HCFA Internet Security Cover Letter

		Health Care Financing Administration

		Memorandum

TO All Center/Office Directors
HCFA Press Office
All Regional Administrators

FROM Director
Office of Information Services

SUBJECT HCFA Internet Security Policy

TO	All Center/Office Directors HCFA Press Office All Regional Administrators
FROM	Director Office of Information Services
SUBJECT	HCFA Internet Security Policy

The new HCFA Internet Security Policy has now been finalized (attached). It will become part of the HCFA Information Systems Security Program Handbook. This new policy establishes the basic security requirements that must be addressed to transmit HCFA Privacy Act-protected and/or other sensitive HCFA information over the Internet.

It is important to recognize that while the policy document is "permisive" in nature, i.e., it allows the Internet to be used in a manner that had been prohibited in the past, it does not allow this utilization without a significant degree of planning and coordination by parties desiring to utilize the Internet. For example, paragraph 8 of the policy requires that all organizations subject to OMB Circular A-130 "modify their Security Plan to detail the methodologies and protective measures" that will be used for transmittal and to "adequately test implemented measures." Clearly this will require a specific planning effort. There are also a number of financial, technical and contractual implications that must be considered. Some organizations will have start-up costs associated with hardware and/or software; others may need to work out certain trading partner agreements, etc.

At this time, Medicare health transactions (e.g., claims and remittance advices) between providers and intermediaries/carriers are not to be transmitted over the Internet. Implementation issues remain to be resolved for such transmissions and we will be providing further guidance in the near future.

In summation, the policy does away with the restriction on use of the Internet, but does not give organizations the authority to begin utilizing this media without obtaining full coordination and approval from all parties in the communication process, making allowances for software and/or hardware upgrades or changes, and notifying HCFA of their intent.

A talking-point paper describing highlights of the new policy has also been attached to this memorandum.

All questions should be addressed to Bill Pollak, (410) 786-3018, wpollak@hcfa.gov.

Gary G. Christoph, Ph.D.
2 Attachments