Intranet Journal
The online resource for intranet professionals


HIPAA 101


Laura Taylor 11/29/02


Tasks Related to Patient Privacy

These tasks will help ensure that privacy guidelines exist and are followed:

Tasks Related to Online Penetration Test

An online penetration test is another name for an online network scan. By scanning systems electronically, you can find out what vulnerabilities and threats pose an information technology risk to patient data kept on healthcare provider systems and networks. The basic tasks related to performing an online penetration test or network scan are as follows:

HIPAA is a big project. It is bigger and more complex than the Year 2000 date problem, which was a much more straightforward problem to solve. Healthcare providers that are not yet working on HIPAA compliance are risking violation of this mandatory privacy law and could face severe financial and criminal penalties. All healthcare providers should assign a program manager the responsibility of making sure their organization becomes HIPAA compliant.

Recommendations for Health Care Providers
There are different ways to secure medical records, and typically healthcare providers will need a layered approach to effectively secure the data and reduce the risk of exposure. The following items each require their own layer of security:

- Data and records are secured through encryption and read-write discretionary access controls.
- Systems are secured through authentication systems, single sign-on systems, intrusion prevention systems and locked data centers.
- Networks are secured through firewalls, intrusion detection systems, and VPNs.
- Applications are secured through single sign-on systems and intrusion prevention systems.
- Facilities are secured with locks, surveillance cameras, card access control systems and security guards.

If healthcare providers do not have staff capable of researching HIPAA and making sure their systems are in compliance, they should outsource this project to reputable consultants. The full 93-page document, which includes references to the U.S. Code that healthcare providers need to comply with, is at the following URL: http://www.hhs.gov/ocr/hipaa/privrulepd.pdf
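The first layer above, read-write discretionary access control on the records themselves, is the one most easily shown in code. The following is an added example written for this page, not code from the article or from any HIPAA guidance; it assumes a hypothetical in-memory record store where the record owner (for example the treating physician) grants other users read or write rights, every access decision is written to an audit trail, and the patient identifiers and names are constructed sample values. The encryption layer is left out because the Python standard library has no authenticated cipher to demonstrate it with.

```python
"""Discretionary access control for patient records with an audit trail.

Added example for this page (assumed design, not the article's own code):
the owner of a record holds an access control list (ACL) and is the only
principal who can grant or revoke read/write rights on it.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

READ, WRITE = "read", "write"


@dataclass
class PatientRecord:
    patient_id: str
    owner: str                      # principal who controls the ACL
    data: Dict[str, str]
    # user -> set of permissions granted ({"read"}, {"read", "write"})
    acl: Dict[str, Set[str]] = field(default_factory=dict)


class RecordStore:
    """In-memory store enforcing per-record discretionary access control."""

    def __init__(self) -> None:
        self._records: Dict[str, PatientRecord] = {}
        # (actor, action, patient_id, allowed) for every decision, good or bad
        self.audit: List[Tuple[str, str, str, bool]] = []

    def _log(self, actor: str, action: str, patient_id: str, allowed: bool) -> None:
        self.audit.append((actor, action, patient_id, allowed))

    def _check(self, actor: str, patient_id: str, perm: str) -> PatientRecord:
        """Central permission check: unknown record or missing right -> denied."""
        rec = self._records.get(patient_id)
        allowed = rec is not None and perm in rec.acl.get(actor, set())
        self._log(actor, perm, patient_id, allowed)
        if not allowed:
            raise PermissionError(f"{actor} may not {perm} record {patient_id}")
        return rec

    def create(self, owner: str, patient_id: str, data: Dict[str, str]) -> PatientRecord:
        if patient_id in self._records:
            raise KeyError(f"record {patient_id} already exists")
        rec = PatientRecord(patient_id, owner, dict(data), {owner: {READ, WRITE}})
        self._records[patient_id] = rec
        self._log(owner, "create", patient_id, True)
        return rec

    def grant(self, actor: str, patient_id: str, grantee: str, perms: Iterable[str]) -> None:
        """Only the record owner may extend the ACL (the 'discretionary' part)."""
        rec = self._records.get(patient_id)
        allowed = rec is not None and actor == rec.owner
        self._log(actor, "grant", patient_id, allowed)
        if not allowed:
            raise PermissionError(f"{actor} is not the owner of {patient_id}")
        rec.acl.setdefault(grantee, set()).update(perms)

    def revoke(self, actor: str, patient_id: str, grantee: str) -> None:
        rec = self._records.get(patient_id)
        allowed = rec is not None and actor == rec.owner
        self._log(actor, "revoke", patient_id, allowed)
        if not allowed:
            raise PermissionError(f"{actor} is not the owner of {patient_id}")
        rec.acl.pop(grantee, None)

    def read(self, actor: str, patient_id: str) -> Dict[str, str]:
        rec = self._check(actor, patient_id, READ)
        return dict(rec.data)           # copy, so callers cannot bypass write checks

    def write(self, actor: str, patient_id: str, updates: Dict[str, str]) -> Dict[str, str]:
        rec = self._check(actor, patient_id, WRITE)
        rec.data.update(updates)
        return dict(rec.data)

    def denied_attempts(self) -> List[Tuple[str, str, str, bool]]:
        """Audit entries a privacy officer would review: every refused access."""
        return [entry for entry in self.audit if not entry[3]]


if __name__ == "__main__":
    # Constructed sample scenario: physician owns the record, nurse gets read only.
    store = RecordStore()
    store.create("dr_smith", "P-0001", {"name": "Sample Patient", "dx": "none"})
    store.grant("dr_smith", "P-0001", "nurse_jones", {READ})
    print(store.read("nurse_jones", "P-0001"))
    for actor, action in (("nurse_jones", "write"), ("billing_clerk", "read")):
        try:
            getattr(store, action)("billing_clerk" if actor == "billing_clerk" else actor,
                                   "P-0001", *([{"dx": "x"}] if action == "write" else []))
        except PermissionError as exc:
            print("denied:", exc)
    print("denied attempts logged:", len(store.denied_attempts()))
```

The point of routing every read, write, grant and revoke through one checkpoint is that the audit trail then records refusals as well as successes, which is what a reviewer needs when investigating a suspected privacy violation.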

This document, known as 45 CFR Parts 160 and 164, should be reviewed by both systems security experts and legal experts working on behalf of the healthcare provider that is seeking compliance.

Compliance of Medicare records will be under particular scrutiny because all Medicare transactions are mandated to occur electronically by October 2003. Therefore, healthcare providers that feel they may not have time to complete the entire gamut of HIPAA regulations should start with Medicare records first.

On January 15, 2003, the U.S. Department of Health and Human Services is hosting a call-in session for learning more about HIPAA. The number to call is 877-381-6315 and the access code is # 6632809. Callers intending to participate should send an email to Alikia Brown at ABrown1@cms.hhs.gov. For answers to HIPAA questions, healthcare providers should call the HIPAA Administrative Simplification Hotline at 1-866-282-0659.

Recommendations
Unfortunately, at this time there is no way of knowing whether your healthcare provider is HIPAA compliant. However, you should be able to find out your healthcare provider's intentions on HIPAA compliance; if they are proactive, they will send you a letter stating their intention to comply with HIPAA regulations if they are not already compliant today.

If you call your healthcare provider for account or billing information, they should verify your identity before releasing any information to you over the phone. Typically they will ask you for the last four digits of your social security number, your mother's maiden name, your address and phone number, or your account number. If your healthcare provider does not ask you any of these identity-validating questions, it is a sign that they are not taking the privacy of your personal information very seriously. If you feel that your patient privacy is being violated, you should report the violation to the Centers for Medicare and Medicaid Services (CMS), the division of the U.S. Department of Health and Human Services that is overseeing compliance. CMS can be contacted at 1-866-282-0659.


Copyright 2002 Jupitermedia Corporation, All Rights Reserved.