The Right Reaction to HIPAA (Part 2 of 3)
Safeguard your electronic records to ensure patient privacy.
By Mark E. Kropiewnicki, J.D., LL.M., and Janice G. Cunningham, Esq.
You know that your practice must soon comply with patient confidentiality and privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA). But do you know what you must do to keep this private information protected electronically? If you have patient medical records in a digital format, they're vulnerable not only to hackers, but also to any mistakes a staff member might make.
Here, I'll discuss steps you can take to safeguard your electronic medical records so that they don't cause problems for your practice because of unauthorized use or loss. Then, in Part 3 of this series, I'll provide some practical advice that you can use as you deal with the new HIPAA regulations.
The first compliance deadline is near
The HIPAA statute authorized the U.S. Department of Health and Human Services (HHS) to develop regulations that specify how the requirements of the law are to be carried out. When regulations are first released, they generally are in "proposed" form, with a period of time allotted for public comments before the regulations are issued in "final" form. HHS has the option to make changes or clarifications in the final regulations based on the comments it receives.
There are a number of sets of HIPAA regulations in various stages of development by HHS. Some of the more controversial regulations, including those dealing with unique identification and tracking of physicians, may never be finalized. However, there are two distinct sets of HIPAA regulations that apply to maintaining the security and integrity of electronic records:
Standards for Privacy of Individually Identifiable Health Information ("Privacy Regulations"). These regulations provide standards for maintaining the privacy and integrity of protected health information. You must comply with these standards by April 14, 2003. We don't expect to see any extension of the compliance date for the Privacy Regulations requirements, so if you haven't started to think about compliance, you need to start planning right now.
These regulations require physicians to intensify their efforts to maintain patient confidentiality and to limit the unauthorized use or disclosure of protected health information. While the primary focus is on privacy, the Privacy Regulations also include some elements that involve maintaining the security of digital records.
Standards for Security ("Security Regulations"). These regulations are specifically geared toward maintaining the security of digital records so that potential unauthorized access is eliminated or greatly reduced. These Security Regulations are currently still in proposed form. Because they haven't been finalized, the specific requirements and date of compliance are not yet known. However, they're likely to be final before the end of this year.
Unless there are significant changes from the current proposed form, the Security Regulations will require medical practices to implement additional safeguards for digital records -- beyond those measures that have already been included in the Privacy Regulations.
Implement safeguards now
Why worry about regulations that haven't been made final? Mainly because they provide valuable insights into the direction in which HHS is going and outline the goals these rules are intended to achieve. Plus, there's a good chance that little will be changed from the proposed regulations to the final version.
Note that both sets of regulations cover not only clinical records, but also any individually identifiable patient business records, such as billing and demographic data. These regulations call for comprehensive safeguards against improper access, distribution and use of protected health information.
Cutting through the voluminous pages of regulations is more than most ophthalmologists care to do. But here are some practical steps you can take now to begin your HIPAA compliance efforts:
Maintain adequate computer system safeguards, as well as procedural and management controls over the use of your system. Proposed HIPAA regulations regarding technical security are divided into two parts: technical mechanisms (data in transit) and technical services (stored data). Can your systems secure your data and support any new procedures that your practice puts into place to satisfy HIPAA requirements? If you don't have an in-house computer expert, consider bringing in an electronic security consultant to check out your systems and make technical recommendations.
Assess your security risks. Talk to your employees about their everyday computer practices. Observe how electronic information is routinely handled by your staff. Here again, a security consultant's insights can help. Once you have a good idea of where and how your systems are vulnerable to security threats, you can begin to establish protocols.
Put physical safeguards in place. Where are your computer terminals physically located in relation to public areas? To be HIPAA compliant, access to your practice's computer equipment must be physically secure and restricted. Are monitors left unattended, possibly showing confidential patient information? Situate workstations so that unauthorized people can't see the information displayed. Use automatic workstation timeouts after a few minutes of nonuse and educate staff to log off if they're going to be away from the workstation for more than a few minutes.
Develop internal security levels and password protection so that not all staff members have access to all information. Employees have been known to share passwords or tape them to computer terminals. Limiting access will help ensure that information hasn't been altered or added to without the proper authorization. A good procedure to have in place is to deactivate system passwords immediately after an employee resigns or is terminated. Computer users who are unaware of the seriousness of data tampering tend to choose easy-to-guess passwords. Have employees select less obvious passwords and instruct them to change passwords frequently.
As technology emerges, passwords may be replaced by other forms of user identification. In the near future, it won't be uncommon for retinal scans or fingerprint identification systems to be used to allow access to the computer system.
Protect all PDAs. Be aware that data can also fall into the wrong hands by the theft or misuse of a handheld device carrying patient information. More and more ophthalmologists are using personal digital assistants (PDAs) for everything from scheduling, to electronic medical records, to electronic mail. Be especially aware of where your PDA is at all times and keep it secured when it's not in use.
Educate staff members in data security practices. Staff education as a part of orientation, and periodically for all employees, is a priority in HIPAA compliance and must be documented. All staff members must be trained in the policies related to protected health information.
Provide internal protection. Determine which staff members absolutely need access to clinical information, and set up your information systems so that they will allow access to only those individuals. For example, billing clerks don't need access to detailed clinical information.
Install features on your system that keep records of all user log-ins and log-outs, as well as all attempts to access the system by unauthorized users. Disgruntled employees with authorization are security risks as well and can steal sensitive electronic information. When a staff member leaves the practice, immediately remove his or her authorization to enter the system. Make sure your staff is aware of the penalties for unauthorized access and misuse of patient information.
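The access levels, immediate deactivation of departed staff, and log-in/access logging described above can be demonstrated in a few dozen lines. The following is an added example, not code from the article or from any EHR product: a minimal role-based access check over a patient record that refuses fields outside a user's role, refuses deactivated accounts, and writes every successful and refused access to an audit log. The roles, user names and sample record are all constructed for illustration.

```python
"""Added example (not from the article): role-based access to a patient
record with an audit trail and immediate deactivation of departed staff.
All names, roles and the sample record are constructed for illustration;
a real practice system would use its own user directory and a
tamper-evident log store."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which record fields each role may read: the "minimum necessary" principle.
# A billing clerk sees demographics and balance, never clinical detail.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "visit_notes", "balance"},
    "nurse": {"name", "dob", "diagnosis", "visit_notes"},
    "billing": {"name", "dob", "balance"},
    "front_desk": {"name", "dob"},
}

# Constructed sample record, not real patient data.
SAMPLE_RECORD = {"name": "J. Doe", "dob": "1950-01-01",
                 "diagnosis": "glaucoma", "visit_notes": "IOP 24 mmHg OD",
                 "balance": 120.00}


@dataclass
class User:
    username: str
    role: str
    active: bool = True


@dataclass
class AccessControl:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_user(self, username, role):
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role {role!r}")
        self.users[username] = User(username, role)

    def deactivate(self, username):
        """Called the moment someone resigns or is terminated."""
        self.users[username].active = False
        self._log(username, "deactivate", None, "ok")

    def _log(self, username, action, detail, outcome):
        # Every attempt is recorded, including the refused ones.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username, "action": action,
            "detail": detail, "outcome": outcome})

    def read(self, username, record, fields):
        user = self.users.get(username)
        if user is None or not user.active:
            self._log(username, "read", sorted(fields), "denied: no active account")
            raise PermissionError(f"{username}: no active account")
        refused = set(fields) - ROLE_FIELDS[user.role]
        if refused:
            self._log(username, "read", sorted(refused), "denied: outside role")
            raise PermissionError(
                f"{username} ({user.role}) may not read {sorted(refused)}")
        self._log(username, "read", sorted(fields), "ok")
        return {f: record[f] for f in fields}


def demo():
    """Walk through the three cases the text describes and return the outcomes."""
    ac = AccessControl()
    ac.add_user("drsmith", "physician")
    ac.add_user("pat", "billing")
    results = {}
    results["billing_balance"] = ac.read("pat", SAMPLE_RECORD, {"balance"})
    try:                                   # billing clerk asks for clinical data
        ac.read("pat", SAMPLE_RECORD, {"diagnosis"})
    except PermissionError as e:
        results["billing_clinical"] = str(e)
    ac.deactivate("drsmith")               # physician leaves the practice
    try:
        ac.read("drsmith", SAMPLE_RECORD, {"diagnosis"})
    except PermissionError as e:
        results["departed"] = str(e)
    results["denied_events"] = sum(
        1 for e in ac.audit_log if e["outcome"].startswith("denied"))
    return results


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The audit log is the part a reviewer will ask for: the two refused reads are recorded with who asked, what they asked for and why it was denied, which is exactly the trail needed to investigate the disgruntled-insider case the text raises.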
Implement Internet security. Internal data is at risk of being accessible to Internet users outside of the practice. Encryption can keep data from being read if it is intercepted in transit or copied from a stolen device, though it does not by itself control who is allowed to access the data. Ensure that other physicians, hospitals, payers, claims clearinghouses and ancillary providers have adequate security controls in place to keep your data from being corrupted. The proposed Security Regulations require you to have written agreements with other entities to which you transmit digital protected health information.
Use security technology
A basic element of your electronic security program is acquiring, installing and managing virus prevention software. Buy a license that covers every workstation in your practice. Make sure the service is updated so you can be covered for new viruses. In addition, employees who access your system from outside the office should have the same kind of protection on their personal equipment.
You can also install firewalls to reduce the risk of an Internet security breach. (For more detailed information about security, see "Prevent Intrusions into Your Computer System".) A firewall is a combination of hardware and software that protects an internal network from potential security breaches by way of the Internet. Be aware, though, that a determined hacker can breach firewalls, and a firewall is usually only the first line of defense against outside intrusion.
Consider software to allow for authentication of transmissions over the Internet. Some systems will verify that the record you receive from someone else was sent by that person and not by a hacker.
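The following is an added example, not code from the article or from any particular product, of the kind of check such software performs: the sender attaches a keyed hash (HMAC-SHA256) to the record, and the receiver recomputes it to confirm the record came from a party holding the shared secret and was not altered on the way. It assumes a secret key exchanged out of band with the trading partner; commercial systems more often use digital signatures with public-key certificates, which avoid sharing a secret, but the verification idea is the same. The key and the sample record are constructed for illustration.

```python
"""Added example (not from the article): authenticating a transmitted
record with HMAC-SHA256 so the receiver can reject forged or altered
messages. The shared secret and sample record are constructed."""
import hashlib
import hmac
import json
import os


def make_message(record: dict, key: bytes) -> bytes:
    """Serialise the record canonically and append a hex HMAC tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def verify_message(message: bytes, key: bytes):
    """Return the record if the tag checks out, otherwise None."""
    body, _, tag = message.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(body)


def demo():
    """Genuine message, altered message, and message from an impostor."""
    key = os.urandom(32)   # in practice agreed out of band with the partner
    record = {"patient_id": "A123", "claim": 120.00}   # constructed sample
    msg = make_message(record, key)
    genuine = verify_message(msg, key)
    # Someone alters the claim amount in transit but cannot recompute the tag.
    tampered = msg.replace(b"120.0", b"999.0")
    forged = verify_message(tampered, key)
    # A sender without the shared secret cannot produce a valid tag either.
    impostor = verify_message(make_message(record, os.urandom(32)), key)
    return genuine, forged, impostor


if __name__ == "__main__":
    print(demo())   # (record, None, None)
```

Note what the check does and does not give you: it proves origin and integrity, not secrecy. The record body is still readable by anyone who intercepts it, so transmission over the public Internet still needs encryption as well.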
As your practice makes the transition from paper to digital records, you need to think about all the things that may happen that would cause you to lose those records. In addition to high-tech hackers, your systems are also vulnerable to the same physical dangers as your paper records, particularly fires, floods and thefts. Develop a disaster management plan for your electronic records to minimize the damage that may occur and to deal with the aftermath of a disaster quickly. Be sure to back up any information on your computer system on a regular basis. That way you'll have recent copies of everything should your system be damaged or hacked into.
Earn your patients' trust
Patients rank privacy very high on satisfaction surveys. They're unlikely to provide confidential information if they're concerned about where the data will end up, and information they withhold can affect the outcome of their treatment. It's crucial for your practice to protect the confidentiality of medical records, while at the same time making sure that the appropriate healthcare providers can access the information when they most need it.
Mark E. Kropiewnicki, J.D., LL.M., is a principal consultant with the Health Care Group, Inc. and a principal and president of Health Care Law Associates, P.C., in Plymouth Meeting, Pa. He regularly advises physicians and practices on contracting matters and business law obligations. Janice G. Cunningham, Esq., is a consultant with the Health Care Group and an attorney with Health Care Law Associates, specializing in business and legal issues that affect physicians and their practices. You can reach them both at (800) 473-0032.