Under the current guidelines of the U.S. Health Insurance Portability and Accountability Act (HIPAA), a healthcare facility must obtain business-associates agreements with nearly every entity that it works with. This contract ensures that both parties will maintain a chain of trust and safeguard patient-identifiable information. However, there is one entity with whom no contract is necessary: the Grim Reaper.
"According to the current privacy rules, once you become deceased, your (protected health information) no longer needs to be protected," said James Keese, chief privacy officer for Eastman Kodak Health Imaging in Rochester, NY.
For some administrators, just implementing HIPAA may feel like a fate worse than death. With a deadline fast approaching, making HIPAA a reality is crucial. During a presentation at the 2002 American Healthcare Radiology Administrators meeting in New Orleans, Keese offered some essential considerations for getting ready for HIPAA.
What is PHI?
The first step is to determine what elements of an imaging practice are considered protected health information (PHI), or information that can reasonably lead to the identification of a patient. These include the obvious, such as significant dates (birth date, discharge date); significant numbers (Social Security, telephone); and health-plan information (medical records, account numbers). But Internet protocol (IP) addresses, finger and voice-prints, and photographic images fall under the umbrella of PHI.
PHI can be in any format: oral, paper, film, and electronic. Only authorized personnel can access PHI, according to HIPAA. Impermissible disclosure could lead to civil and criminal sanctions.
"The important factor associated with HIPAA is being able to take the necessary steps to minimize the exposure or release of PHI without affecting patient care," Keese said.
The most basic way to handle PHI is to minimize exposure by removing all patient identifiers before transferring information. Another tool is mass sweeping: checking all incoming e-mail and attachments and shared software for viruses; cleaning up all floppy disks before use; and keeping facility virus software up-to-date.
Security basics
Confidentiality, integrity, and availability form the axis of security, Keese said.
"Confidentiality means protecting the information. Integrity means (keeping track) of who is seeing what comes into (your) system, as well as what goes out. You need to identify how you handle sensitive information," he said.
A facility's practices, policies, and procedures must incorporate the security axis. For instance, using passwords, smart cards, and secure-server access to identify and track users means ensuring confidentiality. This is of utmost importance at a facility, such as a teaching institution, where there is a high turnover.
"You may issue user IDs and passwords (to students) that still have active accounts even though they are long gone," according to Keese.
Evidence of a security design, such as airtight PACS data flow and virtual private networks (VPNs) for secure information transfer, takes care of integrity and confidentiality. Secure storage (encryption) also means an appropriate level of integrity and confidentiality.
Finally, availability refers to a plan of action for emergencies and disaster recovery.
The big picture
The power of three comes into play again when a facility ponders what it needs to make HIPAA happen. The first element is the human factor: operational policies and procedures should be in place to handle PHI. Workforce training will be in order here, Keese said.
Technology must be analyzed and possibly upgraded to enable privacy. The latest technology to establish, control, and monitor all external connections must be deployed. Outwitting or shutting down hackers is one technological issue that, if gone unexamined, could seriously jeopardize PHI, he added.
Creating an audit trail for anyone who can access your site’s information is one weapon. Installing secure remote service access for primary connectivity is the safest bet.
Finally, there is the compliance component, which means thinking ahead about a facility's future needs. Important parts of the picture include rearranging information technology resources, emphasizing a network (versus mainframe) strategy, and coming up with an e-business plan. Based on that plan, transform the costs of implementing HIPAA into an investment, Keese suggested.
"(HIPAA) will cost the industry between $14-15 million to implement," Keese said, citing recent regulatory statistics. "However, they also forecast that you’ll save $30 million over 10 years."
Keese recommended seven basic steps for HIPAA implementation:
- Get organized by hiring or appointing a security officer. Achieve buy-in through employee education.
- Develop an assessment plan and conduct data standardization planning sessions for logistical as well as economic purposes.
- Perform an assessment with the goal of meeting security basics.
- Analyze the outcome of the security assessment; flag points of failure or accidental breaches.
- Develop a compliance strategy and look at the enterprise as a whole. Avoid Band-Aid solutions, as they will only require costly retrofitting down the road.
- Remediate and maintain compliance by keeping current with HIPAA updates. For example, in the last week, amendments were implemented into HIPAA regulations, such as removal of mandatory consent requirements. This addition eliminates the need to obtain written consent from patients prior to sending their images via teleradiology.
"Unlike Y2K, this is an ongoing opportunity for you to maintain compliance as well as change with the regulations as time goes on," Keese urged the audience. "It’s not just a one-time deal."
By Shalmali PalAuntMinnie.com staff writer
August 30, 2002
Related Reading
HHS amends HIPAA privacy rule, August 13, 2002
HIPAA final privacy rule drives security implementation, June 7, 2002
HIMSS, AHIMA launch security, privacy certification, May 21, 2002
HIPAA to make challenging, costly demands on radiology, March 18, 2002
Copyright © 2002 AuntMinnie.com
