SAN ANTONIO - As the deadline for compliance with the Health Insurance Portability and Accountability Act (HIPAA) looms on the horizon, healthcare institutions and radiology departments must create security and privacy programs. And for PACS and teleradiology users, the need is particularly acute.
"PACS and modality networks have surprisingly poor security," said Dr. Eliot Siegel, chief of imaging at the VA Maryland Health System in Baltimore. Siegel spoke during a session at "PACS 2002: Implementing CR/DR and Integrating the Healthcare Enterprise," a conference sponsored by the department of radiology at the University of Rochester in Rochester, NY.
Among common pitfalls: passwords and user IDs posted on monitors, and users who do not sign off workstations upon completion of a session. This makes it impossible to properly audit user access, Siegel said. In addition, some systems do not audit user queries, and permit universal access to all images on all patients and the entire patient record, he said.
These kinds of shortfalls will need to change, in light of HIPAA's privacy and proposed security regulations. While many consultants don't expect active enforcement by the U.S. Department of Health and Human Services (HHS), civil fines (imposed by the Office of Civil Rights) are capped at $25,000 per calendar year for each provision of the regulations that is violated, Siegel said. And criminal penalties are graduated and increase if an offense is committed under false pretenses or with intent to sell for personal gain.
Of course, achieving HIPAA compliance is something of a moving target. While the final privacy regulations were published on April 14, 2001, final security rules have not yet been published. Healthcare institutions will have two years from the date final rules are published in the Federal Register to comply, with smaller health plans (less than $5 million in annual receipts) having three years.
On July 6, 2001, HHS released a guidance in response to frequently asked questions on its patient-privacy guidelines. Of particular import to radiology departments, HHS said that the use of sign-up sheets is acceptable. In addition, the practice in which institutions place x-ray lightboxes with films in a non-public work area would not be prohibited. This policy would presumably apply to PACS workstations with images, Siegel said.
In addition, radiologists and other healthcare professionals may discuss a patient's condition during teaching rounds in an academic or teaching institution. And as long as practitioners "lower their voices or stand away from other people," they can discuss imaging results over the phone, Siegel said.
Maintaining security
Proposed security regulations require that the hospital, department, or imaging center hire or designate a security officer. A mechanism must be established through which potential or actual incidents of inappropriate data access, use, or disclosure can be reported and investigated, Siegel said.
The institution must also give notice of information practices to patients, and track and audit information on where images are kept, who accesses images, and when they are accessed. Patients must also be permitted to have full access to their medical records, including images, he said.
The facility must also provide a mechanism to capture and track any patient concerns about the confidentiality of their records. Employee backgrounds and identities must be checked before they can gain access to data, Siegel said. A mechanism to apply sanctions and discipline employees who violate patient confidentiality must be formed.
When staff leave the organization, the site must make sure they can't continue to access confidential data. All staff must receive training and sign a privacy agreement, he said.
Institutions need to monitor access and perform audits of who is using the system, and which patient records are being accessed. They also need to implement authentication procedures.
Of practical changes necessitated by HIPAA, facilities need to create a mechanism to ensure that data has not been altered or destroyed. If open networks are used, encryption must be employed, Siegel said. Sites also need to control physical access to health information and certify that computer systems meet security standards.
"If you have information on computer workstations, it has to be in areas where the public can't walk up and sit down at the workstation and have access (to the network)," he said.
Written contingency plans need to be formulated for emergencies. Institutions need to backup their data and have disaster recovery plans in place, Siegel said.
Technology, including biometric identification devices, firewalls, virtual private networks, digital signatures, virus protection, and data encryption, will help, Siegel said. But the largest portion of the proposed HIPAA security regulations deals not with technology, but with personnel and access. These issues are the largest risk to security, he said.
"Even the very best in technological security features are worthless in the hands of poorly trained or unmotivated staff," he said.
And HIPAA compliance won't be cheap, either. Estimates of the cost to the healthcare industry range from $2 billion to $43 billion over the next five years. For the typical radiology or nuclear medicine department, estimates range from $100,000 to $600,000, depending on the size of the practice, Siegel said.
"(And) a lot of people think that's probably a pretty low figure," he said.
By Erik L. Ridley
AuntMinnie.com staff writer
March 18, 2002
Related Reading
HIPAA, IHE are top HIMSS 2002 highlights, February 8, 2002
HIPAA, compliance programs fit like gloves, February 1, 2002
HIPAA extension becomes law, January 10, 2002
A roadmap for implementing HIPAA in radiology, July 26, 2001
HHS pushes 'reasonableness' in HIPAA guidance document, July 19, 2001
Copyright © 2002 AuntMinnie.com
