Ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA) is no simple task, due to the complexity of the legislation itself, and a pervasive lack of training and information complicated by varying interpretations of the regulations. The challenges can be especially daunting for radiology departments, which often come up short in ensuring security, according to Herman Oosterwijk of Dallas-based consulting firm OTech.
"Security is virtually nonexistent in imaging," he said. "Integration is poor, and multiple passwords and/or screens are not uncommon. Single logins are typically nonexistent, making (security) more difficult."
Oosterwijk discussed major HIPAA issues and common misconceptions during a presentation at PACS 2003: Integrating the Healthcare Enterprise, sponsored by the University of Rochester School of Medicine and Dentistry, in San Antonio in March.
HIPAA certainly impacts the practice of digital image management. But contrary to some speculation, the regulations do not prohibit the use of teleradiology, Oosterwijk said.
Images do contain protected health information (PHI), with information contained in the header, including private attributes, Oosterwijk said. And 3-D image reconstruction could reveal the patient's identity, especially when a surface reconstruction is shown.
However, teleradiology fits within HIPAA's treatment, payment, and healthcare operations (TPO) rules, and does not require separate patient consent, Oosterwijk said. Commercial off-the-shelf solutions can handle the necessary security requirements. However, physicians must be treated as business associates (BA) as defined by HIPAA, and require special training requirements and technical measures, he said.
As for demands that all products at an institution be HIPAA-compliant, keep in mind that there's no such thing as a HIPAA-compliant product, Oosterwijk said. Products need to implement security mechanisms in combination with policies and procedures at an institution to achieve HIPAA compliance, he said.
Networking issues
There has been some speculation that HIPAA will shut down the use of modem access for service. Employing centralized access might be more efficient in achieving effective audit trail and authentication procedures, Oosterwijk said.
"(However), modem access could be a cost-effective solution if security mechanisms are implemented (authentication, encryption, logging, and safekeeping of PHI)," Oosterwijk said.
Service organizations are also considered to be business associates according to HIPAA rules, so it's important to make sure that the chain of trust is extended, he said.
It's overkill to force every connection outside the institution to use a virtual private network (VPN), he said. While VPNs are an effective means of encryption and are suitable for many applications, there are also pragmatic, low-cost solutions available, ones that are even part of the DICOM standard.
The ability to have a single technical solution to provide security for all products is also a myth. Oosterwijk suggests that customers require maximum functionality and configurability with their purchases.
"Security implementation depends on where the product is used," he said. "To help categorize these features, it is helpful to consider different (security) zones for the implementations."
These zones would have their own set of rules, policies, and procedures, Oosterwijk said.
The training of staff alone is not sufficient to achieve HIPAA compliance, Oosterwijk said. Security is typically 25% technology and 75% procedures, but can range from 10/90 to 40/60, respectively, he said.
"The trade-off between technology and policies/procedures depends on the cost, environment, and application," Oosterwijk said.
It's also not true that every transaction needs to be logged, he said. Consent is not required to allow PHI access to TPO, such as when an image is sent from a modality to a PACS archive.
However, if an image is sent from a scanner to a doctor's home or copied for a teaching file, for example, care must be exercised.
"Either restrict access and/or the destination or log everything and/or filter real-time," he said.
Sending e-mails to patients and other relevant parties can lead to HIPAA concerns. E-mails of this nature definitely contain PHI and are relatively easy to intercept, Oosterwijk said. Particular care should be exercised when attaching any claims, images, and reports, Oosterwijk said. Secure e-mail mechanisms are available to help.
The use of wireless networking represents a complex security dilemma, owing to its notorious susceptibility to security break-ins, he said. There is a new extension to the wireless standard that includes security.
"Wireless seems ready to take off, with bed-side, PDA applications, etc.," he said. "It will certainly happen, so be prepared."
No more sticky notes
One thing's for sure: HIPAA will render extinct the common practice of attaching yellow sticky notes with login and password information to workstations, Oosterwijk said. It's important to implement sign-off procedures as well as eliminate group sign-in ability. Role-based access should be provided, and access should be removed as personnel leave the institution or no longer need access, he said.
"Rotating residents are especially a challenge," he said. "And make sure to take care of termination policies."
HIPAA also requires implementation of a disaster recovery plan.
"Especially when there have been calamities before, off-site backup and hot-cold spares should be seriously considered," Oosterwijk said.
Providing a patient with images on a compact disk (CD) will not have HIPAA implications, as the patient is ultimately responsible for his or her images. If the CD is used for a teaching file, however, the physician is responsible, Oosterwijk said.
CDs that are sent out must be kept anonymous, with encryption of attributes or the entire disk. Commercial encryption utilities are available, as well as standard DICOM encryption specifications, he said.
"HIPAA is an attitude," he said. "Compliance can only be achieved top-down with a universal awareness. The challenge is sharing information to get many opinions while preserving patient privacy."
Role of consultants
While some might feel that hiring a consultant will solve the problem, HIPAA can't be outsourced, Oosterwijk said. It's the institution -- not the consultant -- that is liable for non-compliance.
"Also, be aware of the 'HIPAA-titus' that some consultants are trying to infect you with," he said. "HIPAA is common sense. It's a pragmatic implementation, and patient care should not be compromised."
Consultants can be helpful in interpreting the regulations and assisting in training and implementing policies and procedures. They can also perform audits and gap analysis, especially for technical components that require dedicated expertise, Oosterwijk said.
By Erik L. Ridley
AuntMinnie.com staff writer
May 12, 2003
Related Reading
Medical privacy rules face bumpy road, April 12, 2003
Patient notification letters: How to keep them hush-hush and HIPAA-compliant, April 2, 2003
HIPAA security: best practices drive implementation roadmap, February 20, 2003
Looming HIPAA rule highlights healthcare business associates, February 11, 2003
HIPAA-related courses and seminars: Worth the time, every time?, November 11, 2002
Copyright © 2003 AuntMinnie.com