HIPAA final privacy rule drives security implementation

Jonathan S. Batchelor
Jun 6, 2002

NAPLES, FL - Once again, the U.S. government has put the cart before the horse. The Centers for Medicare and Medicaid Services (CMS) issued the final privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) before it released the final rule on security. Unfortunately for radiology administrators, privacy cannot be assured without security, and the final security rule isn’t expected until sometime later this summer.

"Privacy defines who is authorized to access information, which is the right of individuals to keep information about them from being disclosed," said Cynthia Smith, senior manager of HIPAA security services for PricewaterhouseCoopers in Pittsburgh.

"In essence, it is about the individual’s right to exercise control over their health information," she said. "Security is the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss."

Smith offered her views on the impact of the final privacy rule on security implementation at the 2002 Radiology Business Management Association summit this week.

With the April 2003 implementation deadline less than 10 months away, administrators and their facilities are running out of time to prepare for what amounts to a sea change in business practices. If an imaging center waits until the final security rule is published in August to start implementing its security plan, it will probably have waited too long to meet the April 2003 deadline, Smith said.

Close enough to final

While the security rule isn’t final, there is enough substance in the proposed rule to build a HIPAA security backbone, according to Smith. The rest of the body of security can be derived by looking at what assets the final privacy rule sets out to protect.

"The commonalities of the privacy and security rules are what an administrator should look at to define their implementation policy. For example, security boundaries are established by who and what is covered in the privacy rule," she said.

Safeguarding protected health information is another issue common to both privacy and security rules. Both rules also share the administrative responsibilities of documentation via procedures and policies, training requirements for staff and management, and the responsibilities of trading partners and business associates.

"For example, a business associate contract must be in place for any contractors who receive or can access protected health information from a covered entity in order to perform a function for or on behalf of the covered entity," Smith said. "This means an imaging center will need to have contracts in place for its designated providers, brokers, IT vendors, external review services, translation services, document-management vendors, and PACS and RIS vendors."

Synergy and symbiosis

The final security rule will be in harmony with the final privacy rule. As administrators hammer out the appropriate administrative, technical, and physical protections to safeguard protected health information for privacy, they can use much of this work to draft security policies and procedures.

The proposed security rule is technologically neutral in that each organization gets to determine the technology to achieve the outcome. However, the requirements are comprehensive, not piecemeal, so a facility will need to think of its security in both a systemic- and role-based model, according to Smith.

Because the rule does not prescribe security implementation, each center has latitude in making its implementation decisions. The proposed rule does call for a covered entity to enact measures reasonably required to protect health information from intentional or unintentional violations.

"No matter what decisions your facility comes up with in regards to privacy and security, be sure to thoroughly justify and document each and every decision," Smith said.

One of the first crossover areas from the privacy rule to the security rule that Smith suggested tackling is to match minimum access with each job description. By defining role-based access levels for privacy, a facility can then implement the security necessary to ensure access for those roles only at their assigned level.

Tracking, trailing, and training

The privacy rule requires accounting of each disclosure of protected health information. Likewise, the proposed security rule requires audit trails for access of this information, with no implementation provision.

"File access, log-on, log-off, and security instances are provided as examples of auditable events in the proposed regulation. A good rule of thumb is that if the regulation suggests something, you should probably do it," said Smith.

Privacy policies should be in writing, and designed to facilitate compliance with the rule. It’s reasonable to assume that general security policies addressing personal, physical, and technical safeguards will also need to be documented. And both sets of policies will need a formal mechanism in place to reflect revisions and changes to the organization and its workflow.

"Whereas the privacy rule will probably require individual policies in place for each job title within your organization, you can probably have one security policy in place for your end users. A separate set of policies will, however, be required for your information systems (IS) department," Smith said.

Smith recommended taking the following items into consideration in devising security policy and procedure:

  • Contingency planning and disaster recovery

  • Security incident handling

  • Formal record processing

  • Risk analysis and management

  • Audit trails and monitoring

  • Media controls

  • Personnel security and termination

  • Configuration and change management

  • System and physical access controls

  • Workstation location and use

  • Awareness training

The privacy rule requires training for employees, agents, and contractors of an organization on the policies and procedures used to safeguard protected health information. Security awareness training will also need to be conducted for these individuals and representatives.

"Your group will need to determine and document what precisely is a security incident, such as sharing a password with another employee, and where, when, and in what format it must be reported. You’ll then need to train your users in what is expected from them, and you’ll need to create a mechanism for ongoing reminders," said Smith.

Smith recommended customizing the security training for job responsibilities in the facility. The broad focus of the training should be on the issues of use, confidentiality, and security. The specifics should be about password management, virus control, and incident reporting.

"For the purposes of radiology business managers and administrators in HIPAA compliance and implementation, both the privacy and security rules address the processes for safeguarding health information. The bottom line is that privacy is the rule and security supports the rule," said Smith.

By Jonathan S. Batchelor
AuntMinnie.com staff writer
June 7, 2002

Related Reading

Security planning can prevent PACS attacks, May 3, 2002

CMS issues model for extending transaction code compliance, April 1, 2002

HIPAA to make challenging, costly demands on radiology, March 18, 2002

HIPAA, compliance programs fit like gloves, February 1, 2002

A roadmap for implementing HIPAA in radiology, July 26, 2001

Copyright © 2002 AuntMinnie.com

Latest in PACS/VNA
Business Deal Handshake
InsiteOne acquires Brit Systems
November 30, 2023
Cyber Informatics 400
What are the benefits of using an AI server downstream of PACS?
November 28, 2023
Amy Thompson of Signify Research.
Enterprise imaging: What is the market opportunity beyond radiology?
October 18, 2023
Gamingmouse
How to hack a gaming mouse for PACS: Group offers guide for rads
October 6, 2023
Related Stories
2002 05 30 14 17 48 706
PACS/VNA
The PACS soft sell
2002 04 10 14 30 27 706
PACS/VNA
From planning to PACS: A community hospital's journey
2002 04 02 15 21 10 706
PACS/VNA
IHE expands into new domains in Year 4
2002 03 20 12 27 26 706
PACS/VNA
The European PACS market: The best is yet to come
More in PACS/VNA
InsiteOne acquires Brit Systems
By AuntMinnie.com staff writers
Cloud-based clinical image management company InsiteOne will acquire BRIT Systems.
November 30, 2023
Business Deal Handshake
What are the benefits of using an AI server downstream of PACS?
By Liz Carey
Funneling image studies through a private AI server creates opportunities for big data research and speeds AI analysis time to reporting.
November 28, 2023
Cyber Informatics 400
Enterprise imaging: What is the market opportunity beyond radiology?
By Amy Thompson
Amy Thompson of Signify Research assesses the future prospects for the enterprise imaging market.
October 18, 2023
Amy Thompson of Signify Research.
How to hack a gaming mouse for PACS: Group offers guide for rads
By Will Morton
High-performance gaming mice offer radiologists multiple custom buttons and superior tracking features that can streamline radiology tasks.
October 6, 2023
Gamingmouse
Sectra posts growth in net sales, revenue in Q1
By AuntMinnie.com staff writers
Enterprise imaging firm Sectra reported strong net sales and revenue growth in the first quarter of 2023, citing deployment of it cloud services for diagnostic imaging.
September 4, 2023
2020 02 20 17 57 8385 Sectra Rsna 2019 400
Rad AI to launch its Omni Reporting software
By AuntMinnie.com staff writers
Rad AI plans to formally launch its Omni Reporting software on September 27.
August 21, 2023
2018 08 01 23 13 1733 Artificial Intelligence Ai 400
Qure.ai and xWave establish strategic partnership
By AuntMinnie.com staff writers
Radiology AI software developer Qure.ai and xWave Technologies have established a strategic partnership focused on improving radiology workflows.
August 15, 2023
2022 06 28 17 16 2885 Hands Shaking3 20230509203239
Sectra inks $227M deal with U.S.-based health system
By AuntMinnie.com staff writers
Enterprise imaging firm Sectra said it has inked a deal valued at $227 million to provide its Sectra One Cloud subscription service for diagnostic imaging to a large U.S.-based health system.
August 15, 2023
2020 02 20 17 57 8385 Sectra Rsna 2019 400
US Radiology Specialists begins recruiting for Connexia
By AuntMinnie.com staff writers
US Radiology Specialists is beginning recruitment for US Radiology Connexia, the company's new teleradiology organization.
August 14, 2023
2022 07 06 17 35 0405 Computer Doctor Patient Video 400
Segmed platform passed 100M studies
By AuntMinnie.com staff writers
Data management vendor Segmed said its Insight cloud-based platform has now surpassed 100 million imaging studies
August 13, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Radsource deploys 10 new ProtonPACS
By AuntMinnie.com staff writers
Radsource completed 10 installations of its ProtonPACS software for new customers in the second quarter of 2023, the company said.
August 9, 2023
2016 08 24 09 43 13 537 Hands Shaking V3 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Page 1 of 775
Next Page