System News
Meeting HIPAA/HITECH Compliance Requirements with Sun Solutions
Includes Best Practices, Recommended Applications
January 15, 2010, Volume 143, Issue 2

Managing HIPAA/HITECH compliance with Sun IAM solutions
 

The Sun white paper "Identity and Access Management: Enabling HIPAA/HITECH Compliance" (login or registration required) examines the requirements that healthcare organizations and their vendors face as they become more dependent on digital information technology while also having to satisfy a growing body of regulation, and the challenges that combination creates. Author Mark Dixon sets out best practices for implementing identity management systems that help ensure compliance, and shows how Sun's pragmatic approach to identity management simplifies, rather than complicates, the technology environment.

The challenges facing the healthcare industry include improving security and privacy, increasing cost efficiency, and improving quality of service. The Health Insurance Portability and Accountability Act (HIPAA), enacted by Congress in 1996, sets requirements for protecting electronic health records. To manage those records across complex, multi-enterprise environments, regional and national health information exchanges and health information networks are emerging that collect, store and transport data more efficiently while integrating diverse healthcare systems.

The Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2009, refined and extended HIPAA's requirements. It introduced the first federally mandated requirement to notify affected individuals of breaches of unsecured protected health information, and it extended HIPAA privacy and security obligations, and the liability that comes with them, to the business associates of "covered entities". Covered entities are, broadly, health plans (including employer-sponsored plans and health insurers), health care clearinghouses, and health care providers that transmit health information electronically in connection with standard HIPAA transactions.

The HIPAA/HITECH requirements for privacy, security, auditing and notification are supported directly by identity and access management (IAM) technology and processes, which control user access to data, applications, networks and other resources. By streamlining the management of user identities, access rights, and security policies across the enterprise and throughout health care information networks, the overall cost of compliance can be reduced.

Experience in the field since the initial passage of the HIPAA act has yielded several recommended best practices for implementing IAM systems to enable HIPAA/HITECH compliance. IAM solutions from Sun are particularly well-suited to addressing the privacy and security requirements of HIPAA/HITECH. Sun’s pragmatic approach to IAM helps organizations achieve compliance by simplifying, rather than further complicating, the technology environment.

The white paper provides an overview and reviews the administrative provisions of both HIPAA and HITECH before turning to a discussion of the impact of both acts on business practices and patients.

The section of the paper devoted to "The Role of IAM in HIPAA/HITECH Compliance" shows how, by streamlining the management of user identities and access rights and by automating time-consuming audits and reports, IAM solutions can support strong privacy and security policies across the enterprise and throughout health information exchanges (HIEs) while reducing the overall cost of compliance.

The paper lists and reviews the following key enablers provided by IAM for HIPAA/HITECH compliance:

  • Assign and control user access rights
  • Adjust user access rights when responsibilities change
  • Revoke user access upon termination
  • Manage allocation of user credentials
  • Enforce segregation of duties policies
  • Provide uniform access policy
  • Manage access based on business roles
  • Enforce secure access policies
  • Enforce informed-consent principles
  • Extend access control to business associates
  • Verify access rights
  • Conduct periodic compliance assessments
  • Provide automated reports
  • Reduce time to react to new regulations
  • Reduce cost of compliance
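Several of these enablers reduce to data and checks once they are written down. The following Python sketch is an added illustration, not code from the white paper or from any Sun IAM product: business roles are mapped to the entitlements they carry, a separation-of-duties rule blocks conflicting role combinations at assignment time rather than after the fact, termination revokes every role in one step, and an access-review report is generated from the same store that enforces the policy, so the report reflects what is actually granted. The role names, entitlements, user IDs and conflict pairs are constructed sample data for a hypothetical clinic.

```python
"""Role-based access control with separation-of-duties (SoD) checks,
termination revocation and an access-review report.

Added illustration only: not code from the Sun white paper or any Sun IAM
product. Roles, entitlements, users and SoD rules are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Business roles mapped to the concrete entitlements they carry (constructed).
ROLE_ENTITLEMENTS = {
    "physician": {"ehr:read", "ehr:write", "orders:create"},
    "pharmacist": {"ehr:read", "orders:dispense"},
    "billing_clerk": {"ehr:read", "claims:submit"},
    "claims_approver": {"claims:approve"},
}

# Separation of duties: role pairs one person may never hold at the same time.
# Submit/approve claims is the classic financial control; prescribe/dispense
# is its clinical analogue. Both rules are constructed for the example.
SOD_CONFLICTS = {
    frozenset({"billing_clerk", "claims_approver"}),
    frozenset({"physician", "pharmacist"}),
}


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)
    active: bool = True


class IdentityStore:
    """Tiny in-memory stand-in for an IAM provisioning system."""

    def __init__(self):
        self.users = {}
        self.audit = []  # append-only trail; every grant/deny/revoke lands here

    def _log(self, actor, action, subject, detail=""):
        self.audit.append({"when": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action,
                           "subject": subject, "detail": detail})

    def add_user(self, user_id, actor="hr_feed"):
        self.users[user_id] = User(user_id)
        self._log(actor, "create_user", user_id)

    @staticmethod
    def sod_violations(roles):
        """Conflicting role pairs fully contained in the given role set."""
        return {tuple(sorted(p)) for p in SOD_CONFLICTS if p <= set(roles)}

    def assign_role(self, user_id, role, actor):
        user = self.users[user_id]
        if not user.active:
            raise PermissionError(f"{user_id} is terminated; no new access")
        if role not in ROLE_ENTITLEMENTS:
            raise KeyError(f"unknown role {role}")
        # Evaluate SoD against the *proposed* role set before granting anything.
        violations = self.sod_violations(user.roles | {role})
        if violations:
            self._log(actor, "assign_role_denied", user_id,
                      f"{role}: SoD conflict {sorted(violations)}")
            raise PermissionError(f"SoD conflict for {user_id}: {sorted(violations)}")
        user.roles.add(role)
        self._log(actor, "assign_role", user_id, role)

    def revoke_role(self, user_id, role, actor):
        self.users[user_id].roles.discard(role)
        self._log(actor, "revoke_role", user_id, role)

    def terminate(self, user_id, actor):
        """Termination clears every role and disables the account in one step."""
        user = self.users[user_id]
        revoked = sorted(user.roles)
        user.roles.clear()
        user.active = False
        self._log(actor, "terminate", user_id, f"revoked {revoked}")

    def entitlements(self, user_id):
        """Effective rights: union over held roles; empty once terminated."""
        user = self.users[user_id]
        if not user.active:
            return set()
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in user.roles))

    def access_review(self):
        """Report for periodic review: roles, effective rights and any SoD
        violation already present (e.g. introduced outside this API)."""
        return [{"user": uid, "active": u.active, "roles": sorted(u.roles),
                 "entitlements": sorted(self.entitlements(uid)),
                 "sod_violations": sorted(self.sod_violations(u.roles))}
                for uid, u in sorted(self.users.items())]


def demo():
    """Assignment, a blocked SoD conflict, a responsibility change, termination.
    Returns the store and whether the conflicting assignment was blocked."""
    store = IdentityStore()
    store.add_user("dr.lee")
    store.add_user("m.ortiz")
    store.assign_role("dr.lee", "physician", actor="hr_feed")
    store.assign_role("m.ortiz", "billing_clerk", actor="hr_feed")
    try:  # a manager tries to stack approval rights on top of submission rights
        store.assign_role("m.ortiz", "claims_approver", actor="manager")
        blocked = False
    except PermissionError:
        blocked = True
    # Responsibility change: move the user, do not accumulate roles.
    store.revoke_role("m.ortiz", "billing_clerk", actor="manager")
    store.assign_role("m.ortiz", "claims_approver", actor="manager")
    store.terminate("dr.lee", actor="hr_feed")
    return store, blocked
```

Running `demo()` and printing `store.access_review()` and `store.audit` shows the two artifacts an auditor asks for: the current state of who holds what, and the trail of how it got that way, including the denied assignment. The point of checking SoD against the proposed role set inside `assign_role` is that the conflict never exists, even transiently; a review that only scans for existing conflicts would have to catch it after the grant.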

Having enumerated these enablers, the paper then turns to a brief review of the several Sun IAM solutions that are available to healthcare providers as they work to address the requirements of HIPAA/HITECH. These include:

  • Sun Identity Manager
  • Sun Role Manager
  • Sun OpenSSO Enterprise
  • Sun Directory Server Enterprise Edition
  • Sun Messaging Server
  • Sun Java Composite Application Product Suite
  • Trusted Solaris Operating System

The paper also illustrates how these Sun IAM products apply to each primary compliance enabler.

Chapter 8 of the paper, "Best Practices for the IAM/Compliance Journey," outlines the 13 recommended best practices that have evolved in the field for implementing IAM systems to enable HIPAA/HITECH compliance.

Chapter 9, "How to Get Started with HIPAA/HITECH and IAM," lists pragmatic steps for implementing a compliance strategy, and Chapter 10, "The Sun IAM Workshop," points readers to the Sun Professional Services offering designed to accomplish exactly that.

More Information

Identity and Access Management: Enabling HIPAA/HITECH Compliance (login or registration required): Dixon's white paper

Achieving HIPAA Compliance with Identity Management from Sun

IAM Best Practices

Download OpenSSO Express Build 8

Migrating to Role-Based Access Control (RBAC)

Madrid Hospital Group Implements Sun Identity Manager-based Security Solution

How Sun Approaches Identity Management

Using Identity as a Service




News and Solutions for Users of Solaris, Java and Oracle's Sun hardware products
Just the news you need, none of what you don't – 42,000+ Members – 24,000+ Articles Published since 1998