A practical approach to HIPAA security compliance

Radiology administrators face a multiplicity of issues in the task of ensuring HIPAA security compliance at their facilities. Among the challenges for departments is a lack of access control, especially at modalities. Audit information is often incomplete or nonexistent, and administrators must rely on the various proprietary logs generated by vendors to compile a potentially inadequate and incomplete audit trail of security events.

In addition, each vendor has a different (and time-consuming) method of accessing, searching, and reporting audit information. It is next to impossible to time-synchronize the audit data from multiple vendors to provide a meaningful report.

However, to ensure HIPAA security compliance and handle existing workflow, administrators have a need for comprehensive, centralized auditing. Unfortunately, there is a general lack of funds for developing and implementing a department-wide audit solution.

The compliance approach

Given these constraints, we suggest the following seven steps:

  1. Look to Integrating the Healthcare Enterprise (IHE), sponsored by the RSNA, the Healthcare Information Management Systems Society (HIMSS), and the American College of Cardiology (ACC), for professional compliance guidelines.

  2. Review your facility's security risk assessment/gap analysis, and follow the IHE's Audit Trail and Node Authentication (ATNA) Profile to establish a secure domain.

    A network can be considered secure only when all nodes are secure. To help determine which nodes are secure, we have included a vendor compliance assessment form. Once your vendors complete it, the form will assist you in determining both your short-term compliance requirements, as well as your long-term compliance goals.

    In our experience, we have found that most, if not all, modality nodes are without one or more of the following:

    • User authentication/access control
    • Node authentication
    • Auditing capabilities

    It's important to note that where no user authentication/access control or auditing exists, a security incident can neither be prevented nor detected, nor can sanctions be imposed. This, of course, is contrary to the HIPAA Security Rule and IHE guidelines for security compliance.

  3. Assess the life expectancy and replacement cost of the modality. Decide which units should be upgraded to current security standards and which should be removed from service.

    A "reasonable" cost to upgrade, relative to the cost of the modalities (for example, 2.5%), would likely be considered a "required" expenditure under the HIPAA Security Rule.

  4. For each modality that will stay in service, upgrade with the manufacturer's security product, or a product offered by another vendor.

    Given the upcoming April 20, 2005 compliance date, we recommend immediate attention be given to the item above.

  5. Confirm that all other vendor products provide acceptable access control, and that they log the required security data in an audit log, at minimum.

  6. Determine if and when vendors intend to adhere to the IHE guidelines so the department can schedule its move to a centralized auditing solution.

    If the time interval is unacceptable or the vendor is not contemplating an IHE upgrade, then look to another company to provide log generating/reading capabilities, along with the capability to send security audit messages to an IHE-compatible central repository.

  7. Purchase an IHE-compatible security repository. This will provide a central repository to record, search, and report on security incidents and other audit messages from the upgraded modalities and other IHE-compatible products.

    An IHE-compatible repository gives the department a standalone departmental centralized security audit repository to which all other vendor products will send audit messages as they become IHE-compliant.
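As an added illustration of what the central repository in steps 5 through 7 has to do (this is example code, not the article's or HIPAAT's), the following consumer takes RFC 3881-style audit messages as ATNA nodes emit them, normalizes each vendor's EventDateTime to UTC so events from different modalities can be ordered in one trail, and flags events that name no requesting user. The device names, user IDs, and messages are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample messages from two hypothetical vendor nodes: mixed UTC
# offsets, out-of-order arrival, and one query that names no requesting user.
SAMPLE_MESSAGES = [
    '<AuditMessage><EventIdentification EventActionCode="E" '
    'EventDateTime="2005-02-10T09:15:02-05:00" EventOutcomeIndicator="0">'
    '<EventID code="110114" codeSystemName="DCM" displayName="User Authentication"/>'
    '</EventIdentification><ActiveParticipant UserID="tech01" UserIsRequestor="true"/>'
    '<AuditSourceIdentification AuditSourceID="CT-VENDOR-A"/></AuditMessage>',
    '<AuditMessage><EventIdentification EventActionCode="R" '
    'EventDateTime="2005-02-10T14:12:40+00:00" EventOutcomeIndicator="0">'
    '<EventID code="110112" codeSystemName="DCM" displayName="Query"/>'
    '</EventIdentification>'
    '<AuditSourceIdentification AuditSourceID="MR-VENDOR-B"/></AuditMessage>',
    '<AuditMessage><EventIdentification EventActionCode="E" '
    'EventDateTime="2005-02-10T09:14:30-05:00" EventOutcomeIndicator="8">'
    '<EventID code="110114" codeSystemName="DCM" displayName="User Authentication"/>'
    '</EventIdentification><ActiveParticipant UserID="tech02" UserIsRequestor="true"/>'
    '<AuditSourceIdentification AuditSourceID="CT-VENDOR-A"/></AuditMessage>',
]

def parse_audit_message(xml_text):
    """Extract the fields a central repository needs, with the time in UTC."""
    root = ET.fromstring(xml_text)
    event = root.find("EventIdentification")
    when = datetime.fromisoformat(event.get("EventDateTime")).astimezone(timezone.utc)
    requestor = root.find("ActiveParticipant[@UserIsRequestor='true']")
    source = root.find("AuditSourceIdentification")
    return {
        "utc": when,
        "source": source.get("AuditSourceID") if source is not None else None,
        "event": event.find("EventID").get("displayName"),
        "action": event.get("EventActionCode"),
        "outcome": int(event.get("EventOutcomeIndicator", "0")),  # 0 = success
        "user": requestor.get("UserID") if requestor is not None else None,
    }

def build_audit_trail(messages):
    """Merge messages from every node into one trail ordered by UTC time."""
    return sorted((parse_audit_message(m) for m in messages), key=lambda e: e["utc"])

def unattributable_events(trail):
    """Sources of events with no requesting user: nobody can be sanctioned."""
    return [e["source"] for e in trail if e["user"] is None]

if __name__ == "__main__":
    for e in build_audit_trail(SAMPLE_MESSAGES):
        print(e["utc"].isoformat(), e["source"], e["event"], e["user"], e["outcome"])
```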

By Terry Callahan
AuntMinnie.com contributing writer
February 10, 2005

Callahan is managing director of HIPAAT, a Mississauga, Ontario-based firm that offers technology-based solutions to meet the healthcare industry's privacy and security compliance challenges. For further information, HIPAAT can be contacted at 905-405-6299, or via the Web at www.hipaat.com.

References

HIPAA Security Rule preamble, Implementation Specifications

IHE Audit Trail and Node Authentication (ATNA) Profile in the IHE IT Infrastructure Technical Framework

HIPAA Security Standards

Disclaimer: HIPAAT should be considered a solution provider and not a HIPAA-compliance authority. All regulatory information contained herein should be verified as to being both accurate and current.


Copyright © 2005 HIPAAT
