Software Solutions: Don't Look Now: HIPPA's Back in the Spotlight

• By Daniel J. Cho, Emily Morgan
• Mar 01, 2005

It's been awhile since the mention of "HIPAA" was guaranteed to fill a room with an uncomfortable silence and fear of the unknown. After all, the mad scramble over the Transaction Standards is, for the most part, over and the Privacy and Confidentiality Standards have eased their way into widespread use.

But here we are again with another provision and deadline at hand: compliance with the Security and Electronic Signature Standards must be met by April 21, 2005. For those of you who may have forgotten, these regulations relate to the safeguarding of electronic protected health care information (PHI). For a set of rules that may sound difficult to implement, they are surprisingly easy to adhere to since many medical software systems have been in compliance for quite some time.

HIPAA In A Nutshell
The security rules can be summed up as being the privacy standards written specifically for electronically stored data. The regulations define the technical, physical and administrative safeguards required to protect all electronic health information. However, the standards are extremely broad and allow health care professionals to make "addressable" approaches to meet specific rules, an acknowledgement from the government that not every organization runs their office the same way.

On the administrative side, there's very little that must be done since the rules were designed to be flexible with regards to your office workflow. To become compliant with the administrative safeguards you will need to create policies that detail what your office will do to protect electronic data. These policies should be designed to prevent, detect, contain and correct security violations, and must address four required implementation specifications: risk analysis of vulnerabilities, risk management, sanction policy for employees who violate security policies and an information system activity review of audit logs and access reports.

The rule also establishes physical safeguards for computers and networks including Internet-accessible systems containing electronic PHI from unauthorized disclosure, modification or destruction. To this end, organizations need to address access to individual workstations and facilities housing computerized PHI, as well as document all maintenance and modifications performed on the facility. The rule also calls for controls on the receipt, movement and removal of hardware and electronic media that contain PHI, including disposal policies and data backup and storage.

The last of the rules, the technical safeguards, mandate four sets of actions that must be implemented to control and monitor the access to information.

1. All systems must allow for unique user identification and include an emergency access procedure for obtaining electronic data during an emergency.
2. Two forms of transmission security should be in place, including (a) integrity controls that ensure that electronically-transmitted health information is not improperly modified without detection; and (b) data encryption, particularly over the Internet.
3. There needs to be some method in place?hardware, software or procedural?to provide for audit controls.
4. Procedures should be established to protect patient health information from being altered or destroyed, and must include a mechanism to prove that the data has not been tainted.

Connecting Software to HIPAA
The Security Standards are one of the two HIPAA provisions that are directly related to the exchange of protected health information electronically, using computers. The first provision to take effect related to standards over claim and payment information. By now, all software that sends and receives claims should be formatted to the ANSI X12 standards. Now, to address the security issues, medical office software need only comply with the four action sets defined in the technical safeguards.

Many software systems include a mechanism that allows companies to become compliant with the first rule: multi-level security. This is a simple security setting assigned to each individual user that not only allows the software to track that employee's access to PHI, but it also enables management to restrict access to records and system features based on his or her user-level settings. This method, to some extent, also helps compliance on the fourth rule by ensuring that any employees seeking access to PHI has the authentication to do so. Having a system backup should take care of the rest.

The second rule, securing transmissions of PHI, was designed to be addressed on an as-needed basis. For instance, companies concerned about sending eCMNs should ask their software vendors about the measures in place to encrypt and protect data. Those interested in sending PHI in an e-mail are advised to consider the use of encryption technology.

Addressing the audit trail rule does not require your software to keep a log of every activity performed, though systems that do are obviously helping address this requirement. Companies also can remain compliant by implementing hardware or procedural methods for providing activity records.

Medical management systems can help maintain compliance with the technological aspects of the Security Standards, but you also will need to enact new policies and procedures around these software updates. HIPAA compliance requires the combined efforts of covered entities and their partners to ensure the safe usage, exchange and storage of protected health information. While those challenges may at times still seem daunting, most health care executives recognize the positive effects of their implementation. The security provisions now on the immediate horizon provide clear benefits to all health care stakeholders.

This article originally appeared in the March 2005 issue of HME Business.