With enforcement of the Health Insurance Portability and Accountability Act (HIPAA) looming on the medical horizon, nothing is more important than to adhere to strict compliance of privacy and security principles and standards. Virtual Charting 1.x allows you to do just that.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress as an attempt at incremental health care reform. This Act requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for maintenance and transmission of health information that identifies individual patients. HIPAA is an enterprise-wide issue-not an information technology issue. There are legal, regulatory, process, security, and technology aspects to each proposed rule that must be carefully evaluated before an organization can begin its implementation plan.
These standards are designed to:
- Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for specified administrative and financial transactions.
- Protect the security and confidentiality of electronic health information.
The requirements outlined by the law and the regulations promulgated by DHHS are far reaching: all health care organizations that maintain or transmit electronic health information must comply. This includes health plans, healthcare clearinghouses, and healthcare providers, from large integrated delivery networks to individual physician offices.
General Failure to Comply:
- Each Violation: $100.
- Maximum penalty for all violations of an identical requirement: May not exceed $25,000.
Wrongful Disclosure of Individually Identifiable Health Information:
- Wrongful Disclosure offense: $50,000, imprisonment of not more than one year, or both.
- Offense Under False Pretenses: $100,000, imprisonment of not more than 10 years, or both.
- Offense with intent to sell information: $250,000, imprisonment of not more than 10 years, or both.
Accessing information, as everyone in healthcare knows, requires familiarity with a seemingly endless list of procedures and “products”, including claims coding and status, lab results, eligibility data, referral authorizations, outcomes analyses, fraud and abuse measures, and hospital interfacing. Furthermore, proprietary systems, payer-specific requirements, regulatory measures and paper processes make access to patient information difficult.
There are standards that affect health claims and patient encounter information, enrollment and unenrollment in a health plan, health plan eligibility, healthcare payment and remittance advice, health claim status, referral certification and authorization, and coordination of benefits. And with hundreds of versions of these standards in use today, a single provider could have to deal with more than 25 versions. HIPAA will simplify this process by requiring the standardization of all code sets, definitions and data elements through the employment of an unambiguous data dictionary.
Privacy is another matter. Just as consumer access to financial credit information is federally regulated, Congress is promulgating legislation to give citizens control over their own health information. In allowing such information access, HIPAA necessitates the implementation of privacy and security standards and provisions.
The HIPAA security regulations are mainly borrowed from other industries, with modifications for the uniqueness of healthcare. The regulations describe technical solutions that provide solid security for patient information traveling electronically among providers, payers, and other healthcare organizations. The purpose of HIPAA’s stringent security measures is to ensure that patient information is protected from view by anyone other than the intended recipients.
To meet HIPAA’s security and privacy requirements, a secure system must have:
- Authorization: Role-based authorizations (access controls), confidentiality (encryption) and nonrepudiation (digital signatures).
- Authentication: The assurance of a user’s identity, accomplished by the use of a unique identifier (e.g. password, biometric identifier, smart card).
- Audit Trail: A record of all activities occurring in the system, providing a “chain of trust”.
- Secure Data Storage and Transmission: Data security must be maintained during electronic document transmission, with encryption being the likely solution.
- Integrity: Information must be accurate, consistent, and complete.
Summary of HIPAA Security Rules
- 1. Individual Authentication of Users
Every individual in an organization can have a unique identifier (or log-on ID) for use in logging onto the organization’s information systems. Strict procedures shall be established for issuing and revoking identifiers. Where appropriate, computer workstations shall be programmed to automatically log off if idle for a specified period of time.
Healthcare organizations shall move toward implementing strong authentication practices that provide greater security than individual log-on IDs and passwords, such as single-session or encrypted authentication protocols and token-based authentication systems.
Organizations shall move towards enterprise-wide authentication systems in which users need to log on only once during each session and can access any of the system’s functions or databases to which they have access privileges.
All healthcare organizations that use computer-based systems to handle critical records and functions (such as entering physicians’ orders) shall use technologies for electronic authentication that are capable of identifying the individuals who enter or alter information in the electronic record.
Hardware mechanisms and genetic characteristics shall be verified to provide additional strength to the authentication process.
- 2. Access Controls
Procedures shall be in place for ensuring that users can access and retrieve only that information they have a legitimate need to know. Healthcare organizations shall use software tools to help ensure that the information made available to users complies with their access privileges.
- 3. Audit Trails
Organizations shall maintain, in retrievable and usable form, audit trails that log all access to clinical information. The logs shall include the date and time of access, the information or record accessed, and the user ID under which access occurred. Organizations shall establish procedures for reviewing audit logs to detect instances of inappropriate access.
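The audit-trail requirement above fixes three mandatory fields per entry (date and time, record accessed, user ID) and asks for a review procedure that detects inappropriate access. The following is an added illustration, not code from Virtual Charting or the regulation: it parses a constructed log in a hypothetical line format, flags entries missing a mandatory field, and flags accesses to records outside a user's constructed need-to-know assignment.

```python
"""Audit-trail review: flag incomplete entries and accesses outside a
user's need-to-know assignment. Log format and data are constructed."""
from datetime import datetime

# Constructed sample audit log (hypothetical "key=value" format, not from the page).
SAMPLE_LOG = """\
2003-04-14T09:12:03 user=nurse_ann record=PT-1042 action=read
2003-04-14T09:14:51 user=nurse_ann record=PT-1042 action=update
2003-04-14T11:02:17 user=clerk_bob record=PT-1042 action=read
2003-04-14T23:47:05 user=nurse_ann record=PT-2077 action=read
2003-04-14T12:00:00 record=PT-3001 action=read
"""

# Constructed need-to-know assignments: user ID -> records that user may access.
ASSIGNMENTS = {
    "nurse_ann": {"PT-1042"},
    "clerk_bob": set(),
}


def parse_line(line):
    """Parse one entry; return None when the timestamp, user or record is missing."""
    parts = line.split()
    if not parts:
        return None
    try:
        entry = {"timestamp": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None  # no usable date/time: entry fails the mandatory-field check
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        entry[key] = value
    if not all(k in entry for k in ("user", "record")):
        return None
    return entry


def review_audit_log(text, assignments):
    """Return (findings, malformed_count); a finding is one access outside
    the user's assignment, as (timestamp, user, record, action)."""
    findings, malformed = [], 0
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            malformed += 1  # incomplete entries are themselves a compliance gap
            continue
        allowed = assignments.get(entry["user"], set())
        if entry["record"] not in allowed:
            findings.append((entry["timestamp"].isoformat(), entry["user"],
                             entry["record"], entry.get("action", "?")))
    return findings, malformed
```

Run against the constructed log, the review reports two out-of-assignment accesses and one entry that lacks a user ID.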
- 4. Physical Security and Disaster Recovery
Organizations shall limit unauthorized physical access to computer systems, displays, networks and medical records; they shall plan for providing basic system functions and ensuring access to medical records. In the event of an emergency (whether a natural disaster or a computer failure) they shall store backup data in safe places or in encrypted form.
- 5. Protection of Remote Access Points
Organizations with centralized Internet connections shall install a firewall that provides strong, centralized security and allows outside access to only those systems critical to outside users. Organizations with multiple access points shall consider other forms of security protection to protect the host machines that allow external connections.
Organizations shall also require a secure authentication process for remote and mobile users, such as those using home computers. Organizations that do not implement either of these approaches shall allow remote access only over dedicated lines.
- 6. Protection of External Electronic Communications
Organizations shall encrypt all patient-identifiable information before transmitting it over public networks, such as the Internet. Organizations that do not meet this requirement shall either refrain from transmitting information electronically outside the organization or shall do so only over secure dedicated lines. Policies shall be in place to discourage the inclusion of patient-identifiable information in unencrypted e-mail.
- 7. Software Discipline
Organizations shall exercise and enforce discipline over user software. At a minimum, they shall install virus-checking programs on all servers and limit the ability of users to download or install their own software. These technical practices shall be supplemented with organizational procedures and educational campaigns to provide further protection against malicious software and to raise users’ awareness of the problem.
- 8. System Assessment
Organizations shall formally assess the security and vulnerabilities of their information systems on an ongoing basis. For example, they shall run existing “hacker scripts” and password “crackers” against their systems monthly.
- 9. Security and Confidentiality
Organizations shall develop explicit and clear security and confidentiality policies that express their dedication to protecting health information. These policies shall clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed in making a release and the types of people who are authorized to receive information.
- 10. Information Security Officers
Organizations shall identify an information security officer who is authorized to implement and monitor compliance with security policies and practices. The information security officer shall maintain contact with relevant national security organizations.
- 11. Education and Training Programs
Organizations shall establish programs to ensure that all users of information systems receive some minimum levels of training in relevant security practices and knowledge regarding existing confidentiality policies before being granted access to any information systems.
- 12. Sanctions
Organizations shall develop a clear set of sanctions for violations of confidentiality and security policies that are applied uniformly and consistently to all violators, regardless of job title. Organizations shall adopt a zero tolerance policy to ensure that no violation goes unpunished.
- 13. Key Management, Certificate Revocation and Key Recovery
Organizations shall establish an effective key management system, incorporating automatic certificate revocation and key recovery systems to ensure proper authentication.
The HIPAA regulations affect virtually every person who works in the healthcare sector. HIPAA’s security and privacy standards are clear, and failure to comply will be punishable by imprisonment and fines of up to $250,000.
Protecting patient information will be expensive and difficult—but can you afford not to?
Links to HIPAA Resource Sites