NEW ORLEANS - The Health Insurance Portability and Accountability Act is hotter than a New Orleans streetcar on a July afternoon. HIPAA presentations are packed to capacity at this week’s Healthcare Information Management and Systems Society meeting, as healthcare information technology experts search for tips on how to comply with the complex new law.
On Monday, HIMSS attendees got the scoop on a real-world implementation of HIPAA’s data security provisions from Rita Aikins, information security and privacy officer in the Oregon region for Providence Health System in Tigard, OR. Providence began preparing for HIPAA two years ago, and in the process made a number of discoveries regarding data security that Aikins shared with the standing-room-only crowd.
Providence’s goal for HIPAA preparedness was to develop a manageable set of policies and procedures that could be implemented in all of its Oregon facilities. Providence took a risk management approach to HIPAA compliance by assessing its current business practices and identifying those that would require reengineering.
The first step is to develop a HIPAA compliance team, according to Aikins. Its organization should reflect the structure of the individual hospital or healthcare system, but there are some commonalities that should be followed, Aikins said. The initiative requires a sponsor, a senior-level executive who has the authority to move the project forward. The team should be multidisciplinary, in order to ensure that everyone who will be affected by the initiative will buy into the compliance effort.
"HIPAA is not an IT problem, and it can’t be solved by IT alone," Aikins said. "You have to have your operational people participating."
With the team in place, an asset inventory should be conducted to determine what types of systems the hospital has in operation. These include software applications, operating systems, hardware, medical equipment, and interfaces. If the facility conducted an asset inventory as part of its Y2K preparedness program, it can be used as the foundation for the HIPAA inventory. Each inventory item should be flagged according to the degree to which it will be affected by HIPAA, she said.
A facility should also examine its existing contracts to ensure that they comply with the security rules. Providence, for example, discovered that it had oral rather than written contracts with external transcription services. Any contracts that could be affected by HIPAA should either have HIPAA-compliant verbiage inserted -- or be rewritten, Aikins said.
Data mapping is the next step of the compliance program. A complete analysis of the flow of patient data can turn up some surprising, and potentially problematic, discoveries. For example, at Providence some departments were sending information out of the health system without the knowledge of other departments.
A vendor inventory is also important for determining the HIPAA-readiness of the health system’s vendors. Like the asset inventory, a healthcare facility’s Y2K readiness mailing can also be used as the foundation for a HIPAA vendor inventory, but timing is important; many vendors are still waiting for the final security standards before starting their compliance efforts, Aikins said.
Sending a mailing before vendors are ready to respond could be a waste of time if vendors aren’t ready to provide detailed information, Aikins said. Providence plans to start its vendor mailing at the end of the second quarter, she said.
Risk assessment
An assessment of the health system’s own level of HIPAA compliance is the next step. Providence chose to use a risk assessment methodology, focusing specifically on the risks involved in two areas: the inadvertent release of healthcare information and the intentional release of healthcare data.
Providence’s risk assessment started with an asset assessment survey, measuring each asset and checking it off against HIPAA’s requirements. An organizational assessment followed, in which the compliance team examined key business functions that crossed departments and looked for the gap between current practices and HIPAA.
The department assessment followed, with the team drilling into the minutiae of daily practice at Providence facilities in the Oregon region. As each risk is uncovered, someone in the department should be designated as the "owner" of the particular problem. That person then becomes responsible for figuring out how to mitigate the risk in compliance with HIPAA procedures, Aikins said.
When the assessment is completed, a threat report is delivered to each department, detailing the risks and suggesting mitigation steps. Good follow-up is key to effective HIPAA implementation, Aikins said. The HIPAA compliance team shouldn’t deliver a threat report and then assume that the problem is taken care of.
Policies and procedures
Policies and procedures are the HIPAA team’s tools for ensuring that the problems uncovered in the risk assessment are addressed in a proactive way and are not replicated across the organization in the future.
Good policies can enable a facility to create best-practices standards that measure the progress each part of the healthcare system is making towards HIPAA compliance. Aikins estimated that policy development was 80% of Providence’s HIPAA compliance effort, with the team ultimately developing 25 policies and more than 50 procedures.
As with the compliance committee, winning the cooperation of other service areas besides IT is crucial, Aikins said. Policies should not be developed by the IT group in isolation and then presented to other departments as a fait accompli. Good policies take existing business practices into account, and are adaptable from organization to organization.
The major categories covered by Providence’s HIPAA policies include health records, information security and confidentiality, information management, technology usage, and hardware use and standards.
With respect to health records, Providence developed guidelines on the release of patient information, the storage and destruction of health records, and patient access to them. In one example, Providence patients can now get copies of their medical records and suggest changes to inaccurate data. Before the compliance effort began, there was no policy covering such changes.
One of the most important features of an information security and confidentiality policy is an incident report form that deals with security breaches, both to information systems and to physical facilities like buildings.
On the information management side, a disaster recovery plan is crucial. Also important is a policy covering media controls, such as the destruction of archive media, both paper and computer-based. At one facility, the Providence compliance team discovered that paper records with patient data on them were being sent to recycling, where they were retrieved by housekeeping staff and used as scratch paper. "They thought they were being thrifty," Aikins said.
Technology use is another area that will require scrutiny in the era of HIPAA compliance. Remote printing and faxing can be a particular problem when documents containing patient data are sent to a device and then not picked up immediately. The problem can be especially acute if the device is located in an area that's accessible to the general public. In one case, lab results were being printed automatically to unattended departments that weren’t locked, making it possible for anyone to go in and pick up results, Aikins said.
Providence has also adopted more restrictive policies on computer usage. The health system had no controls over what kinds of software were being loaded on its computers, a situation that is going to change.
"People won’t be able to go out over the Internet and download their favorite screen saver," Aikins said. "We’ve been told that that won’t be very popular, but you need to tie this down so there are controls."
Laptops and portable computing devices like personal digital assistants (PDAs) are also potential problem areas. Many hospital personnel are buying their own portable devices outside Providence’s purchasing process, making it more difficult for the health system to track their usage.
HIPAA compliance teams should remember that they are responsible not just for fixing individual risks, but for developing a comprehensive policy to address HIPAA. Look at threats at a high level, she advised, to ensure that they're addressed across the entire health system.
"Reengineering means starting over," Aikins said. "Don’t try to fix something in a department that needs to be changed across a region."
By Brian Casey, AuntMinnie.com staff writer
February 7, 2001
Related Reading
Final HIPAA privacy rules could wipe out projected savings, legal experts say, December 22, 2000
HIPAA hopefuls get religion from privacy guru, December 11, 2000
Encryption is key to medical data security, September 19, 2000
Biometrics comes of age as security takes center stage, September 19, 2000
New HIPAA rules portend sweeping changes in medical data security, June 27, 2000
Copyright © 2001 AuntMinnie.com