New program helps satisfy HIPAA security rules

Encryption technology maintains confidentiality

While the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has the primary goal of making health insurance portable for thousands of Americans, the act also mandates new security standards and electronic data interchange requirements. These requirements are having far-reaching effects on the entire health care industry, to say the least, including the professionals who manage occupational health clinics.

A new software application called ZixMail, developed by Dallas-based ZixIt Corporation, is designed to help ensure compliance with those security regulations. The product, introduced at several beta sites during the year 2000, was formally launched this spring.

"In addition to meeting confidentiality requirements, it is important for us to facilitate efficiencies for cost savings that the increased use of technology affords," notes Pat Feyen, director of sales in ZixIt’s health care division. "We are behind the curve in this regard compared to many other industries. This was one of the goals of HIPAA, in addition to developing standards to protect security, confidentiality, and integrity of private information."

HIPAA’s security standards address administrative procedures, physical safeguards of information in computer systems, technical security, and technical security mechanisms, notes Feyen, who served as president and CEO for the Texas and Oklahoma region of PacifiCare Health before joining ZixIt. "There have to be policies and procedures in place within the affected entity," he explains. "They have to be approved by the security committee, people must be in place who are accountable for compliance, and you have to track access to ‘individually identifiable health information’ to desktops and to the database. If there is a way a reader can identify me with related health data, it has to be protected."

Encryption required

HIPAA requires this information to be encrypted before it can be moved electronically over the Internet, notes Feyen. "That’s the part of the process we bring value to," he notes. The strength of encryption in ZixMail will meet and exceed HIPAA standards and requirements, says Feyen. "Its other aspects as a business tool make it more efficient," he adds.

Here’s how it works: The program is installed on a desktop computer, which takes less than 10 minutes. "It can be downloaded from our web site [www.zixit.com]; if the client is a large company, we can work with the system administrator to ‘push’ it to each computer," Feyen explains.

The users then create a password, and if they are using Microsoft Outlook or Lotus Notes e-mail programs, nothing else changes. "ZixMail is integrated with those programs," Feyen says. "You simply create an e-mail and grab all the attachments you need, as usual. Then, instead of clicking the ‘send’ button, you click a red ‘Z’ button, type in your pass phrase, and then hit ‘send.’"

What happens then is a bit more complicated. In the world of encryption, there are both public and private keys. ZixIt stores and manages all of the public keys on its worldwide signature server in Dallas. "So, when I send you an e-mail and hit the red ‘Z,’ the message goes to the server, which grabs the recipient’s public key and encrypts the message and attachments so they can be sent point to point," Feyen explains. The private key is inherent in the software when it’s downloaded. "The only thing that will open the file is your matching private key," says Feyen. "That triggers the decryption of the message."

Unlike earlier encryption programs, ZixMail can be used by individuals who have not downloaded the program themselves, Feyen observes. "You can send your information to anyone. If the receiver has not installed ZixMail, the system knows that. Since the recipient does not have a public key, we use the worldwide signature public key, send it to the sender’s desktop, encrypt the message, then send it back to the server and store it for anywhere from one to 21 days. The receiver is notified that they have a secure message waiting for them. They open it, click on the hyperlink, and through our secured connection it will go to the server and they can read or cut and paste and download the attachment. All of this happens instantaneously."

In this manner, says Feyen, the sender complies with HIPAA regulations by securing the message. The reply is encrypted as well. "But you can’t initiate a new message unless you have installed ZixMail," he adds.
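The two delivery paths Feyen describes, as an added Go example that is not ZixIt's code and makes no claim about ZixMail's actual internals: a map stands in for the signature server's key directory, a message to a registered recipient is sealed to that recipient's public key, and a message to an unregistered recipient is sealed to the server's own key and parked for one to 21 days. The hybrid RSA-OAEP/AES-256-GCM construction, the addresses and the key sizes are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

var Random = rand.Reader // CSPRNG, exported so callers can generate keys from it

type Envelope struct {
	WrappedKey, Nonce, Body []byte    // AES-256-GCM body; its key wrapped with RSA-OAEP
	HeldUntil               time.Time // zero when sent point to point
}

// Seal encrypts to the recipient's key from dir (address -> public key) or,
// if they have none, to the server key, parking the message for hold.
func Seal(dir map[string]*rsa.PublicKey, serverPub *rsa.PublicKey, to string, msg []byte, hold time.Duration) (Envelope, error) {
	pub, held := dir[to], time.Time{}
	if pub == nil {
		if hold < 24*time.Hour || hold > 21*24*time.Hour {
			return Envelope{}, errors.New("hold must be 1 to 21 days")
		}
		pub, held = serverPub, time.Now().Add(hold)
	}
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key); rand.Read(nonce) // crypto/rand fills both slices fully
	block, _ := aes.NewCipher(key)   // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	// The address is the OAEP label and the GCM associated data (assumed design).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), Random, pub, key, []byte(to))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, []byte(to)), held}, nil
}

// Open unwraps with the holder's private key for the addressed recipient;
// any other key, or a different address, returns an error.
func Open(priv *rsa.PrivateKey, to string, e Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, []byte(to))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.Body, []byte(to))
}
```

In the parked path it is the server's private key, not the recipient's, that opens the message, which is why the recipient reads it through the server's secured connection rather than on their own desktop.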

Addressing challenges

There are no universal standards when it comes to encryption technology, says Feyen, which causes some difficult challenges. "A lot of products are exclusive; that is, you can’t talk to another institution if they are not using the same program you are. We’ve addressed the issues of interoperability and compatibility."

ZixMail also provides a certified receipt. "When I send you a message, I can check a box that says I want certified receipts notifying me of the exact time and date that you opened the message. I get a note back with that information. This is important, because there are time requirements for responding to claims, submitting credentialing information for physicians, and so on." Feyen notes that ZixMail also is quite affordable. "The charge is only $24 per year per e-mail address," he says.

Of course, because ZixIt’s health care initiative with ZixMail was just launched in March, the jury of users is still out. One such user, Paul Porter, security architect for United Health Care in Minnetonka, MN, is pleased with the results so far. "From our standpoint, this one just works," he says, while noting that ZixMail is not yet considered to be an "authorized product" for United Health. "We don’t yet have a formal relationship; we’re still beta-testing," Porter explains.

Porter is testing ZixMail in several different groups, including the security group. "There’s a tremendous need for secure messaging," he notes. "There are clearly some trade-offs one has to take a look at, and that’s why we’re trying to look at several systems. For example, once messages are encrypted, it’s difficult, if not impossible, to discover viruses." But, he adds, in light of HIPAA, encryption is a must. "This company [ZixIt] has done some non-standard things, and we have to wrestle with those issues," he says. "However, the other programs are not as automatic and user-friendly."

Need more information?

Pat Feyen, Director of Sales, Healthcare Division, ZixIt Corporation, 2711 North Haskell Ave., Suite 2300 LB36, Dallas, TX 75204-2960. Telephone: (214) 370-2005.

Paul Porter, United Healthcare, Minnetonka, MN. Telephone: (952) 936-1300.