Implications of HIPAA on Hand Held Clinical Applications, Part 1

With the growing amount of handheld technology that is being used today, from medical settings to classrooms, there is a vast amount of information being transferred back and forth. Any time personal information, such as the diagnosis and history of a patient, is transferred from a handheld device to another computer, a security risk exists. Education on security issues is important, and Healthlink was kind enough to supply a three-part article series on HIPAA in the medical field. The following article is the first of three, so read on to learn about the HIPAA Act and stay tuned next week for the second article regarding HIPAA in the handheld world.

Implications of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will be felt throughout the healthcare industry as it crosses the intersection of medical care and the dramatic new advancements in technology. Some of these technologies are generating newer and more user-friendly tools, and with HIPAA now facing the healthcare community, those tools carry implications for health information security and privacy. Before embracing these technologies, consideration should be given to the security and privacy perspective, as well as to cost and return on investment.

As healthcare provider organizations and their clinicians develop readiness strategies for HIPAA, one initiative that must be undertaken is determining how to continue the deployment and expansion of Personal Digital Assistant (PDA) usage while assuring compliance with the regulations.

This article, "The Implications of HIPAA on Hand Held Clinical Applications" is written as a three-part series which will cover a basic understanding of HIPAA legislation for Privacy and Security, the implications of HIPAA on PDAs, and real life scenarios and solutions of using PDAs in the healthcare environment.

Part 1 - Understanding HIPAA legislation for Privacy and Security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated that the Department of Health and Human Services (DHHS) develop high-level health information security and privacy standards to support the increased use of electronic patient information carried in the standardized transactions.

The objective of HIPAA is to:

  • Deploy national standards for electronic data interchange (EDI) across the industry;
  • Secure electronic individual health information;
  • Ensure uniform privacy related to access and disclosure of patient information; and,
  • Require documentation of organization-wide compliance with security and privacy regulations.

The final Privacy Standards amount to a dramatic new federal role in determining the way personal health information should be handled by providers, payers and health plans. They extend certain privacy rights and confidentiality protection to all patients regarding their medical records and medical information.

Deadlines for compliance with HIPAA legislation begin with the deployment of electronic transactions on October 16, 2002, and privacy rules on April 14, 2003. Final rules for Security are pending, but are expected to be effective during the fourth quarter of 2001. Publication of the Notices of Proposed Rule Making (NPRMs) for identifiers and enforcement is expected this year.

HIPAA affects all covered entities including Health Plans, Healthcare Providers, and Healthcare Clearinghouses; and it affects vendors and contracted services that are business associates of the covered entities.

HIPAA affects all departments of provider organizations - not just Information Services (IS).

It affects:

  • Senior healthcare executives who will be responsible for ensuring their organization's operations comply with a comprehensive and detailed set of rules governing health information practices.
  • Business associates of a covered entity that have access to protected information will also need to provide the same level of privacy to protected information (i.e., billing contractors, transcriptionists, software vendors, marketing and development firms).

For each activity, the regulation defines parameters and implementation specifications that must be followed to ensure privacy and compliance with the integrated activities of the rules.

If an entity fails to comply, the Office for Civil Rights (OCR) of the Department of Health and Human Services (DHHS) will enforce the privacy regulations. Unintentional violations could result in civil fines of $100 per violation, up to $25,000 per year for violations of the same requirement; intentional violations could result in criminal penalties of up to ten years imprisonment and up to $250,000 per offense.

Not complying with the regulations could also mean a missed opportunity to realize the benefits of simplification, or a missed opportunity to reduce Accounts Receivable (A/R) by as much as 14-21 days.

The HIPAA Challenge

The HIPAA challenge involves business transactions, security standards and privacy regulations.

Business transactions entail implementing standardized transactions and establishing unique identifiers for provider, employer, health plan, and individuals.

Security standards cover documentation standards for Administrative Procedures and Physical Safeguards, and technical standards for Technical Security Services and Technical Security Mechanisms.

Privacy regulations include developing privacy processes and supporting policies and procedures, and organization-wide cultural changes for the way private information is conveyed throughout patient care delivery, billing and hospital operations. In addition, disclosures outside of the organization will require careful scrutiny.

PDAs and HIPAA

PDAs are being used, whether they are officially supported or not. Many are connected to provider resources and some are being used for patient care.

With the availability and portability of electronic health information in the clinical setting, the HIPAA security and privacy requirements become paramount. It is imperative that providers understand the scope of the HIPAA regulations and the impact on how the information is collected and secured.

Organizations can secure information without making it private, but it is not possible to keep information private without making it secure.

Conclusion

HIPAA includes a number of security and privacy regulations that will significantly affect the security requirements of hand-held clinical devices. It defines technical standards for access control and network communications, and requires cultural changes for maintaining the privacy of patient information. All applications containing protected health information (PHI) must comply with these standards to remain viable solutions in the clinical environment.

Part 2 of this series offers an in-depth look at the impact of HIPAA on the use of PDAs in healthcare.

If you would like to join others in chatting about this article or sharing a similar experience, join our discussion board at this thread: www.pdamd.com/vertical/forums//read.php3?num=5&id=285&loc=0&thread=285

Healthlink Authors

Liz Johnson, Executive Vice President, National HIPAA Practice Leader Liz.Johnson@healthlinkinc.com.

Liz Johnson is Healthlink's Executive Vice President and National Practice Leader for HIPAA. Ms. Johnson is a talented author and an extremely dynamic speaker on any level. As a nationally recognized HIPAA expert, she has shared her in-depth knowledge of HIPAA in over 200 presentations across the nation. A partial list of her national HIPAA speaking engagements include, ACHE, CHIM, CHIME, TEPR, RX2000 and HIMSS. Additionally, Ms. Johnson has directed numerous HIPAA consulting engagements, including readiness assessments, offices of project management, HIPAA planning and training.

With over 25 years of healthcare experience, the last 15 serving in executive positions throughout provider organizations, Ms. Johnson understands provider operations from every perspective, and the role IT plays in enabling best practices to be deployed by healthcare providers. Ms. Johnson has served on the Adjunct Faculty at the University of Texas at Arlington and the Texas Women's University. She is currently an Associate of the American College of Healthcare Executives and a member of HIMSS.

Susan Rivers, Service Line Coordinator Susan.rivers@healthlinkinc.com.

Susan Rivers' background in healthcare information systems has been in working with consultants to provide marketing and operational support to clients. In her role with Healthlink as Service Line Coordinator, she provides product and marketing research, documentation support, and service line content for marketing publications.

About Healthlink

Healthlink is the largest privately held services company dedicated to the healthcare information technology industry. Healthlink delivers unmatched expertise in enterprise business and clinical processes, technology integration and implementation, and customized healthcare applications to the healthcare community. This expertise results in total solutions for managing and enhancing healthcare services through technology and process improvement. Healthlink has working relationships with more than 400 leading hospitals and Integrated Delivery Networks (IDNs) nationwide. Responding to the current federal and state legislation affecting healthcare organizations, Healthlink is helping our clients realize cost efficiencies and achieve overall improved quality patient care. Healthlink has worked across the nation for organizations including: large IDNs, academic medical centers, community-based health systems, public hospitals and private not-for-profit organizations. For more information on Healthlink and its services, visit www.healthlinkinc.com.