5. limited traffic analysis protection (traffic-flow confidentiality in tunnel mode), and
    6. access control.
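The following Python sketch is an added illustration, not code from the capstone or from any cited source, of two of the IPsec protections listed above: integrity with peer authentication (an HMAC-SHA-256-128 integrity check value computed over the ESP header and payload, as in RFC 4868) and replay protection (the sliding anti-replay window of RFC 4303, section 3.4.3). Encryption is left out so the checks stay visible; the shared key, SPI and packet contents are constructed for the example, and a real security association derives its keys from IKE.

```python
"""ESP-style integrity and anti-replay checks (RFC 4303). Added example;
the key, SPI and payloads are constructed for illustration only."""
import hashlib
import hmac

HDR_LEN = 8    # 4-byte SPI + 4-byte sequence number, as in the ESP header
ICV_LEN = 16   # HMAC-SHA-256-128: the HMAC output is truncated to 128 bits (RFC 4868)


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303, section 3.4.3).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number `top - i` has been accepted, so the window
    covers `top - size + 1 .. top`. RFC 4303 requires at least 32 entries and
    defaults to 64.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def is_acceptable(self, seq):
        """Cheap pre-check, run before the integrity check value is verified."""
        if seq == 0:            # ESP never uses sequence number 0
            return False
        if seq > self.top:      # newer than anything accepted: always acceptable
            return True
        diff = self.top - seq
        if diff >= self.size:   # older than the window: treated as a replay
            return False
        return ((self.bitmap >> diff) & 1) == 0   # inside the window and unseen

    def update(self, seq):
        """Record `seq`; call only after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # every earlier entry fell off the window
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def compute_icv(key, header, payload):
    """Integrity check value over SPI, sequence number and payload."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]


def protect(key, spi, seq, payload):
    """Sender side: SPI | seq | payload | ICV (no encryption in this sketch)."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    return header + payload + compute_icv(key, header, payload)


def receive(key, window, packet):
    """Receiver side; returns (payload, status), status in
    "ok", "malformed", "replay", "bad-icv".

    The replay pre-check is cheap and runs first, but the window is updated
    only after the ICV verifies, so a forged packet cannot consume sequence
    numbers and cause a later genuine packet to be dropped.
    """
    if len(packet) < HDR_LEN + ICV_LEN:
        return None, "malformed"
    header, payload, icv = packet[:HDR_LEN], packet[HDR_LEN:-ICV_LEN], packet[-ICV_LEN:]
    seq = int.from_bytes(header[4:8], "big")
    if not window.is_acceptable(seq):
        return None, "replay"
    if not hmac.compare_digest(icv, compute_icv(key, header, payload)):
        return None, "bad-icv"
    window.update(seq)
    return payload, "ok"


def simulate():
    """Run a constructed packet stream through one receiver; return the statuses."""
    key = b"constructed-demo-key-do-not-reuse"   # constructed; real keys come from IKE
    spi = 0x1234ABCD                             # constructed SPI
    window = ReplayWindow()

    def pkt(seq, text):
        return protect(key, spi, seq, text)

    genuine_5 = pkt(5, b"record E")
    forged_5 = bytearray(genuine_5)
    forged_5[HDR_LEN] ^= 0x01                    # attacker flips a payload bit, keeps the ICV
    stream = [
        pkt(1, b"record A"),    # ok
        pkt(2, b"record B"),    # ok
        pkt(3, b"record C"),    # ok
        pkt(2, b"record B"),    # replayed copy of seq 2 -> replay
        bytes(forged_5),        # seq 5 unseen but ICV fails -> bad-icv, window untouched
        genuine_5,              # ok: seq 5 was not burned by the forgery
        pkt(4, b"record D"),    # ok: late, but still inside the window
        pkt(100, b"record Z"),  # ok: the window slides far ahead
        pkt(3, b"record C"),    # accepted earlier, now outside the window -> replay
    ]
    return [receive(key, window, p)[1] for p in stream]


if __name__ == "__main__":
    print(simulate())
```

The ordering inside `receive` is the practical point: a receiver that advanced its window before verifying the ICV would let an attacker who can inject unauthenticated packets with high sequence numbers push genuine traffic out of the window.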

Health insurance providers report a commitment to the goal of creating an interconnected health care system in which health information can be exchanged electronically, so that doctors and hospitals have patients' information in the right place, at the right time (AHIP, 2008). The implications of HIPAA related security breaches can be serious and covered entities must have a greater stake in ensuring information security at all levels.

Complying with the security rules not only protects covered entities from internal or external security threats but also safeguards organizations from any potential federal, civil, or criminal penalties that may be imposed upon them due to a violation. Appropriate security measures must be carefully implemented to protect e-PHI within covered entities to comply with the law and to ultimately improve the overall quality of patient care.



Author: Sandesh Kuckian, business systems analyst, MedImpact Healthcare Systems, Inc.—2011 University of Oregon, AIM Program Graduate.

Abstract: HIPAA requires covered entities to follow standards for protecting the security of electronic protected health information (e-PHI). This study examines the need to develop a secure data exchange in order to maintain compliance with the goals of the HIPAA Security Rule. Literature published between 2000 and 2011 is analyzed for approaches that ensure the confidentiality, integrity, and availability of e-PHI while allowing entities to adopt new technologies to improve the quality, safety, and efficiency of patient care.
