Taking Another Look at HIPAA and I.T.
Providers and payers are taking steps to ensure they remain compliant with the HIPAA security rule.
By Joseph Goedert, News Editor
October 01, 2005
Courtesy of Health Data Management
Like many provider organizations, Ellis Hospital in Schenectady, N.Y., has instituted many policy and technology changes to comply with the HIPAA privacy and security rules. One change, which has been common among HIPAA covered entities, was to mandate unique usernames and passwords for clinicians accessing protected health information electronically at a workstation.
However, now that the security rule's April 20 compliance deadline has come and gone, Ellis Hospital and many other covered entities are taking another look at their policies to see if they need refinement. They also are hunting for continued areas of weak security in their information infrastructures.
"We're looking to see where we can improve, or if we went overboard," explains Mark McGill, network engineer at the 368-bed facility.
Ellis Hospital, for example, is not going to let clinicians go back to using a common username and password to access information systems. But officials do understand the adverse effect on workflow when clinicians must log out of one application before logging into another. "We have to meet them somewhere in the middle," he adds.
That's why the hospital now is considering single-sign-on technology and proximity cards as ways to ease data access while continuing to safeguard patient information.
To be successful, policy review must be an ongoing process when seeking to comply with the security rule, McGill says. That's because as changes occur in an organization, they affect data security, he explains. Changes also affect the documentation requirements of the security rule because an organization must provide evidence it's in compliance.
"Policy review is a changing and growing matter," he adds. "If you don't keep documentation up to date, it's useless."
Constant vigil
With compliance deadlines for the security and privacy rules past, covered entities cannot sit on their accomplishments to date, says William Gillespie, vice president and CIO of WellSpan Health, a two-hospital delivery system in York, Pa. "We felt we hit the bar with reasonable compliance in April, but now we have to do more."
That means identifying and fixing holes in the security net via new or revised policies, or new technologies. WellSpan recently implemented user provisioning software from Framingham, Mass.-based Courion Corp., enabling unit managers and other leaders to handle the process of assigning usernames, passwords and role-based access.
The administration group for WellSpan's picture archiving and communication system, not the I.T. department, already has been managing day-to-day operations of the delivery system's PACS, and now manages access to the application via the provisioning software.
Decentralized provisioning gives unit leaders more control over who is accessing what information within their areas, Gillespie says. What's more, it reduces a constant headache for the I.T. department. "Our No. 1 call from users is about password problems."
Many covered entities are not resting on their laurels after weathering the privacy and security rule deadlines. Here's how several are continuing to raise the bar on their level of compliance:
A TPA's task
Just before the security rule deadline, Corporate Benefit Services of America Inc. still was implementing new technology to further protect information. The Minneapolis-based third-party administrator serving 500 employers with 400,000 covered lives viewed the deadline as a period by which covered entities should have addressed security issues to some degree, says LaForest Sherman, HIPAA project manager.
But more work remained because there's no hard and fast rule about when an organization's data is secure enough. "When do you have a garden?" Sherman asks. "Is it when you plow it? Is it when you plant carrots and potatoes?"
That's why as the deadline approached, Corporate Benefit Services was implementing secure messaging software from San Mateo, Calif.-based Secure Data in Motion Inc., also known as Sigaba.
The vendor's secure e-mail software is replacing a cumbersome file transfer protocol system the TPA used to securely communicate with clients. And the vendor's secure Web portal lets clients access their own data.
On the policy front, Corporate Benefit Services now is working to standardize the reporting and documentation of security incidents. "The policies are in place, but are not as well organized as we'd like," Sherman says. "For instance, we want a central log for incident data."
On-demand policy checks
To ensure new or modified information systems adhere to organizational and regulatory policies, Catholic Health System uses network monitoring software from San Mateo, Calif.-based Elemental Security Inc.
The Buffalo, N.Y.-based 10-hospital delivery system has written policies into the monitoring software, says Doug Torre, director of networking and technical services. "The software monitors network activity to determine if organizational or regulatory policies are being followed," he explains. "It provides a compliance score and reporting for audit purposes."
Because policies are routinely updated and new applications are regularly added to Catholic Health's network, I.T. personnel can query which applications are compliant with policies and software patches. "Networks are very dynamic," he adds. "They're changing all the time."
Some organizations may be comfortable conducting a network risk assessment on a quarterly or semi-annual basis, Torre notes. But Catholic Health implemented the monitoring software as part of a continuing effort to go beyond "base compliance" with the security rule.
"Security is a matter of risk reduction," he says. "This tool allows us to monitor, mitigate and understand our risk. It gives us a much higher level of assessment."
To further strengthen security on an ongoing basis, Catholic Health is looking to enhance e-mail encryption. The delivery system also is investing in additional layers of information security redundancy for disaster recovery/business continuity purposes, Torre adds. "The return is there because the cost of the risk is greater than the investment."
Contingency planning is lagging in many security rule compliance efforts across the nation, contends Lesley Berkeyheiser, a principal at The Clayton Group, a Glen Mills, Pa.-based consulting firm. "People will always be people and hate planning for negative events."
At the same time, though, many other organizations are starting to take a better look at their contingency plans, Berkeyheiser adds. This is an area of ongoing activity to enhance the depth of knowledge and the efficacy of plans, she says.
Evaluating policies
Cardiovascular Management of Illinois spent the first week of August conducting a complete policy evaluation of its office. About one-third of the review covered HIPAA privacy and security policies, says Cathie Biga, president and CEO.
The Woodridge, Ill.-based firm manages West Suburban Cardiologists Ltd., a six-site, 23-physician group practice in the Chicago metropolitan area. Policies reexamined included, among others, acceptable e-mail and Internet usage, loaning of software, and the use of screen savers.
The evaluation found that some physicians were exchanging e-mails with patients, a prohibited practice until the organization implements secure messaging and encryption software, Biga says.
"We reaffirmed the prohibition on e-mail," she adds, "and re-educated physicians on the importance of not using e-mail to communicate with their patients."
Continuing HIPAA compliance takes some effort, but the task is relatively easy, Biga contends. Consciously defending the privacy and security of protected health information now is one of many universal precautions (like putting on gloves) in a provider organization, she notes. "It's now just part of doing business."
To make sure it remains so, a brief HIPAA refresher course is part of the annual employee review process at Cardiovascular Management and many other health care organizations. "It's not a huge extra step, it's simply become a part of our review process," Biga says.
Dual-use technology
Early this year, Camino Medical Group in Sunnyvale, Calif., installed network monitoring software from NetIQ Corp., San Jose, Calif. The 200-physician, 15-location group practice did so because the security rule requires covered entities to maintain a high degree of information systems availability, says Richard Navarro, information technology manager.
Now, the monitoring software, which includes incident management tools, also serves as an ongoing compliance tool to assist help desk personnel in investigating security events and managing security-related e-mails from employees.
For instance, messages from employees with security concerns or questions about privacy and security guidelines are funneled to the organization's HIPAA coordinator. "The software manages the case from request to investigation to closure," Navarro says. "It tracks what we did for audit purposes."
Like other organizations, Camino Medical Group is taking another look at its compliance levels now that the security rule deadline has passed. The organization, for example, wants to implement secure messaging software.
"We're presently not sending e-mail that contains protected health information, but mailing password-protected compact disks," Navarro says. "We've decided we need some kind of encryption for e-mail, and now we're looking at products to fit the need."
In late July, the group practice instituted a new policy to prohibit the use of wireless keyboards, mice and headsets. The concern was that because these devices can be plugged into USB ports, unauthorized persons could more easily access a computer.
The new policy is part of the follow-up risk assessment of the organization's security levels. "We are actively looking for holes that need to be filled," Navarro adds. Subsequent assessments will follow every six months.
Further, a new change management policy is being developed to ensure that when modifications are made to an existing information system, security of the system will be re-checked. Also, any new system will go through a complete assessment.
All of these activities are part of Camino Medical Group's effort to move beyond a base level of compliance with the security rule, Navarro explains.
The organization originally did a high-level risk assessment, looking for obvious security holes. "Now we're doing a comprehensive review to make sure we haven't missed anything," he adds. "We need a policy that determines on an ongoing basis how routine comprehensive reviews should be done."
Along the way, the group practice has learned that while employees were interested in learning about security, they worried about its effect on practice patterns. Administrators, Navarro acknowledges, have learned how to mesh security with workflow.
The practice uses proximity badges to enable clinicians to automatically log on and off computers in examination rooms. Administrators, however, were thinking of installing software on computers in physician offices that would "lock down" or freeze the computer after a few minutes of inactivity. Physicians objected, saying they could be on the telephone with a patient for five minutes and their computer would lock down.
"We worked out a plan with physicians where they would be responsible for locking their computers to protect patient information," Navarro says.
Keeping HIPAA fresh
At City Hospital in Martinsburg, W.Va., CIO Gary Praznik keeps HIPAA privacy and security fresh in the minds of others by talking about recurring compliance efforts at monthly management meetings.
In March, the 260-bed facility started training new employees about HIPAA requirements. And every new resident or medical student meets with Kym Cleaver, R.N., information technology physician liaison, to go over privacy and security procedures.
The hospital also will require all employees, physicians, clergy and volunteers to go through an annual HIPAA refresher course. "That is our expectation," Praznik says, acknowledging that getting the doctors to go along with it may be a challenge.
For now, the hospital's two emergency departments (one of which is a "bumps and bruises" urgent care center) are the toughest physical areas in which to maintain a high level of information security.
"We've done a good job with the nurses, but it is challenging with physicians because of the number of patients seen each day," Praznik says. "The fast-paced nature of the emergency department, for instance, doesn't ensure workstations are always logged off."
Before the security rule deadline, the hospital bought 500 user licenses of single-sign-on software from Imprivata Inc., Lexington, Mass., to ease clinician access to its core hospital information system and picture archiving and communication system. It recently bought another 500 licenses to give more clinicians easier access and to identify those who don't consistently log off information systems after a session. City Hospital also has installed 50 biometric fingerprint identification readers to authenticate users on workstations.
Now the hospital is working with Imprivata to expand reporting capabilities to be able to track where within the hospital information system or PACS a clinician goes once he or she has logged in, Praznik says.
A major lesson HIPAA enforcers at the hospital have learned is the difference in work pace across various parts of the hospital.
Before moving to I.T., Cleaver was a nurse on the medical-surgical floors. "The emergency department works at a much faster pace. They're used to putting X-rays up, flipping the switch, viewing the image, turning it off and walking away. Now they use the PACS and they want to keep the images up on the screen to refer back to, or while they bring the patient or family to see them."
Consequently, the hospital now is putting screen savers on some workstations and automatic log-off software on others. The hospital also is starting to use wireless mobile carts to roll workstations to patients so only the physician and patient can see the images or data.
When all's said and done
Complying with the privacy and security rules forced health care organizations to look at their internal workings in ways they never had before. That means, says consultant Berkeyheiser, that people have a better understanding of their own organizational processes.
That's been a real benefit of HIPAA, she says. "People tend to stay in their own box, but HIPAA forced them to look at things across the entire organization."
As a result, some organizations now realize the degree to which they rely on outside business partners, called "business associates" in HIPAA parlance. Business associates are not covered entities under HIPAA, but covered entities are expected to ensure that business associates comply with the privacy and security rules.
Initially, many covered entities simply put language in their business associate contracts demanding HIPAA compliance, then moved on. Now, says Berkeyheiser, "covered entities are starting to put heat on business associates for proof of HIPAA compliance."
HIPAA's self-imposed obstacles
Congress passed the Health Insurance Portability and Accountability Act and two presidential administrations put the privacy and security rules into effect. These actions, though, have placed some pretty large obstacles in the road toward compliance, some of those who already have complied with the rules contend.
"The law calls for individual identifiers," notes LaForest Sherman, HIPAA project manager at Corporate Benefit Services of America Inc., a Minneapolis-based third-party administrator. "That should have been done first. It's still not done and that's causing all kinds of problems."
The TPA creates a proprietary individual identifier for patients, but so do countless thousands of other health care organizations. "The fact that we don't have a rock-solid identifier increases the risk that information about the wrong person will be disclosed," Sherman says.
The Department of Health and Human Services designed the security rule to be applicable for covered entities of all sizes. By its nature, that means the rule is quite vague in many areas, leaving it to covered entities to interpret what is required and the degree to which they will comply.
Most providers and payers have made some attempt to do an analysis of their risk and mitigate problems, says Lesley Berkeyheiser, a principal at The Clayton Group consulting firm in Glen Mills, Pa. "The levels of accepted risk, however, vary widely."
Small provider organizations focused on the rule's physical and administrative safeguards before moving to the technical safeguards, she notes. In part, that's because many physician practices have only recently implemented clinical information systems or made the decision to do so.
"Everyone recognizes they must move to electronic records and that's when the technical security stuff that didn't make sense before makes sense now," Berkeyheiser says.
But even though the rule had to be scalable, some covered entities would have liked more specificity from federal rule makers. "They could have made things a lot easier," says Cathie Biga, president and CEO of Cardiovascular Management of Illinois in Woodridge. The firm manages a multi-location cardiology group practice in the Chicago area.
Biga, however, is confident her organization can justify its privacy and security policies. "Our intent is always to do the proper things," she says. "If audited, I don't think we would pass on everything, but that might be because of different interpretations. If you put your systems and policies together in an ethical, logical way, you shouldn't have any problem meeting the intent of the HIPAA rules."