New HIPAA rules portend sweeping changes in medical data security

Eric Barnes
Jun 26, 2000

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) will bring major expenses for healthcare providers, but could also be a business boon for information technology vendors, according to a prominent PACS expert.

Speaking at this month’s Symposium for Computer Applications in Radiology, Samuel Dwyer, PhD, of the University of Virginia radiology department, said HIPAA's impact in the U.S. will reflect the enormous number of organizations that must comply. "We're dealing with about 1.2 million healthcare providers, and more than four million health plans," he said. Complying with its data security requirements will cost the average radiology department about $310,000 a year, he said.

Beginning this fall, healthcare organizations across the U.S. will have two to three years to implement the wide-ranging federal legislation. An outgrowth of the Clinton administration's 1993 healthcare reform efforts, HIPAA was passed in 1996 in order to improve access to health insurance, cut fraud and abuse, and lower healthcare costs through administrative simplification.

The latter goal has engendered tough new standards for storing, accessing, and transmitting medical data, with far-reaching implications for radiologists and imaging vendors. The new rules will apply broadly -- to any health plan, clearinghouse, or provider that processes or maintains any health information used in an electronic transmission.

HIPAA's data privacy requirements effectively mandate the development of a national key for encryption and decryption of such information, and identifiers to facilitate a standardized electronic medical record. Both Internet and intranet security are required under the plan, which covers both image data (PACS) and patient medical data (HIS-RIS).

HIPAA contains five major sections, Dwyer said, each designed to safeguard the "integrity, confidentiality, and availability," of medical data, including:

  • Administrative procedures
  • Physical safeguards
  • Technical security services
  • Technical security mechanisms
  • Electronic signatures

Data encryption is the only practical way to ensure security, Dwyer said, which means all patient data will need to be encrypted before it’s transmitted, using techniques such as public key cryptography combined with a digital signature.

Administrative procedures

Administrative requirements begin with certifying all users of a healthcare information technology network, Dwyer said. A "chain-of-trust partner agreement" ensures that every person who handles the information is certified to receive it, he said. The provider must also have a contingency plan for data-loss events. There must be a formal mechanism for records processing and access control, and internal audits to verify that planned security procedures are taking place.

Physical safeguards

Physical data safeguards include security personnel, locked doors, and other physical barriers between healthcare data and unauthorized users, Dwyer said. Other physical access controls include need-to-know rules for personnel access, visitor sign-in and escort procedures, equipment control, and procedures to verify authorization prior to physical access.

Equipment access can require anything from a password to biometric authorization, such as matching a stored image of the user's retina or hand. However, every method has its strengths and drawbacks. For example, access based on weight proved problematic when users would return from a big lunch to find they could no longer log into their workstations, Dwyer said.

Technical security services and mechanisms

Technical security services include role- or user-based access, data authentication, and entity authentication procedures such as automatic logoff, biometric controls, PINS and passwords, and telephone callback schemes, among others.

Technical mechanisms also guard against unauthorized access via alarms, audit trails, encryption, entity authentication, abnormal-event reporting, integrity controls, and message authentication.

Other issues

Even after the HIPAA final rules are published in late summer or early fall (Title 45 Part 142, Code of Federal Regulations), the work needed to fully implement them will be far from complete. Several organizations are still developing data security standards needed for implementation, Dwyer said. These include the Digital Imaging and Communications in Medicine (DICOM) standards committee.

In addition, the CPRI-HOST consortium is working with the National Information Assurance Partnership and others to develop common criteria and protection profiles. The National Institute of Standards and Technology in Gaithersburg, MD, is developing common criteria to describe the security requirements and profiles to measure system security in healthcare organizations.

Congressional hearings were held this month to address security for medical data moving across the Internet. Several industry leaders have testified about the solutions needed in light of HIPAA; by all estimates it will be expensive.

"Medicaid has estimated a cost of $1 million per state to implement the requirements," Dwyer said. Two new full-time personnel will be needed in the average institutional radiology department. With software, hardware, and consultant costs, the total annual bill comes to about $310,000 for a department.

As soon as a facility connects to the Internet, "it opens a whole new can of worms," Dwyer said. New security components must be added, software protected, hardware secured, and firewalls built. Many medical centers circumvent the whole issue by hiring external providers who guarantee security as part of their service, Dwyer said.

Firewalls reduce risk to network servers by filtering services, providing access control, and watching for viruses spread via e-mail. The importance of virus monitoring cannot be overemphasized in the wake of the recent ILOVEYOU and Melissa virus fiascoes, Dwyer said.

Institutions need to be flexible in applying security measures, he said. It’s important to get the support of workers, and avoid having security procedures get in the way of work. But a lack of security can be even more serious, Dwyer noted, citing the case of a healthcare services employee who brought her 15-year-old to work one day.

"Her daughter was a computer wizard who was able to look up all the patient names and arrange to send them letters saying they had AIDS," he said.

By Eric Barnes
AuntMinnie.com staff writer
June 27, 2000

Related Reading

HIPAA survival manual available on the Web, June 19, 2000

HIS executives to focus on HIPAA, e-health, April 10, 2000

Latest in IS
2017 03 30 15 16 56 745 Mammogram Calendar 400
Can self-scheduling and referral close breast cancer screening gaps?
July 31, 2023
2018 11 19 17 20 4754 Back Pain 400
Simple EHR intervention reduces unnecessary lower-back x-rays
July 30, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Amazon Web Services releases imaging data platform
July 25, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
Online course teaches students about appropriate imaging use
July 19, 2023
Related Stories
Back To Top
IS
Vocal Discord: voice recognition technology dictates expanded role for radiologists
More in IS
Can self-scheduling and referral close breast cancer screening gaps?
By Amerigo Allegretto
Online patient portal self-scheduling and self-referral methods can help mitigate health disparities in breast cancer screening, according to research published July 26 in the Journal of the American College of Radiology.
July 31, 2023
2017 03 30 15 16 56 745 Mammogram Calendar 400
Simple EHR intervention reduces unnecessary lower-back x-rays
By Kate Madden Yee
A relatively simple electronic health record (EHR) intervention reduces the incidence of unnecessary x-rays for patients presenting with low back pain, a study published July 28 in the Journal of the American College of Radiology has found.
July 30, 2023
2018 11 19 17 20 4754 Back Pain 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Online course teaches students about appropriate imaging use
By Amerigo Allegretto
An online elective course can effectively educate radiology students on the concept of appropriateness in medical imaging, according to an Israeli study published July 18 in Academic Radiology.
July 19, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
CMS proposes radiology reimbursement cuts, AUC pause for 2024 MPFS
By Erik L. Ridley
In what has seemingly become an annual event, the U.S. Centers for Medicare and Medicaid Services (CMS) has once again included radiology reimbursement cuts in its Medicare Physician Fee Schedule (MPFS) Proposed Rule.
July 13, 2023
2019 07 31 17 01 7432 Medicare Puzzle 400
Summary reports improve CT planning for ovarian cancer surgery
By Kate Madden Yee
A synoptic, or summary radiology report, improves pretreatment CT planning for patients with advanced ovarian cancer compared to a simple structured report, according to a study published on July 12 in the American Journal of Roentgenology.
July 12, 2023
2023 07 12 19 50 6142 2023 07 12 Ajr Ct Ovarian 400
PET/CT shows value in patients with portal vein thrombosis
By Will Morton
PET/CT could be a valuable new imaging technique for distinguishing benign from malignant portal vein thrombosis in liver cirrhosis patients, according to a group in Egypt.
June 26, 2023
2023 06 22 23 04 9721 2023 06 23 Pet Pvt 20230622231003
Ransomware affects emergency radiology workflows
By Amerigo Allegretto
Ransomware attacks have a significant effect on emergency radiology workflows, as well as on acute care delivery and the personal well-being of healthcare providers, according to a study published June 15 in the Annals of Emergency Medicine.
June 19, 2023
2021 08 10 16 10 2928 Cybersecurity Lock V2 400
SIIM: Can Microsoft Teams lessen radiologist interruptions?
By Erik L. Ridley
AUSTIN, TX - Asynchronous forms of communication such as Microsoft Teams are much less disruptive to radiologists than phone calls or in-person visits, according to a talk delivered at the annual Society for Imaging Informatics in Medicine (SIIM) meeting.
June 18, 2023
2020 04 16 18 17 3383 Radiologist Ct Scan Brain Tumor 400
Turing debuts MRI visual feedback module at ISMRM 2023
By AuntMinnie.com staff writers
Neuroimaging software company Turing Medical Technologies (formerly Nous Imaging) used the venue of ISMRM 2023 in Toronto to launch FIRMM-pix, an in-bore visual feedback module designed to actively reduce head motion during brain MRI scans.
June 8, 2023
2023 01 30 21 50 9506 Computer Display Monitor Lab Mri V2 400
ImagineSoftware acquires Within Health
By AuntMinnie.com staff writers
Radiology billing and RIS developer ImagineSoftware has acquired artificial intelligence software developer Within Health. Terms of the deal were not disclosed.
May 23, 2023
2020 08 20 17 37 8876 Business Handshake Man 400
DetectedX touts learning platform success
By AuntMinnie.com staff writers
DetectedX is highlighting that the user base for its Radiology Online Learning Centre has exceeded 4,500 users, which the company says range from large radiology groups to individuals around the world.
May 3, 2023
2020 06 16 22 09 9134 Doctor Virtual Meeting Laptop Computer 400
Page 1 of 603
Next Page