
Building the Security-Capable Enterprise: HIPAA Preparation

Defining administrative procedures is the linchpin of HIPAA compliance.

By Ted Cooper, MD

There can be few health care providers who have not heard of the Health Insurance Portability and Accountability Act (HIPAA), enacted by Congress in 1996. Its Administrative Simplification provisions amend the Social Security Act, and they required the US Department of Health and Human Services (DHHS) to publish standards for the transactions that can be sent electronically, for the code sets used in them, and for the identifiers that go into them. The act also directed the secretary of the DHHS to publish security standards and, if Congress did not pass privacy legislation within three years, to publish privacy standards as well. Congress did not act, and the final privacy standards have not yet been published.

Some of the requirements set out in the proposed security rule issued August 12, 1998 [1] and the proposed privacy rule issued November 3, 1999 [2] fall squarely into the category of security and privacy. They have to do primarily with

  • controlling authorization of users and access to data,
  • chain-of-trust agreements,
  • data availability,
  • contingency plans,
  • continuity-of-operation plans,
  • preventing unauthorized changes to data,
  • organizational policies, and
  • considerable changes in the human resources area.

For example, employees’ backgrounds and identities must be checked before they are given access to data, and there must be a mechanism through which potential or actual incidents of inappropriate data access, use, or disclosure can be reported and investigated. Sanctions must be defined in advance and applied when a suspected violation of confidentiality turns out to be real. When staff members leave the organization, their access to confidential data must be removed, so the organization needs a defined process for doing so promptly. Everyone who handles patient information must be trained in confidentiality, and each person with access to data must sign a privacy agreement.

The proposed privacy rule requires organizations to give patients notice of their information practices. Certain disclosures must be tracked, and patients must be allowed to review data about themselves, request correction of errors, and, if they disagree with the data, add amendments. Audit facilities must be provided, and activities must be documented extensively. There must also be a way for individuals to complain about what they perceive as violations of confidentiality.



©2000 Decisions In Imaging Economics.
All rights reserved.
Contact: editor@imagingeconomics.com.