12/01/2016    

HIPAA COMPLIANCE AND DIGITAL X-RAYS

Query: If all the devices on the network and
the network itself are HIPAA-compliant, does
software that runs on the devices and has
access to ePHI need to be HIPAA-compliant?

Mark Tuccio, DPM, Jamestown, NY

Response: What does HIPAA compliance mean when
it comes to software? HIPAA - The Health
Insurance Privacy and Portability Act. When you
talk about software it is usually more the
portability portion they are talking about.

HIPAA is the acronym of the Health Insurance
Portability and Accountability Act of 1996. The
main purpose of this federal statute was to
help consumers maintain their insurance
coverage, but it also includes a separate set
of provisions called Administrative
Simplification. This section of the act is
aimed at improving the efficiency and
effectiveness of the health care system. The
key components of Administrative Simplification
include:

1. Standardized electronic transmission of
common administrative and financial
transactions (such as billing and payments)
2. Unique health identifiers for individuals,
employers, health plans, and heat care
providers
3.Privacy and security standards to protect the
confidentiality and integrity of individually
identifiable health information

Let's look at each of the three components

1 - This rule requires our billing software to
talk seamlessly with claims clearing houses and
with insurance companies. Every single EHR and
practice management program we use to day is
HIPAA-compliant or else we would not be able to
financially run our practices

2 - If you have an NPI you are complaint with
this

3 - These are the policies and procedures that
you have in your office.

When a software developer says they are HIPAA-
compliant they are ONLY talking about #1 above.
#2 requires you to get a NPI number and #3
requires you to implement physical technical
and physical safeguards to protect your data.

A software program such as a digital x-ray
system may have tools to better enable you to
implement technical security. Here are the
questions I would ask the vendor to see how
many tools they have put into place

1. Can you show me the audit logs built into
your software?
2. What type of encryption is built into your
system?
3. What type of tools are built into your
system to allow me to do backups?
4. What controls do you have in place to
require me to change my password on a regular
basis?
5. How easy is it for me to change my password?
What controls do you have in place to require
me to use strong passwords?
6. Can I deactivate a user account without
deleting it?
7. Can I set the software up to have each user
having their own username and password?

For each of the questions above:

1. If the software does not have audit logs,
then I do not see how the program can claim it
is HIPAA-compliant (EHR systems that are
CERTIFIED for Meaningful Use have the logs so
2. if you are looking at Certified EHR software
you dont have to ask this question- Digital x-
ray system are NOT certified for Meaningful
Use)
3. If the software does not have encryption
that is okay you can use third party tools to
encrypt your computer and it is not needed to
be in your software
4. If the software does not have a backup
utility but you know where the data is stored
you can use third party tools to backup your
data
5. This can be in the software of can be a
policy that you have and you can change
passwords regularly without the software
requiring it
6. Same as #5
7. This is very important to protect the
integrity of the logs (see #1)
8. This is very important to protect the
integrity of the logs (see #1)

So, my recommendation is: Call the vendor and
say, "I am very interested in seeing how your
software is HIPAA-compliant. Please demonstrate
those features to me." If they start explaining
anything STOP them and say I want to see a
demonstration in the software. Let the show you
'how' their software is HIPAA-compliant and if
the things they show you have nothing to do
with the items above I would be curious to know
what they are showing you.

Michael Brody, DPM, Commack, NY

There are no more messages in this thread.