HIPAA compliance requires special focus and effort, as failure to comply carries significant risk of damage and penalties. A practice with multiple separate systems for patient scheduling, electronic medical records, and billing requires multiple separate HIPAA management efforts. This article presents an integrated approach to HIPAA compliance and outlines key HIPAA terminology, principles, and requirements to help the practice owner ensure HIPAA compliance by medical billing service and software vendors.

The last decade of the previous century witnessed an accelerating proliferation of digital technology in health care, which, along with reduced costs and greater service quality, introduced new and greater risks of accidental disclosure of personal health information.

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to establish national standards for the privacy and security of personal health data. The Privacy Rule, written by the US Department of Health and Human Services, took effect on April 14, 2003.

Failure to comply with HIPAA risks accreditation and reputation damage, lawsuits by the federal government, financial penalties ranging from $100 to $250,000, and imprisonment ranging from one year to ten years.

Protected Health Information (PHI)

The key term of HIPAA is Protected Health Information (PHI), which includes anything that can be used to identify an individual and any information shared with other health care providers or clearinghouses in any media (digital, verbal, recorded voice, faxed, printed, or written). Information that can be used to identify an individual includes:

- Name
- Dates (except year)
- Zip code of more than 3 digits, telephone and fax numbers, email
- Social security numbers
- Medical record numbers
- Health plan numbers
- License numbers
- Photographs

Information shared with other healthcare providers or clearinghouses includes:

- Nursing and physician notes
- Billing and other treatment records

Principles of HIPAA

HIPAA intends to allow the smooth flow of PHI for healthcare operations, subject to the patient's consent, but prohibits any unauthorized flow of PHI for any other purpose. Healthcare operations include treatment, payment, care quality assessment, competence review training, accreditation, insurance rating, auditing, and legal procedures.

HIPAA promotes fair information practices and requires those with access to PHI to safeguard it. Fair information practices mean that a subject must be allowed:

- Access to PHI,
- Correction for errors and completeness, and
- Knowledge of others who use PHI

Safeguarding of PHI means that the persons who hold PHI must:

- Be accountable for their own use and disclosure
- Have a legal recourse to combat violations

HIPAA Implementation Process

HIPAA implementation begins with assumptions about the PHI disclosure threat model. The implementation includes both pre-emptive and retroactive controls and involves process, technology, and personnel aspects.

A threat model helps in understanding the purpose of the HIPAA implementation process. It includes assumptions about:

- Threat nature (accidental disclosure by insiders? access for profit?),
- Source of threat (outsider or insider?),
- Means of potential threat (break-in, physical intrusion, computer hack, virus?),
- Specific kind of data at risk (patient identification, financials, medical?), and
- Scale (how many patient records are threatened?).

The HIPAA process must include a clearly stated policy, educational materials and events, clear enforcement means, a schedule for testing of HIPAA compliance, and means for continued transparency about HIPAA compliance. The stated policy typically includes a statement of least-privilege data access needed to complete the job, a definition of PHI, and incident monitoring and reporting procedures. Educational materials may include case studies, control questions, and a schedule of review seminars for personnel.

Technology Requirements for HIPAA Compliance

Technology implementation of HIPAA proceeds in stages from logical data definition to the physical data center to the network. To assure physical data center security, the manager must:

- Lock the data center
- Manage the access list
- Track data center access with closed-circuit TV cameras that monitor both internal and external building activities
- Protect access to the data center with 24 x 7 onsite security
- Protect backup data
- Test the recovery procedure

For network security, the data center must have special facilities for:

- Secure networking - firewall protection, encrypted data transfer only
- Network access monitoring and report auditing

For data security, the manager must have:

- Individual authentication - individual logins and passwords
- Role Based Access Control (see below)
- Audit trails - all access to all data fields tracked and recorded
- Data discipline - limited ability to download data

Role Based Access Control (RBAC)

RBAC improves the convenience and flexibility of systems management. Greater convenience helps reduce the errors of commission and omission in granting access privileges to users. Greater flexibility helps implement the policy of least privilege, where users are granted only as many privileges as are required to complete their job.

RBAC promotes economies of scale, because the role of a single user changes more frequently than the role definitions across the entire organization. Thus, to make a massive change of privileges for a large number of users with the same set of privileges, the administrator only makes changes to the role definition.

Hierarchical RBAC further promotes economies of scale and reduces the likelihood of errors. It allows redefining roles by inheriting the privileges assigned to roles at the higher hierarchical level.

RBAC is based on establishing a set of user profiles or roles according to responsibilities. Each role has a predefined set of privileges. The user acquires privileges by receiving membership in the role or by assignment of a profile by the administrator.

Whenever the definition of a role changes along with the set of privileges required to complete the job associated with the role, the administrator needs only to redefine the privileges of the role. The privileges of all users that have this role are redefined automatically.

Similarly, if the role of a single user is changed, the only operation that needs to be performed is the reassignment of the user profile, which redefines the user's access privileges automatically according to the new profile.

Summary

HIPAA compliance requires special practice management attention. A practice with multiple separate systems for scheduling, electronic medical records, and billing requires multiple separate HIPAA management efforts. An integrated system reduces the complexity of HIPAA implementation. By outsourcing technology to a HIPAA-compliant vendor of a Vericle-like technology solution on an ASP or SaaS basis, HIPAA management overhead can be eliminated (see companion papers on ASP and SaaS for medical billing).

Yuval Lirov, PhD, is the author of "Mission Critical Systems Management" (Prentice Hall, 1997), inventor of multiple patents in artificial intelligence and computer security, and CEO of Billing Technologies. Vericle delivers a comprehensive practice workflow engine that integrates patient scheduling, electronic medical records (EMR), billing, transcription, and compliance management. It improves billing performance and reduces audit risk.
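The hierarchical RBAC mechanics described above (role inheritance, a single role edit propagating to every member, a profile reassignment redefining one user's access, and an audit trail of every access decision) as a small worked model. This is an added example, not code from the article or from Vericle; the role names, privilege names and users are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    privileges: set = field(default_factory=set)
    parent: "Role | None" = None   # hierarchical RBAC: inherit from the parent role

    def effective_privileges(self) -> set:
        # Own privileges plus those of every ancestor role in the hierarchy.
        privs, role = set(), self
        while role is not None:
            privs |= role.privileges
            role = role.parent
        return privs

class Rbac:
    def __init__(self):
        self.roles = {}      # role name -> Role
        self.profiles = {}   # user -> assigned role name (the user's profile)
        self.audit_log = []  # (user, role, privilege, allowed) for every check

    def define_role(self, name, privileges, parent=None):
        self.roles[name] = Role(name, set(privileges), self.roles[parent] if parent else None)
    def redefine_role(self, name, privileges):
        # One edit to the role; every member sees it on their next check.
        self.roles[name].privileges = set(privileges)
    def assign(self, user, role_name):
        self.profiles[user] = role_name   # reassigning the profile is the only step
    def check(self, user, privilege):
        # Each access decision is recorded, as the audit-trail requirement asks.
        role = self.roles[self.profiles[user]]
        allowed = privilege in role.effective_privileges()
        self.audit_log.append((user, role.name, privilege, allowed))
        return allowed

def demo():
    # Constructed roles for a practice (assumed names, not from the article).
    rbac = Rbac()
    rbac.define_role("staff", {"view_schedule"})
    rbac.define_role("biller", {"view_billing"}, parent="staff")
    rbac.define_role("physician", {"view_chart", "edit_chart"}, parent="staff")
    rbac.assign("alice", "biller")
    rbac.assign("bob", "biller")
    before = rbac.check("bob", "submit_claim")   # denied: not in the role yet
    rbac.redefine_role("biller", {"view_billing", "submit_claim"})
    after = rbac.check("bob", "submit_claim")    # granted for all billers at once
    rbac.assign("alice", "physician")            # profile change redefines access
    return before, after, rbac.check("alice", "edit_chart"), rbac.check("alice", "view_billing")
```

Running `demo()` returns `(False, True, True, False)`, and `rbac.audit_log` holds one entry per check, including the denied ones.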