Separating HIPAA facts from fiction

Erik L. Ridley
May 11, 2003

Ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA) is no simple task, due to the complexity of the legislation itself, and a pervasive lack of training and information complicated by varying interpretations of the regulations. The challenges can be especially daunting for radiology departments, which often come up short in ensuring security, according to Herman Oosterwijk of Dallas-based consulting firm OTech.

"Security is virtually nonexistent in imaging," he said. "Integration is poor, and multiple passwords and/or screens are not uncommon. Single logins are typically nonexistent, making (security) more difficult."

Oosterwijk discussed major HIPAA issues and common misconceptions during a presentation at PACS 2003: Integrating the Healthcare Enterprise, sponsored by the University of Rochester School of Medicine and Dentistry, in San Antonio in March.

HIPAA certainly impacts the practice of digital image management. But contrary to some speculation, the regulations do not prohibit the use of teleradiology, Oosterwijk said.

Images do contain protected health information (PHI), with information contained in the header, including private attributes, Oosterwijk said. And 3-D image reconstruction could reveal the patient's identity, especially when a surface reconstruction is shown.

However, teleradiology fits within HIPAA's treatment, payment, and healthcare operations (TPO) rules, and does not require separate patient consent, Oosterwijk said. Commercial off-the-shelf solutions can handle the necessary security requirements. However, physicians must be treated as business associates (BA) as defined by HIPAA, and require special training requirements and technical measures, he said.

As for demands that all products at an institution be HIPAA-compliant, keep in mind that there's no such thing as a HIPAA-compliant product, Oosterwijk said. Products need to implement security mechanisms in combination with policies and procedures at an institution to achieve HIPAA compliance, he said.

Networking issues

There has been some speculation that HIPAA will shut down the use of modem access for service. Employing centralized access might be more efficient in achieving effective audit trail and authentication procedures, Oosterwijk said.

"(However), modem access could be a cost-effective solution if security mechanisms are implemented (authentication, encryption, logging, and safekeeping of PHI)," Oosterwijk said.

Service organizations are also considered to be business associates according to HIPAA rules, so it's important to make sure that the chain of trust is extended, he said.

It's overkill to force every connection outside the institution to use a virtual private network (VPN), he said. While VPNs are an effective means of encryption and are suitable for many applications, there are also pragmatic, low-cost solutions available, ones that are even part of the DICOM standard.

The ability to have a single technical solution to provide security for all products is also a myth. Oosterwijk suggests that customers require maximum functionality and configurability with their purchases.

"Security implementation depends on where the product is used," he said. "To help categorize these features, it is helpful to consider different (security) zones for the implementations."

These zones would have their own set of rules, policies, and procedures, Oosterwijk said.

The training of staff alone is not sufficient to achieve HIPAA compliance, Oosterwijk said. Security is typically 25% technology and 75% procedures, but can range from 10/90 to 40/60, respectively, he said.

"The trade-off between technology and policies/procedures depends on the cost, environment, and application," Oosterwijk said.

It's also not true that every transaction needs to be logged, he said. Consent is not required to allow PHI access to TPO, such as when an image is sent from a modality to a PACS archive.

However, if an image is sent from a scanner to a doctor's home or copied for a teaching file, for example, care must be exercised.

"Either restrict access and/or the destination or log everything and/or filter real-time," he said.

Sending e-mails to patients and other relevant parties can lead to HIPAA concerns. E-mails of this nature definitely contain PHI and are relatively easy to intercept, Oosterwijk said. Particular care should be exercised when attaching any claims, images, and reports, Oosterwijk said. Secure e-mail mechanisms are available to help.

The use of wireless networking represents a complex security dilemma, owing to its notorious susceptibility to security break-ins, he said. There is a new extension to the wireless standard that includes security.

"Wireless seems ready to take off, with bed-side, PDA applications, etc.," he said. "It will certainly happen, so be prepared."

No more sticky notes

One thing's for sure: HIPAA will render extinct the common practice of attaching yellow sticky notes with login and password information to workstations, Oosterwijk said. It's important to implement sign-off procedures as well as eliminate group sign-in ability. Role-based access should be provided, and access should be removed as personnel leave the institution or no longer need access, he said.

"Rotating residents are especially a challenge," he said. "And make sure to take care of termination policies."

HIPAA also requires implementation of a disaster recovery plan.

"Especially when there have been calamities before, off-site backup and hot-cold spares should be seriously considered," Oosterwijk said.

Providing a patient with images on a compact disk (CD) will not have HIPAA implications, as the patient is ultimately responsible for his or her images. If the CD is used for a teaching file, however, the physician is responsible, Oosterwijk said.

CDs that are sent out must be kept anonymous, with encryption of attributes or the entire disk. Commercial encryption utilities are available, as well as standard DICOM encryption specifications, he said.

"HIPAA is an attitude," he said. "Compliance can only be achieved top-down with a universal awareness. The challenge is sharing information to get many opinions while preserving patient privacy."

Role of consultants

While some might feel that hiring a consultant will solve the problem, HIPAA can't be outsourced, Oosterwijk said. It's the institution -- not the consultant -- that is liable for non-compliance.

"Also, be aware of the 'HIPAA-titus' that some consultants are trying to infect you with," he said. "HIPAA is common sense. It's a pragmatic implementation, and patient care should not be compromised."

Consultants can be helpful in interpreting the regulations and assisting in training and implementing policies and procedures. They can also perform audits and gap analysis, especially for technical components that require dedicated expertise, Oosterwijk said.

By Erik L. Ridley
AuntMinnie.com staff writer
May 12, 2003

Related Reading

Medical privacy rules face bumpy road, April 12, 2003

Patient notification letters: How to keep them hush-hush and HIPAA-compliant, April 2, 2003

HIPAA security: best practices drive implementation roadmap, February 20, 2003

Looming HIPAA rule highlights healthcare business associates, February 11, 2003

HIPAA-related courses and seminars: Worth the time, every time?, November 11, 2002

Copyright © 2003 AuntMinnie.com

Latest in PACS/VNA
Business Deal Handshake
InsiteOne acquires Brit Systems
November 30, 2023
Cyber Informatics 400
What are the benefits of using an AI server downstream of PACS?
November 28, 2023
Amy Thompson of Signify Research.
Enterprise imaging: What is the market opportunity beyond radiology?
October 18, 2023
Gamingmouse
How to hack a gaming mouse for PACS: Group offers guide for rads
October 6, 2023
Related Stories
2003 04 14 17 36 26 706
PACS/VNA
X-rays and the boys of summer: Imaging goes to bat for baseball injuries
2003 02 11 17 35 31 706
PACS/VNA
Misys debuts RIS/PACS initiatives
2003 02 03 17 06 07 706
PACS/VNA
Medical system migration, Part II: New target-architecture design
2003 02 01 16 28 43 706
PACS/VNA
Medical system migration: Developing a new software architecture
More in PACS/VNA
InsiteOne acquires Brit Systems
By AuntMinnie.com staff writers
Cloud-based clinical image management company InsiteOne will acquire BRIT Systems.
November 30, 2023
Business Deal Handshake
What are the benefits of using an AI server downstream of PACS?
By Liz Carey
Funneling image studies through a private AI server creates opportunities for big data research and speeds AI analysis time to reporting.
November 28, 2023
Cyber Informatics 400
Enterprise imaging: What is the market opportunity beyond radiology?
By Amy Thompson
Amy Thompson of Signify Research assesses the future prospects for the enterprise imaging market.
October 18, 2023
Amy Thompson of Signify Research.
How to hack a gaming mouse for PACS: Group offers guide for rads
By Will Morton
High-performance gaming mice offer radiologists multiple custom buttons and superior tracking features that can streamline radiology tasks.
October 6, 2023
Gamingmouse
Sectra posts growth in net sales, revenue in Q1
By AuntMinnie.com staff writers
Enterprise imaging firm Sectra reported strong net sales and revenue growth in the first quarter of 2023, citing deployment of it cloud services for diagnostic imaging.
September 4, 2023
2020 02 20 17 57 8385 Sectra Rsna 2019 400
Rad AI to launch its Omni Reporting software
By AuntMinnie.com staff writers
Rad AI plans to formally launch its Omni Reporting software on September 27.
August 21, 2023
2018 08 01 23 13 1733 Artificial Intelligence Ai 400
Qure.ai and xWave establish strategic partnership
By AuntMinnie.com staff writers
Radiology AI software developer Qure.ai and xWave Technologies have established a strategic partnership focused on improving radiology workflows.
August 15, 2023
2022 06 28 17 16 2885 Hands Shaking3 20230509203239
Sectra inks $227M deal with U.S.-based health system
By AuntMinnie.com staff writers
Enterprise imaging firm Sectra said it has inked a deal valued at $227 million to provide its Sectra One Cloud subscription service for diagnostic imaging to a large U.S.-based health system.
August 15, 2023
2020 02 20 17 57 8385 Sectra Rsna 2019 400
US Radiology Specialists begins recruiting for Connexia
By AuntMinnie.com staff writers
US Radiology Specialists is beginning recruitment for US Radiology Connexia, the company's new teleradiology organization.
August 14, 2023
2022 07 06 17 35 0405 Computer Doctor Patient Video 400
Segmed platform passed 100M studies
By AuntMinnie.com staff writers
Data management vendor Segmed said its Insight cloud-based platform has now surpassed 100 million imaging studies
August 13, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Radsource deploys 10 new ProtonPACS
By AuntMinnie.com staff writers
Radsource completed 10 installations of its ProtonPACS software for new customers in the second quarter of 2023, the company said.
August 9, 2023
2016 08 24 09 43 13 537 Hands Shaking V3 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Page 1 of 775
Next Page