12/01/2016
HIPAA COMPLIANCE AND DIGITAL X-RAYS
Query: If all the devices on the network and the network itself are HIPAA-compliant, does software that runs on the devices and has access to ePHI need to be HIPAA-compliant?
Mark Tuccio, DPM, Jamestown, NY
Response: What does HIPAA compliance mean when it comes to software? HIPAA - The Health Insurance Privacy and Portability Act. When you talk about software it is usually more the portability portion they are talking about.
HIPAA is the acronym of the Health Insurance Portability and Accountability Act of 1996. The main purpose of this federal statute was to help consumers maintain their insurance coverage, but it also includes a separate set of provisions called Administrative Simplification. This section of the act is aimed at improving the efficiency and effectiveness of the health care system. The key components of Administrative Simplification include:
1. Standardized electronic transmission of common administrative and financial transactions (such as billing and payments)
2. Unique health identifiers for individuals, employers, health plans, and health care providers
3. Privacy and security standards to protect the confidentiality and integrity of individually identifiable health information
Let's look at each of the three components:
1 - This rule requires our billing software to talk seamlessly with claims clearinghouses and with insurance companies. Every single EHR and practice management program we use today is HIPAA-compliant, or else we would not be able to financially run our practices.
2 - If you have an NPI, you are compliant with this.
3 - These are the policies and procedures that you have in your office.
When a software developer says they are HIPAA-compliant, they are ONLY talking about #1 above. #2 requires you to get an NPI number, and #3 requires you to implement physical, technical, and physical safeguards to protect your data.
A software program such as a digital x-ray system may have tools to better enable you to implement technical security. Here are the questions I would ask the vendor to see how many tools they have put into place:
1. Can you show me the audit logs built into your software?
2. What type of encryption is built into your system?
3. What type of tools are built into your system to allow me to do backups?
4. What controls do you have in place to require me to change my password on a regular basis?
5. How easy is it for me to change my password? What controls do you have in place to require me to use strong passwords?
6. Can I deactivate a user account without deleting it?
7. Can I set the software up to have each user having their own username and password?
For each of the questions above:
1. If the software does not have audit logs, then I do not see how the program can claim it is HIPAA-compliant. (EHR systems that are CERTIFIED for Meaningful Use have the logs, so if you are looking at Certified EHR software you don't have to ask this question. Digital x-ray systems are NOT certified for Meaningful Use.)
2. If the software does not have encryption, that is okay; you can use third-party tools to encrypt your computer, and it is not needed to be in your software.
3. If the software does not have a backup utility but you know where the data is stored, you can use third-party tools to back up your data.
4. This can be in the software or can be a policy that you have, and you can change passwords regularly without the software requiring it.
5. Same as #4.
6. This is very important to protect the integrity of the logs (see #1).
7. This is very important to protect the integrity of the logs (see #1).
So, my recommendation is: Call the vendor and say, "I am very interested in seeing how your software is HIPAA-compliant. Please demonstrate those features to me." If they start explaining anything, STOP them and say, "I want to see a demonstration in the software." Let them show you 'how' their software is HIPAA-compliant, and if the things they show you have nothing to do with the items above, I would be curious to know what they are showing you.
Michael Brody, DPM, Commack, NY