 Frequently Asked Questions: HIPAA and AS2

Background

Q1: What is Drummond Group, Inc. (DGI)?
Q2: What is HIPAA?

General

Q3: What is AS2?
Q4: How is AS2 related to HIPAA at a high level?
Q5: What organizations are likely to use AS2 for HIPAA, and in what scenarios?
Q6: What are the direct and indirect benefits of using AS2 for HIPAA?
Q7: What is the price of AS2 software and how can I purchase it?

Technical

Q8: What specific HIPAA requirements does AS2 address?
Q9: If I use a clearinghouse, why would I use AS2 for HIPAA?
Q10: Why wouldn't I just use file transfer protocol (FTP) to transfer HIPAA messages?
Q11: Can I leverage AS2 with other health standards (HL7, NCPDP, etc.)?
Q12: Why wouldn't I use ebMS or another message transport service for HIPAA?
Q13: Does AS2 support "mailboxing" of messages or pull-style messaging?
Q14: If I buy a software solution supporting ebXML Messaging, will it work with an AS2-based software solution?
Q15: Where can I find additional information on HIPAA?
Q16: Where can I find additional information on AS2?

Technical

8) What specific HIPAA requirements does AS2 address?


Since the HIPAA privacy rules define procedural details on who/how/why access is granted to patients' protected health information, AS2 addresses the requirements as a technical safeguard to protect information privacy while data is in transit over the Internet. HIPAA's privacy rules require covered entities to have appropriate administrative, technical and physical safeguards in place. This includes all medical information that contains any of a number of patient identifiers, including name, Social Security number, telephone number, medical record number or ZIP code. The regulations protect all individually identifiable health information in any form (electronic, paper-based) that is stored or transmitted by a covered entity.

The following explains in detail how AS2 addresses specific HIPAA rules.

HIPAA Transaction Rules. AS2 is capable of transporting the X12 EDI and NCPDP messages required by the Transaction Rules. AS2 can support both real-time exchanges (generally small messages) and batch exchanges (generally very large messages).

HIPAA Security Rule. AS2 is capable of addressing all HIPAA Security Rule requirements that relate to data being transmitted over an electronic communications network. The Security Rule addresses access control, encryption/decryption, integrity, transmission security and the electronic signature rule:

Access control. Allows access only to those persons or software programs that have been granted access rights. AS2 provides:

  • Binding to https. This allows authentication by a digital certificate.
  • Digital Signatures. This identifies that the holder of a specific Digital Certificate has digitally signed a message.

Encryption and decryption. This implements a mechanism to encrypt and decrypt electronic protected health information. AS2 provides both:

  • a binding to https, which allows encrypted data transfer
  • the implementation of S/MIME or PGP (and optionally other encryption technologies), which allows end-to-end data encryption

Integrity. Electronically protects health information from improper alteration or destruction, corroborates that electronic protected health information has not been altered or destroyed in an unauthorized manner and verifies that a person or entity seeking access to electronic protected health information is the one claimed.

AS2 provides for HIPAA Integrity through both data integrity and entity authentication via:

  • a binding to https, which allows entity authentication by Digital Certificate
  • Digital Signature, which identifies that the holder of a specific Digital Certificate has digitally signed a message
  • Digital Signature, which allows both the sender and the receiver to validate the data integrity of the message exchange
  • Message Disposition features, which allow a sender to validate that the receiver has received the intended message exactly as sent

Transmission security. Implements technical security measures to guard against unauthorized access to electronically protected health information that is being transmitted over an electronic communications network. Protected health information is not improperly modified without detection and a mechanism is implemented to encrypt electronic protected health information whenever deemed appropriate.

As described above, AS2 allows for security of messages in transit via:

  • a binding to https, which allows encrypted data transfer
  • the implementation of S/MIME, PGP or other encryption technologies, which allow end-to-end data encryption
  • Digital Signature, which allows both the sender and the receiver to validate the data integrity of the message exchange
  • Message Disposition features, which allow the sender to validate that the receiver has received the intended message exactly as sent

Electronic Signature Rule. The Electronic Signature rule is a proposed rule, not yet a final rule, but the AS2 messaging standard is capable of supporting its requirements. The rule defines options for how Digital Signatures can be used to provide:

  • Message Integrity
  • Non-Repudiation
  • User Authentication

AS2 defines a standard way to use the S/MIME Digital Signature standard that provides:

  • Message Integrity of both request and response messages
  • Non-Repudiation of origin and Non-Repudiation of receipt
  • User Authentication via a Digital Certificate associated with a digital signature
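The integrity and non-repudiation-of-receipt mechanism described above rests on the AS2 Message Disposition Notification (MDN): the sender computes a message integrity check (MIC) over the content it signed, the receiver returns the MIC it computed over what it actually processed in a Received-Content-MIC field, and the sender accepts the exchange only if the two match. The following Python example, added here and not code from Drummond Group or from any AS2 product, models just that MIC/MDN comparison using only the standard library. The EDI payload, Message-ID and Reporting-UA values are constructed, and the S/MIME signing, encryption and HTTPS layers that wrap a real AS2 message and its MDN are assumed to exist around this check rather than implemented.

```python
import base64
import hashlib
import hmac
from email import message_from_string

# Constructed stand-in for an X12 EDI interchange; not real patient data.
SAMPLE_EDI = (
    b"ISA*00*          *00*          *ZZ*SENDER         *ZZ*RECEIVER       "
    b"*240101*1200*^*00501*000000001*0*P*:~GS*HC*SENDER*RECEIVER*20240101*1200*1*X*005010X222A1~"
)
# Hypothetical AS2 Message-ID, constructed for the example.
SAMPLE_MESSAGE_ID = "<constructed-000001@sender.example>"


def compute_mic(content: bytes, algorithm: str = "sha1") -> str:
    """Return the MIC in the form AS2 carries it: '<base64 digest>, <algorithm>'."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{base64.b64encode(digest).decode('ascii')}, {algorithm}"


def build_mdn(original_message_id: str, received_content: bytes,
              algorithm: str = "sha1", disposition: str = "processed") -> str:
    """Receiver side: the message/disposition-notification fields an AS2 receiver
    returns after handling a message. In a real exchange this part is wrapped in a
    multipart/report and signed with S/MIME so the receipt itself is non-repudiable;
    that signature layer is assumed, not modelled, here."""
    return (
        "Reporting-UA: example-as2-receiver\r\n"
        f"Original-Message-ID: {original_message_id}\r\n"
        f"Disposition: automatic-action/MDN-sent-automatically; {disposition}\r\n"
        f"Received-Content-MIC: {compute_mic(received_content, algorithm)}\r\n"
    )


def parse_mdn(mdn_text: str) -> dict:
    """Parse the disposition-notification headers with the stdlib email parser."""
    msg = message_from_string(mdn_text)
    return {
        "message_id": msg.get("Original-Message-ID", "").strip(),
        "disposition": msg.get("Disposition", "").strip(),
        "mic": msg.get("Received-Content-MIC", "").strip(),
    }


def verify_receipt(sent_content: bytes, sent_message_id: str, mdn_text: str,
                   algorithm: str = "sha1"):
    """Sender side: accept the receipt only if it references our message, reports
    successful processing, and the receiver's MIC equals the one we computed over
    the content we sent. A mismatch means the receiver processed something other
    than what left our system (corruption or alteration in transit)."""
    fields = parse_mdn(mdn_text)
    if fields["message_id"] != sent_message_id:
        return False, "MDN does not reference the message we sent"
    # Disposition looks like 'automatic-action/MDN-sent-automatically; processed'
    # or '...; processed/error: <modifier>'; only an unqualified 'processed' is success.
    _, _, disposition_type = fields["disposition"].partition(";")
    if disposition_type.strip().lower() != "processed":
        return False, f"receiver reported: {disposition_type.strip() or 'no disposition'}"
    mic_value, _, mic_alg = fields["mic"].partition(",")
    expected_value, _, expected_alg = compute_mic(sent_content, algorithm).partition(",")
    if mic_alg.strip().lower() != expected_alg.strip().lower():
        return False, f"MIC algorithm mismatch: {mic_alg.strip()!r} vs {expected_alg.strip()!r}"
    # Constant-time comparison of the two base64 digests.
    if not hmac.compare_digest(mic_value.strip(), expected_value.strip()):
        return False, "MIC mismatch: receiver did not process the content exactly as sent"
    return True, "receipt verified: content processed exactly as sent"


if __name__ == "__main__":
    # Happy path: the receiver processed exactly the bytes we sent.
    mdn = build_mdn(SAMPLE_MESSAGE_ID, SAMPLE_EDI)
    print(verify_receipt(SAMPLE_EDI, SAMPLE_MESSAGE_ID, mdn))
    # Altered in transit: the receiver's MIC covers different bytes.
    tampered_mdn = build_mdn(SAMPLE_MESSAGE_ID, SAMPLE_EDI + b"X")
    print(verify_receipt(SAMPLE_EDI, SAMPLE_MESSAGE_ID, tampered_mdn))
```

The check deliberately fails closed on three distinct conditions (wrong Message-ID, a non-"processed" disposition, and a MIC mismatch) and reports which one, because an operator triaging a failed HIPAA transaction needs to know whether the partner never saw the message, rejected it, or received a corrupted copy. The MIC value itself proves nothing unless the MDN carrying it is signed by the partner's certificate, which is why AS2 pairs the MDN with S/MIME signatures for non-repudiation of receipt.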

9) If I use a clearinghouse, why would I use AS2 for HIPAA?


If you use a clearinghouse, you will more than likely continue to use the messaging transport technology that you and your clearinghouse have already established and go through a process of validating that those technologies are HIPAA compliant. AS2 is most applicable to scenarios where business partners want to send messages directly to each other over the Internet.

10) Why wouldn't I just use file transfer protocol (FTP) to transfer HIPAA messages?


FTP messaging can be compliant with HIPAA, if used in a secure manner. The primary consideration around FTP is that there is no well-accepted standard for secure FTP. Partners typically must use the exact same FTP software vendor or make use of dedicated secure networks. In contrast, AS2 has standard security mechanisms that can interoperate between AS2 implementations from multiple software vendors over the public Internet.

11) Can I leverage AS2 with other health standards (HL7, NCPDP, etc.)?


Yes. AS2 is payload agnostic: it can transport business documents of any format, including any EDI- or XML-based business documents.

12) Why wouldn't I use ebMS or another message transport service for HIPAA?


HIPAA purposefully does not prescribe specific technologies, allowing covered entities to leverage new technologies as they become available. AS2 is well-suited to supporting HIPAA transactions between partners, but there are other messaging standards that can be used to meet HIPAA's compliance requirements.

ebMS is a standard for transporting EDI and any other business data formats over the Internet, and is also an appropriate messaging standard for HIPAA transactions.

DGI has available research on its website:

13) Does AS2 support "mailboxing" of messages or pull-style messaging?


AS2 does not have specific features for pull-style messaging. Software vendors and end users may implement this type of "mailbox" style delivery using AS2 as the underlying message transport.

14) If I buy a software solution supporting ebXML Messaging, will it work with an AS2-based software solution?


No. The AS2 and ebXML Messaging standards do not interoperate. However, a growing number of software vendors provide functionality that would support both standards. So, one might start with AS2 and move to ebXML or vice versa with the same product base. Please check with your software vendor for particulars.

15) Where can I find additional information on HIPAA?


There are many discussion groups and web sites dedicated to HIPAA. The U.S. government organizations responsible for HIPAA include CMS (Centers for Medicare and Medicaid Services) and OCR (Office for Civil Rights). Their respective HIPAA websites are located at:
http://www.cms.hhs.gov/hipaa/
http://www.hhs.gov/ocr/hipaa/

WEDI/SNIP is an influential HIPAA DSMO (Designated Standards Maintenance Organization) and maintains a web site at: http://www.wedi.org/snip/

16) Where can I find additional information on AS2?

The current AS2 specification can be found at:
http://www.ietf.org/internet-drafts/draft-ietf-ediint-as2-12.txt

© 2008 Drummond Group, Inc.