Creighton University: Researchers Comply with HIPAA Using PKZIP
Creighton University is consistently
recognized as one of the top private universities in the country for medicine,
pharmacy, physical therapy, occupational therapy, dentistry, and nursing. In
addition to teaching, research is an important aspect of the school's programs.
Faculty members and graduate students conduct research in many areas, including
ethics, clinical drug studies, innovative educational techniques, among others.
HIPAA Implications
As part of their ongoing research, professors, doctors, graduate students, and
others exchange a wide range of confidential patient data. To maintain the integrity
and privacy of such data, the U.S. Government introduced the Health Insurance
Portability and Accountability Act (HIPAA) in 1996 and established April 2003
as the deadline for compliance. In 1999, Creighton set up a working group to
look at the implications of HIPAA as it related to its medical centers. In 2002,
the school began to consider the ramifications of HIPAA on its research efforts.
"We knew that the time was drawing near when we would have to have a standard
HIPAA procedure in place to adequately protect subject identifiers from improper
use and disclosure," says Dr. Phillip Vuchetich, assistant professor of Pharmacy
Sciences.
Meeting Requirements
The university was already using PKZIP to compress large files, so it was familiar
with the product and its capabilities. However, the school wanted to determine
if the newest version of PKZIP, which provided strong encryption, could meet
the tough security and privacy standards set forth by HIPAA. Alternative solutions
Creighton could have implemented included S/MIME and PGP, however, these methods
would have required greater investment, are more complex, and raise interoperability
issues.
Because PKZIP integrates with both PKI and non-PKI environments, the cost was much less for deploying internally as a security solution as well as for interoperating with external recipients.
"Our goal was to assess PKZIP's capabilities with regard to protecting health-related data as well as the integrity of our research," says Dr. Vuchetich.
To determine if PKZIP could meet HIPAA requirements, Dr. Vuchetich, along with Dr. Vasant Raval, chair of the department of Accounting in the College of Business Administration, launched a formal PKZIP study in June 2002. The researchers implemented PKZIP in a Microsoft Windows environment made up of more than 110 researchers, and then began testing in two browser environments, Microsoft Internet Explorer and Netscape Navigator.
"The implementation of PKZIP was swift and relatively easy," explains Dr. Raval. "We found the product performed data encryption well, and integrated smoothly with externally supplied digital certificates. Plus, once we equipped a few users, PKZIP scaled quickly and easily to our remaining researchers."
Seamless Integration
Today, more than 300 researchers associated with the Creighton University Medical
Center rely on PKZIP to exchange confidential patient data and other research-related
information. By relying on PKZIP's seamless e-mail integration with Microsoft
Outlook, researchers now have an easy-to-use solution for sending e-mail attachments
compactly and securely.
Phillip J. Vuchetich, Ph.D. (philv@creighton. edu), is assistant professor of Pharmacy Sciences, and Vasant Raval, Ph.D. (vraval@ creighton.edu), is professor and chair, Accounting, both at Creighton University.