HIPAA for IT folks

Security is always an issue with IT people and HIPAA has given another torque to the Healthcare departments – Failure to comply with HIPAA can cost your practice up to $250,000 for a single offense.

We have been reading this since years. I am working into healthcare projects since last 6 years with two top most payers in USA plus other smaller clients as well both in provider & payer spaces. Thank God! Never fallen into a situation where either me, my company or my client needs to pay those several zeroes dollars.

 Then why HIPAA? Must be a law brought by parliament person to show their congress/democratic power to the general public!!! Oh really?

 For those who are not aware with HIPAA act specially the IT guys not aware with HIPAA Title II – EDI Simplification, they are getting a periodic instructions from their IT department to protect the PHI data. HIPAA Privacy & Security Laws mandate protection and safeguards for access, use and disclosure of PHI and/or ePHI with sanctions for violations. PHI refers below:-Medical record number, account number or SSN, Patient demographic data, e.g., address, date of birth, date of death, sex, e-mail / web address, Dates of service, e.g., date of admission, discharge Medical records, reports, test results, appointment dates.

Last month I took a session on Healthcare 101 – A basic training. Few queries were raised by the audience on HIPAA slides. So my article here is to prove the real importance of these PHI data and hence to say why is HIPAA so important for us? Hope few case studies  borrowed from internet along with my explanation will make this topic con-vincible to you.

Case Study 1:  First victim under HIPAA violation

Huping Zhou (http://journal.ahima.org/2010/04/29/californian-sentenced-to-prison-for-hipaa-violation/) was the first person in the nation to receive jail time for a misdemeanor HIPAA offense—for accessing confidential records without a valid reason or authorization but not profiting from it through the sale or use of the information.  Zhou was in prison for four months along with a fine of $2000.  He was a licensed cardiothoracic surgeon in China before immigrating to the US, was employed as a researcher with the UCLA School of Medicine.   Over the next three weeks, Zhou abused his access to the organization’s electronic health record system to view the medical records of celebrities and high-profile patients [ Wish I could list those few names here, but again it may under come HIPAA violation radar ]. He has accessed the UCLA record system 323 times during the three-week period.

 Okay so case study #1 says – it was a violation of PHI data. Still no evidence for any physical or economic damage. Let me take you to the next level of crime now.

Case Study 2: Impact on an individual if his/her Medical Record is exposed

A patient was diagnosed with HIV and he was with a physician for quite a long time for the ongoing treatment. Later on he was supposed to be transferred to another physician for continuity care. The current physician’s secretary has mistakenly faxed his medical record to the patient’s employer instead of the new physician. His employer came to know about the case and finally the he was terminated.

A similar case happened with a 30 yr. FBI veteran. He was sent on leave when the pharmacy released information about his treatment of depression without his permission.

 A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt.

Hope you understood why should not be MR exposed to everyone?

 Case Study 3:  Impact in marketing strategies

Let us assume I run a chain of hospitals in my state. I may leak a huge routine test data to particular drug company. This company put a lot of analytics and find a major percentage is impacted with cancer. Next day the drug company may launch a product claiming for the right treatment as per the need and posts a 10% discount to increase the sell.  People falling into this category may take it randomly because of their utter need instead of much analysis on the product features.

Indeed this has happened. A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol.

With a similar thought, if a banker receives this data – it may launch a new loan scheme in the market.

A survey shows 40% insurers disclose PHI data to employers, lenders, marketers without customer permission.  You might have read the privacy cases on Google or Facebook as well. Ultimately government is trying to make you safer from this digital universe as well.

 I am sure, now you will take precaution while working with any EMR database, CCR/CCD/HL7/EDI files or a DICOM images. At least I do!

Let us think – You get Citrix to work with such client, rather than working in your local environment. Is this a HIPAA rule or just a secure way of doing your work?

To explain you the HIPAA – I will recommend you to refer the Google. Cause I have a tiny knowledge on it. But in a context of IT professional – I will try to simplify it for you. Here is the HIPAA checklist – http://www.hipaanews.org/checklist.htm. Please follow them religiously and officially whenever you execute a Healthcare project.

Now answer to the question Citrix usage is required under HIPAA or not? –> Let us explore the relevant checklist item(#17 & #18) from above link.

#17Has your organization completed a Security Evaluation on the information systems used in conjunction with maintaining your current and future Protected Health Information?

#18Does your organization have virus checking software, firewalls and operating systems that provide encryption and other security measures?

So ultimately HIPAA act is nowhere telling to use the Citrix, but the act needs a secure system to be used- and hence our client provides for us. So ultimately Citrix becomes just one way of fulfilling the clause under HIPAA act. What is import to understand from this is, whenever there is a security audit (internal or external) – You have to assure that working system is 100% secure and no penetrable. This way you have to think about the entire checklist to assure that you are not violating the act anywhere knowingly or unknowingly.

Disclaimer: I have composed this topic from my understanding point of view on HIPAA. Excuse for any conceptual/grammatical/typos mistakes. There could be better ways to explain the same.

 Feel free to comment on this!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s