
Taking Another Look at HIPAA and I.T.

Like many provider organizations, Ellis Hospital in Schenectady, N.Y., has instituted many policy and technology changes to comply with the HIPAA privacy and security rules. One change, which has been common among HIPAA covered entities, was to mandate unique usernames and passwords for clinicians accessing protected health information electronically at a workstation.

However, now that the security rule's April 20 compliance deadline has come and gone, Ellis Hospital and many other covered entities are taking another look at their policies to see if they need refinement. They also are hunting for continued areas of weak security in their information infrastructures.

"We're looking to see where we can improve, or if we went overboard," explains Mark McGill, network engineer at the 368-bed facility.

Ellis Hospital, for example, is not going to let clinicians go back to using a common username and password to access information systems. But officials do understand the adverse effect on workflow when clinicians must log out of one application before logging into another. "We have to meet them somewhere in the middle," he adds.

That's why the hospital now is considering single-sign-on technology and proximity cards as ways to ease data access while continuing to safeguard patient information.

To be successful, policy review must be an ongoing process when seeking to comply with the security rule, McGill says. That's because as changes occur in an organization, they affect data security, he explains. Changes also affect the documentation requirements of the security rule because an organization must provide evidence it's in compliance.

"Policy review is a changing and growing matter," he adds. "If you don't keep documentation up to date, it's useless."

Constant vigil

With compliance deadlines for the security and privacy rules past, covered entities cannot sit on their accomplishments to date, says William Gillespie, vice president and CIO of WellSpan Health, a two-hospital delivery system in York, Pa. "We felt we hit the bar with reasonable compliance in April, but now we have to do more."

That means identifying and fixing holes in the security net via new or revised policies, or new technologies. WellSpan recently implemented user provisioning software from Framingham, Mass.-based Courion Corp., enabling unit managers and other leaders to handle the process of assigning usernames, passwords and role-based access.

The administration group for WellSpan's picture archiving and communication system, not the I.T. department, already has been managing day-to-day operations of the delivery system's PACS, and now manages access to the application via the provisioning software.

Decentralized provisioning gives unit leaders more control over who is accessing what information within their areas, Gillespie says. What's more, it reduces a constant headache for the I.T. department. "Our No. 1 call from users is about password problems."

Many covered entities are not resting on their laurels after weathering the privacy and security rule deadlines. Here's how several are continuing to raise the bar on their level of compliance:

A TPA's task

Just before the security rule deadline, Corporate Benefit Services of America Inc. still was implementing new technology to further protect information. The Minneapolis-based third-party administrator serving 500 employers with 400,000 covered lives viewed the deadline as a period by which covered entities should have addressed security issues to some degree, says LaForest Sherman, HIPAA project manager.

But more work remained because there's no hard and fast rule about when an organization's data is secure enough. "When do you have a garden?" Sherman asks. "Is it when you plow it? Is it when you plant carrots and potatoes?"
