A practical approach to HIPAA security compliance

Radiology administrators face a multiplicity of issues in the task of ensuring HIPAA security compliance at their facilities. Among the challenges for departments is a lack of access control, especially at modalities. Audit information is often incomplete or nonexistent, and administrators must rely on the various proprietary logs generated by vendors to compile a potentially inadequate and incomplete audit trail of security events.

In addition, each vendor has a different (and time-consuming) method of accessing, searching, and reporting audit information. It is next to impossible to time-synchronize the audit data from multiple vendors to provide a meaningful report.

However, to ensure HIPAA security compliance and handle existing workflow, administrators have a need for comprehensive, centralized auditing. Unfortunately, there is a general lack of funds for developing and implementing a department-wide audit solution.

The compliance approach

Given these constraints, we suggest the following seven steps:

  1. Look to Integrating the Healthcare Enterprise (IHE), sponsored by the RSNA, the Healthcare Information Management Systems Society (HIMSS), and the American College of Cardiology (ACC), for professional compliance guidelines.

  2. Review your facility's security risk assessment/gap analysis, and follow the IHE's Audit Trail and Node Authentication (ATNA) Profile to establish a secure domain.

    A network can be considered secure only when all nodes are secure. To help determine which nodes are secure, we have included a vendor compliance assessment form. Once your vendors complete it, the form will assist you in determining both your short-term compliance requirements, as well as your long-term compliance goals.

    In our experience, we have found that most, if not all, modality nodes are without one or more of the following:

    • User authentication/access control
    • Node authentication
    • Auditing capabilities

    It's important to note that where no user authentication/access control or auditing exists, a security incident can neither be prevented nor detected, nor can sanctions be imposed. This, of course, is contrary to the HIPAA Security Rule and IHE guidelines for security compliance.

  3. Assess the life expectancy and replacement cost of the modality. Decide which units should be upgraded to current security standards and which should be removed from service.

    A "reasonable" cost to upgrade, relative to the cost of the modalities (for example, 2.5%), would likely be considered a "required" expenditure under the HIPAA Security Rule.

  4. For each modality that will stay in service, upgrade with the manufacturer's security product, or a product offered by another vendor.

    Given the upcoming April 20, 2005 compliance date, we recommend immediate attention be given to the item above.

  • Confirm that all other vendor products provide acceptable access control, and that they log the required security data in an audit log, at minimum.

  • Determine if and when vendors intend to adhere to the IHE guidelines so the department can schedule its move to a centralized auditing solution.

    If the time interval is unacceptable or the vendor is not contemplating an IHE upgrade, then look to another company to provide log generating/reading capabilities, along with the capability to send security audit messages to an IHE-compatible central repository.

  • Purchase an IHE-compatible security repository. This will provide a central repository to record, search, and report on security incidents and other audit messages from the upgraded modalities and other IHE-compatible products.

    An IHE-compatible repository gives the department a standalone departmental centralized security audit repository to which all other vendor products will send audit messages as they become IHE-compliant.

  • By Terry Callahan
    AuntMinnie.com contributing writer
    February 10, 2005

    Callahan is managing director of HIPAAT, a Mississauga, Ontario-based firm that offers technology-based solutions to meet the healthcare industry's privacy and security compliance challenges. For further information, HIPAAT can be contacted at 905-405-6299, or via the Web at www.hipaat.com.


    HIPAA Security Rule preamble, Implementation Specifications

    IHE Audit Trail and Node Authentication (ATNA) Profile in the IHE IT Infrastructure Technical Framework

    HIPAA Security Standards

    Disclaimer: HIPAAT should be considered a solution provider and not a HIPAA-compliance authority. All regulatory information contained herein should be verified as to being both accurate and current.

    Related Reading

    HIPAA security: IHE guidelines help ensure compliance, November 26, 2004

    HIPAA compliance encountering rocky road, August 30, 2004

    Analysts offer advice on keeping HIPAA security compliance simple, March 12, 2004

    HIPAA security and privacy compliance concerns, October 23, 2003

    HIPAA TCS standards float in compliance limbo, October 17, 2003

    Copyright © 2005 HIPAAT

    Page 1 of 603
    Next Page