Colorado's Multi-Use Network (MNT) and
Health Insurance Portability and Accountability Act (HIPAA)

OVERVIEW
The State of Colorado's Multi-Use Network (MNT) provides statewide network transport services to a number of state and local entities that require HIPAA compliant security solutions. MNT is a leased network on Qwest's commercially available Colorado High Speed Digital Network (CHSDN). MNT serves as an "anchor tenant" and thereby improves access to high bandwidth connectivity in each of Colorado's 64 counties. Health care organizations are encouraged to contact the MNT project team to discuss potential participation in the MNT network by calling 1-866-MNT-COLO.

HIPAA neither requires nor provides standards for certification of compliance by network transport providers. It also does not endorse or specify a single method of compliance for network users. Therefore, neither the MNT, the Qwest Colorado High Speed Digital Network, nor any other vendor network requires certification as HIPAA compliant. The source and destination systems linked over a network, however, must be HIPAA compliant.

The State of Colorado's Multi-Use Network (MNT), like any basic data transport infrastructure, provides certain network-level security but not necessarily data-level security and, therefore, by itself, is not capable of completely satisfying customer needs for HIPAA compliance. Customer needs for HIPAA compliance must be established and met within the customer system, that is, before the network connection boundary at the customer system firewall. The State of Colorado network architecture is designed to provide basic infrastructure security, for example, access control, intrusion detection, perimeter defense, response capability, and testing/auditing. However, data security for HIPAA compliance is the responsibility of each HIPAA "covered entity" as defined in the HIPAA Administrative Simplification regulations. This means that data security might require encryption and decryption efforts in order to maintain confidentiality and data integrity between sender and recipient during the transport of information required to be HIPAA compliant.

TECHNICAL
Network security focuses on keeping the network's components (circuits, routers, etc.) operational and undisrupted in order to ensure the transport mechanism's availability to all customers. Data security focuses on protecting confidentiality and integrity of the actual traffic flowing across a network. Unless changed, by April 14, 2003 anyone who conducts medical, financial, or administrative transactions using patient-identifiable data must comply with the new HIPAA Standards/Final Rules. Specifically, the Patient Privacy Rules require such entities to guard the integrity, confidentiality, and availability of patient data during both storage and transport.

A review of current remote-access security practices within the MNT and in the health care field generally shows that "Virtual Private Network" (VPN) technology is emerging as a dominant methodology. VPNs use complex encryption and "tunneling" technology to provide a cost-effective alternative to costly point-to-point dedicated network linkages. Because of these cost efficiencies, many healthcare organizations are turning to VPNs as a way to conduct secure electronic transactions. VPNs have also become the standard method for remote access for all of Colorado's higher education campuses. The MNT supports the deployment of VPN technology for secure networking.

The first step in determining if the MNT can provide network services to a health care organization is to call 1-866-MNT-COLO to determine eligibility. If the organization is an eligible participant, the next step is to request a price quotation for service, stating both the requirements for HIPAA compliance and the sites (or variety of sites) to which the organization needs HIPAA compliant connectivity. If the site's "upstream" connection has technical requirements (use of a specific device, encryption methodology or software application), these should be stated also.

If necessary, the MNT will refer the contact to one or more MNT partner vendors who will contact the health care organization to assess the organization's needs and suggest HIPAA compliant solutions that may be available and appropriate for their use. Qwest, for example, offers pre-sales assessment services for both technology and HIPAA-specific requirements for privacy and security. An MNT referral does not constitute an endorsement.

Please note that access to the MNT may be denied due to an organization's ineligibility under statute (HB-99-1102), the technology requested or incompatible business relationships of the health care organization. In those cases, the health care organization may want to contact Qwest or another network provider for transport services.

ADDITIONAL INFORMATION
Health Insurance Reform: Standards for Electronic Transactions
http://aspe.hhs.gov/admnsimp/final/txfin00.htm

The text of the law, from the Federal Register.

Network Security Solutions for Healthcare - Making HIPAA SAFE
http://www.cisco.com/warp/public/345/hipaa/docs/hipaa_wp.pdf
Cisco, Inc. web site

HIPAA (Health Insurance Portability & Accountability Act) requires that the Healthcare industry protect the privacy of patient records and promotes a national, uniform security standard for the secure electronic transmission of patient-identifiable information.

HIPAA is specific in its intent, but does not identify devices or architectures that would be viewed by the government as sufficient to secure patient data.

Qwest Communications And American Hospital Association Sign Agreement
To Advance The Use Of Technology In Hospitals

http://www.qwest.com/about/media/pressroom/1,1720,807_current,00.html?storyId=807

The American Hospital Association selected Qwest, the lead vendor in the MNT partnership, as the preferred provider of network services to the healthcare field.
