By Herman Oosterwijk, Myrna Hale, Nicholas Welsh, and Peter Zhang
If you ever decide to print the Health Insurance Portability and Accountability Act (HIPAA) regulations, you might want to stop at the office supply store first and pick up a stack of paper 1 1/2 feet high. That's what you'll need, so who can blame you for thinking that implementation will be just as tall an order.
Bringing HIPAA to radiology will indeed be challenging, but we have found that modeling the department and mapping the regulations to the information flow is an important first step in planning for HIPAA compliance. To get started, you'll need to study the workflow and the related information flow through the department. You must know what information comes in and what goes out to identify the potential impact of security and/or privacy regulations on those information streams.
Zones of information
The best way to visualize this information system is to divide the radiology department into several zones, each having a different priority and use level for the information.
- Zone 1: The radiology department.
- Zone 2: Outpatient clinic, ICU, ER, OR.
- Zone 3: Physicians offices, nursing stations.
- Zone 4: Remote, Web-based access to images.
Zone 1
In the radiology department, the workflow input is orders, which consist of patient demographics as well as order information; the output is a diagnostic report and images that were acquired.
Consider, for example, an ultrasound exam from a security perspective. A technologist should sign on in the morning with an individual password. The acquisition screen with the displayed images should be hidden from the patients.
Institutions might find it necessary to fine-tune their procedural protocols. A common problem: finding previous images still displayed on the screen upon entering the ultrasound room.
A typical ultrasound workflow scenario would involve the ultrasound films either printed locally and hung on an alternator, or sent to a workstation in radiology. Access to the radiology department is protected with a lock on the door or by the requirement for a pass (e.g. card) to enter it. The ultrasound images are backed up on a removable disk and stored in a locked cabinet next to the modality in the room. At that point, the images are sent to the workstation on a private (protected) local area network.
Unfortunately, a few security issues need to be addressed. HIPAA requires audit trails of who accessed what information when. There must be physical access protection for equipment and for the networks that have access to the modalities. If you look around in a department, you might notice wall connectors in almost every room, ready for someone to connect a simple device with a network sniffer (a tool that listens in on network communications and captures selected bits of information for analysis). They could then download all the images from a workstation -- or monitor each image and patient demographic information transfer.
Fortunately, the problems within a department are somewhat localized and manageable. More difficult issues arise as the distribution and access of images and information extend beyond radiology.
Zone 2
Let’s imagine what happens when image distribution and access are extended to Zone 2, a place outside of the department where radiology has certain control (i.e. MR images from the outpatient clinic, portable studies taken in the ICU and/or ER, and C-arm images from the OR.) It's much more difficult to control image display and access in this zone.
For example, some ICUs hang images of current patients on a light box at the entrance to ensure easy accessibility for physicians. Unfortunately, these images are also easily accessible by family members, other visitors, etc.
There is no difference between a light box and a viewing station. While it's easy to blank the screen of a viewing station, this is not always done in routine practice. Remote imaging locales such as emergency rooms are also a constant area of concern. However, providing only soft-copy images in the ER can prevent films from being "borrowed" by the surgeon, cardiologist, etc. Again, proper access controls are critical.
Zone 3
When image access is extended to Zone 3 (physician offices or any nursing station on any hospital floor, etc.), the much-predicted electronic medical record (EMR) will theoretically provide access to information about any patient at any time from any place. The question is, who should receive this information and in what form? Proper access control, authorization, and subsequent audit trails are critical.
Zone 4
Zone 4 is the most challenging scenario, enabling physicians to view images using a Web browser from any place at any time. As you might imagine, many institutions will not allow any image distribution beyond their controlled premises before some serious security and privacy issues can be addressed.
This zone also includes the application service providers (ASPs) that might store your images, the payers who sometimes require reports and/or images as claims attachments, and affiliated institutions that would like access to the images.
Other concerns
What if security procedures fail? For example, what if a physician needs access to information right there, right now, but because there's an emergency he left his access card at home and can't remember his password? In cases like these, the HIPAA regulations allow "shortcuts." However, these special cases must be tracked. The danger is, of course, that emergency procedures might be used regularly for access.
Another major area of concern is the provision of remote access for servicing imaging equipment. This access cuts straight through all zones often via a public phone line or sometimes the Web. Until recently, this type of connection was very common. Even if access is protected and service engineers can only get access after the proper (digital) authorization, they should not pull over images without removing all patient identifiers first. This is an area of great concern, and a special task force from National Electrical Manufacturers Association is looking into it.
By Herman Oosterwijk, Myrna Hale, Nicholas Welsh, and Peter ZhangAuntMinnie.com contributing writers
July 26, 2001
Oosterwijk is president of OTech, a healthcare technology training and consulting firm. Hale, Welsh, and Zhang are students in the medical informatics program at the University of North Texas.
Copyright © 2001 AuntMinnie.com