I recently called a general practitioner's office to schedule a
complete physical exam. I would be a new patient at this doctor's office.
They asked me to come in 30 minutes before the exam to fill out paperwork
regarding my medical history. I was concerned that I would not know all
the information requested about my family's history with diabetes,
cancer, etc., so I asked them to fax me the forms so I could consult with
my family prior to the appointment. The receptionist told me that under no
circumstances could she fax me the forms because it was against HIPAA
regulations. I fail to understand how a blank form, faxed to my private
fax in my home, could be a security or privacy issue. Can you tell me
whether or not this is true?
We are a little confused about the sharing of passwords. Is it OK to
give our computer passwords to our dept. manager or director? Or should
only someone in IS have access to it if necessary?
My company manufactures a piece of computerized equipment used in physical capacities assessment (agilities testing) facilities. The software requires user name/password access by default using an admin user name and password which my customers almost universally do not configure for individual employees. All their employees typically use the admin login to access the data. Is this something that I will have to admonish my customers for doing if they wish to be compliant?
In addition, we provide support for this equipment by remote telephone connection. The software in use does not have any form of encryption. The only “encryption” there is the normal modulation/demodulation of the 56k modem. (The stupid thing is that a modem's modulation/demodulation can in fact be considered encryption under the DMCA, which apparently does not delineate the difference between strong encryption and trivial encryption mechanisms. Pig Latin, as an example of a trivial encryption, is nevertheless considered encryption protected under the DMCA.) Anyway, my company connects to the server by modem and performs maintenance, occasionally having to diagnose report printing problems by viewing them on the screen, or repairing a worker's client file by downloading it to our office and uploading it back when repaired a few hours later. The files are accessed and repaired usually without ever running the application and without requiring any form of login other than the required modem software protocol, which implements a trivial global password. The modem software allows only one user name/password, does not have any form of encryption above its own protocol, and is shared by all our support personnel when we provide support. Is this an issue under HIPAA that must be addressed?
Lastly, the software saves the client files to disk in an
unencrypted way that anyone with a little DOS knowledge could copy off to
a floppy disk drive. The operating system is an embedded DOS which has no
inherent security of its own. The system is designed around a custom
peer-to-peer physical network protocol that links each workstation to
another workstation in the system but which cannot link to the internet or
Windows machines. Would either of these pose a problem under HIPAA?
You will, however, probably be asked to sign a business associate agreement for many of your clients. This document will certify your intent to protect any and all protected health information, either by your staff or others, as well as indicating that you will not disclose protected health information to any other persons or entities. (Posted 5/15/03)
I have a small medical transcription company. I am very overwhelmed
with all of the information out there. Could you please let me know the
BASICS in regards to regulations? I have three subcontractors and one
courier. They pick up tapes from the doctors' office, type them, and
E-mail them to me. I proof-read them and print them and deliver them to
the doctors' office. Sealed envelopes for picking up tapes and delivering
work? Patient confidentiality statement from subcontractors and courier?
Is a firewall necessary?
Sealed envelopes for deliveries and pickups are a great idea. What is done with the old tapes or documents which may be produced? Are you destroying all PHI that does not go back to the doctor’s office? The subcontractors can either be treated as your employees or business associates and either way should be protecting PHI. Are the computers dedicated to transcription services only?
You should also remember that email is never 100% secure and should take steps to protect this information such as firewalls and encryption. (Posted 5/15/03)
Where in the HIPAA Regs is there anything mentioned about shared workstations? We are a large provider clinic with a Physical Therapy Center (OHCA) where several PTs share one common workstation. They use this periodically to check their schedules and sometimes to view PHI on their patients. They do not want to have to be constantly signing on. I believe there is no way around this, since there must be an accurate audit trail. But, if they have view-only, as opposed to update, access, would it make a difference?
There are also a few other areas where more than one person may share a workstation. All have separate sign-ons for the specific applications, and most have their own individual accounts for the network. However, we are finding that once a user signs on the other users may be using the system under their sign-on. We do have time-outs that will knock them out of the applications, and everyone should be using a password protected screen saver. But, they are obviously sharing these passwords. Unfortunately, a Single Sign-on product is not in the picture at this time.
Any light you can shed on this is most appreciated.
View only access vs. updating capabilities does not protect the privacy of protected health information. Security and privacy may cause extra steps but it is worth it to all of us and your patients will expect the highest level your institution is capable of producing. (Posted 5/15/03)
Do you think it is necessary to do the following to effect data security in a large behavioral health network? These steps are being recommended. I think it is overkill. Please advise.
In many ways, this is an organizational call on whether to allow internet and computer capabilities of the workstation.
I have seen these same things carried out at many organizations, and it results in fewer field calls for information technology help desks and, in some measure, a higher form of security for the organization, with less surfing of the internet and less chance of viruses attacking the workstation. Even with the CD and floppy disabled, viruses may be transmitted over the e-mail network, so anti-virus is required on EVERY computer. I feel these measures can be overkill and provide only limited protection, while giving limited use of the workstation. However, from an IT perspective, most workstations do not require the use of the floppy or CD-ROM or internet usage. But I feel the best way to control this is with policies and procedures and training of your personnel. Many times I have seen where management can surf the internet, but the workers cannot. Will it encourage work productivity of employees to be able to use the internet? Will allowing management to have internet capability add a have-and-have-not attitude at your organization?
As I stated, these are organizational decisions that should be made, allowing or not allowing these capabilities. (Posted 5/15/03)
If I download unencrypted PHI over an ordinary telephone line and
modem, is this considered dedicated for HIPAA? Or is this a violation of
the rules and regulations.
Dedicated usually refers to a direct link from one network to another. If you are dialing directly from one modem to another computer, this would be close to dedicated, but it does not completely fit the definition of a dedicated line. As you can see, the semantics involved are not easily traversed with HIPAA, and each area must be looked at carefully. At any point that PHI will be traversing phone lines, e-mails, etc., encryption should be used. (Posted 5/15/03)
My company is about to launch an encryption product and would like
to know the process for having a product certified as HIPAA-Compliant.
What costs are involved? Who tests these products? What do we need to
provide to certify our product? What is the time frame involved with
certifying a product?
I suggest that a complete review of practices, software capabilities and compliance be conducted by working with a 3rd party HIPAA consultant to deal with all the nuances regarding risk levels, scalability, etc., in reviewing your software for HIPAA issues and concerns. (Posted 5/15/03)
I would like to get some information on the proper disposal of MRI,
CT, PET, etc. imaging films. Please advise as to where the information
can be found or who I could contact to obtain the approved guidelines.
The draft HIPAA Security Regulation has an item under access control for - Emergency access procedure (see excerpt below from the policy).
We were wondering what would constitute compliance?
(c) Technical security services to guard data integrity, confidentiality, and availability (the processes that are put in place to protect information and to control individual access to information). These services include the following requirements and implementation features:
(1) The technical security services must include all of the following requirements and the specified implementation features:
(i) Access control that includes
(A) A procedure for emergency access (documented instructions for
obtaining necessary information during a crisis)
There are several ways that this can be accomplished:
1. Can your medical application software limit users to the areas they normally have access to and not other areas? (A doctor will only have access to a patient's information if that patient is currently one of their patients.)
2. A doctor requiring access could call the help desk for access. (Problems arise when your help desk is not 24 / 7 or when the need to see a patient's information is imminent, such as in an emergency room.)
3. This last solution is one I have seen at several hospitals. All activities are logged, the logs are audited on a routine basis, and situations where an employee has accessed records that they do not have a need to know are investigated. The problem with auditing logs is the need to consistently read volumes of logs. There are software solutions to assist with this kind of activity, and some of the software applications can alert administrators when areas are accessed by personnel who do not normally have permission to access them.
4. Further, a procedure should be developed that states what your organization has decided is the best way to provide emergency access to information. This may be one of the above solutions or simply that the IT administrator is on-call and will provide access to the employee. (This would work for a health plan or for non-emergency care and not for imminent care that must be provided). (Posted 5/15/03)
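The log-review approach in item 3, combined with the documented emergency-access reason from item 4, as an added example that is not part of the original answer. Everything here is constructed for illustration: the assignment table (which patients each user is currently treating), the audit-log format, the user and patient IDs, and the threshold for raising an alert are all assumptions, not any particular product's format.

```python
"""Routine review of an access audit log for emergency ("break-glass") access.

Added illustration, not code from the original Q&A. Hypothetical assumptions:
- each log line is  timestamp,user,patient_id,action,reason
- ASSIGNMENTS lists the patients each user has a current treatment
  relationship with (the "normal" access set)
- an access outside that set is either a documented emergency access
  (non-empty reason) or an unexplained access that an administrator
  should investigate
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample data: treatment assignments and an audit log.
ASSIGNMENTS = {
    "dr_adams": {"P1001", "P1002"},
    "dr_baker": {"P2001"},
    "clerk_cole": set(),  # no treatment relationship with any patient
}

AUDIT_LOG = """\
timestamp,user,patient_id,action,reason
2003-05-15T08:02:11,dr_adams,P1001,view,
2003-05-15T08:05:40,dr_adams,P1002,update,
2003-05-15T09:14:02,dr_baker,P1001,view,ER consult - patient unresponsive
2003-05-15T11:30:55,clerk_cole,P2001,view,
2003-05-15T12:01:09,dr_baker,P2001,update,
2003-05-15T13:45:33,clerk_cole,P1002,view,
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    patient_id: str
    action: str
    category: str  # "break_glass" (reason recorded) or "unexplained"
    reason: str = ""


def review_access_log(log_text: str, assignments: dict) -> list:
    """Return every access that falls outside the user's normal need-to-know set."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient = row["user"], row["patient_id"]
        if patient in assignments.get(user, set()):
            continue  # normal access: user is currently treating this patient
        reason = row["reason"].strip()
        category = "break_glass" if reason else "unexplained"
        findings.append(Finding(row["timestamp"], user, patient,
                                row["action"], category, reason))
    return findings


def users_to_investigate(findings: list, threshold: int = 2) -> list:
    """Users with at least `threshold` unexplained accesses: alert candidates."""
    counts = {}
    for f in findings:
        if f.category == "unexplained":
            counts[f.user] = counts.get(f.user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    findings = review_access_log(AUDIT_LOG, ASSIGNMENTS)
    for f in findings:
        print(f"{f.timestamp} {f.category:<11} {f.user} -> {f.patient_id} "
              f"({f.action}) {f.reason}")
    print("investigate:", users_to_investigate(findings))
```

On the sample data the ER consult by dr_baker is reported as break-glass access with its recorded reason, so the reviewer can confirm the emergency, while the two accesses by clerk_cole, who has no treatment relationship, are flagged as unexplained and the user is listed for investigation. The separation of "documented emergency" from "unexplained" is what makes a routine review manageable: only the second category needs a human to follow up.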