The Path to Paperless
Protecting Your Electronic Data
Part 2: HITECH confuses HIPAA requirements.
By Peter J. Polack, MD, FACS
Last month, I presented some of the issues regarding the safety of patient information as required by HIPAA and the HITECH Act, and, more importantly, precisely what effect these regulations may have on the average medical practice.
In this column, I'll explore the debate over what constitutes protected information and what your practice can do to stay in compliance.
A crucial controversy is brewing regarding what types of data need to be encrypted, or protected with specified security protocols. This is due to the fact that the two pieces of legislation cited above don't quite agree. To make matters worse, the technical terminology that they use is not utilized by experts in the computer industry.
In general, data that is going from one place to another requires protection. This is certainly easy enough to understand. If a person who is not authorized were to intercept this information, the privacy of the data might be breached. But this is where things get complicated: Who decides what data is vulnerable to a breach?
■ Data-at-rest. According to the National Institutes of Science and Technology, data on external storage media such as backup tapes or flash memory sticks is considered data-at-rest. Since this information can be literally taken from one place to another, it runs the risk of becoming compromised, and therefore it needs to be encoded. This makes sense.
■ Data-in-motion. This refers to information traveling from one point to another, usually between distinct networks. Consider electronic transactions between a hospital and an insurance company, or between two banking companies. The catch is that some interpret the HIPAA data requirements to include data traveling within a local area network (LAN). This would include local networks within a medical practice, including the practice management and electronic medical records systems.
Others believe that the data flowing on a LAN is under the management of the practice. As a result, the presumption is that this data need not be encoded when going from one practice computer to another. The system is deemed protected from unauthorized users.
To confuse matters further, there are some who say the information in your network is data-at-rest and consequently ought to be encrypted.
With no definitive judgment on this issue, some sort of statutory ruling will be needed before medical practices know for sure.
If the data on a medical practice's LAN falls under the requirements for protected information, it will surely be an onerous proposition. It would be prohibitively expensive if a medical practice had to encrypt its LAN information, not merely in terms of the extra hardware and software required, but also for processor and memory ‘overhead.’ Even if a practice could afford to do it, its network may slow to a crawl.
■ What should a practice do? The safest option for now is to encode any information on portable media: CDs, tapes, thumb drives or memory sticks. This is easy enough. However, doctors and staff accustomed to simply plugging a USB device into a practice computer may resist the added precautions.
Data transmitted from the practice to another organization — clearing houses, insurance companies, etc. — is largely encrypted today by default. Apart from that, medical practitioners should stay up-to-date with the news regarding security of protected health information in order to stay on the right side of the law.
In a multipart series, Dr. Polack is describing how an 11-physician practice, Ocala Eye in Ocala, Fla., with five locations and 140 employees, makes the major transition from paper medical records to EMR. During the course of the series, Dr. Polack will provide readers with a “real-time” look at how the implementation is progressing. Dr. Polack can be reached at ppolack@ocalaeye.com.
Peter J. Polack, MD, FACS, is comanaging partner for Ocala Eye, a multisubspecialty ophthalmology practice located in Ocala, Fla. He is also founder of Emedikon, an online practice management resource for physicians and administrators.