Sharing private health information over the internet can be a risky business. Unfortunately, as people become accustomed to doing most if not all of their personal business online, the demand for accessing this information online will grow to the point that health care providers will have no choice but to either provide access to this private health information or lose their customers.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted to assure the confidentiality of patient information. This requires that health care providers employ stringent measures to assure that information shared on the internet is protected from unauthorized access.

The HIPAA Act requires health-providing entities to:

• Assign responsibility for security to a person or organization.
• Assess security risks and determine the major threats to the security and privacy of protected health information.
• Establish a program to address physical security, personnel security, technical security controls, and security incident response and disaster recovery.
• Certify the effectiveness of security controls.
• Develop policies, procedures and guidelines for use of personal computing devices (workstations, laptops, hand-held devices), and for ensuring mechanisms are in place that allow, restrict and terminate access (access control lists, user accounts, etc.) appropriate to an individual's status, change of status or termination.
• Implement access controls that may include encryption, context-based access, role-based access, or user-based access; audit control mechanisms, data authentication, and entity authentication

This law has serious implications for organizations that allow unauthorized access resulting in a breach in confidentiality.

Security is the key

Since the HIPAA law provides for both civil and criminal penalties for violations, data and access security is of the utmost importance. To assure HIPAA compliance, online document management must include a number of security features:

• Secure web server