HIPAA for IT folks

Security is always a concern for IT people, and HIPAA has added another twist for healthcare departments: failure to comply with HIPAA can cost your practice up to $250,000 for a single offense.

We have been reading this for years. I have been working on healthcare projects for the last 6 years with two of the top payers in the USA plus other smaller clients, in both the provider and payer spaces. Thank God, I have never fallen into a situation where I, my company or my client had to pay those several-zero dollar amounts.

So why HIPAA? Must be a law brought in by some parliamentarian to show their congressional/democratic power to the general public!!! Oh really?

For those who are not aware of the HIPAA act, especially the IT guys not aware of HIPAA Title II (EDI Simplification): they receive periodic instructions from their IT department to protect PHI data. HIPAA Privacy & Security Laws mandate protection and safeguards for access, use and disclosure of PHI and/or ePHI, with sanctions for violations. PHI refers to:
- Medical record number, account number or SSN
- Patient demographic data, e.g., address, date of birth, date of death, sex, e-mail / web address
- Dates of service, e.g., date of admission, discharge
- Medical records, reports, test results, appointment dates

Last month I took a session on Healthcare 101, a basic training. A few queries were raised by the audience on the HIPAA slides. So my article here is to show the real importance of this PHI data and hence to say why HIPAA is so important for us. I hope a few case studies borrowed from the internet, along with my explanation, will make this topic convincing to you.

Case Study 1: First victim under HIPAA violation

Huping Zhou (http://journal.ahima.org/2010/04/29/californian-sentenced-to-prison-for-hipaa-violation/) was the first person in the nation to receive jail time for a misdemeanor HIPAA offense: accessing confidential records without a valid reason or authorization, but not profiting from it through the sale or use of the information. Zhou was in prison for four months along with a fine of $2000. He was a licensed cardiothoracic surgeon in China before immigrating to the US, and was employed as a researcher with the UCLA School of Medicine. Over the next three weeks, Zhou abused his access to the organization's electronic health record system to view the medical records of celebrities and high-profile patients [I wish I could list those few names here, but again it may come under the HIPAA violation radar]. He accessed the UCLA record system 323 times during the three-week period.

Okay, so case study #1 says it was a violation of PHI data, but there is still no evidence of any physical or economic damage. Let me take you to the next level of crime now.

Case Study 2: Impact on an individual if his/her Medical Record is exposed

A patient was diagnosed with HIV and had been with a physician for quite a long time for ongoing treatment. Later on he was to be transferred to another physician for continuity of care. The current physician's secretary mistakenly faxed his medical record to the patient's employer instead of the new physician. His employer came to know about the case and finally he was terminated.

A similar case happened with a 30-year FBI veteran. He was sent on leave when a pharmacy released information about his treatment for depression without his permission.

A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt.

I hope you now understand why a medical record (MR) should not be exposed to everyone.

Case Study 3: Impact on marketing strategies

Let us assume I run a chain of hospitals in my state. I may leak a huge set of routine test data to a particular drug company. This company puts a lot of analytics on it and finds that a major percentage of the patients are affected by cancer. The next day the drug company may launch a product claiming to be the right treatment for that need and post a 10% discount to increase sales. People falling into this category may take it without much analysis of the product features, simply because of their urgent need.

Indeed this has happened. A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol.

With a similar thought, if a banker receives this data, it may launch a new loan scheme in the market.

A survey shows that 40% of insurers disclose PHI data to employers, lenders and marketers without customer permission. You might have read about the privacy cases on Google or Facebook as well. Ultimately the government is trying to make you safer in this digital universe as well.

I am sure that now you will take precautions while working with any EMR database, CCR/CCD/HL7/EDI files or DICOM images. At least I do!

Let us think: you get Citrix to work with such a client, rather than working in your local environment. Is this a HIPAA rule or just a secure way of doing your work?

To explain HIPAA to you, I would recommend referring to Google, because I have only a tiny knowledge of it. But in the context of an IT professional, I will try to simplify it for you. Here is the HIPAA checklist: http://www.hipaanews.org/checklist.htm. Please follow it religiously and officially whenever you execute a healthcare project.

Now to answer the question, is Citrix usage required under HIPAA or not? Let us explore the relevant checklist items (#17 & #18) from the above link.

#17 Has your organization completed a Security Evaluation on the information systems used in conjunction with maintaining your current and future Protected Health Information?

#18 Does your organization have virus checking software, firewalls and operating systems that provide encryption and other security measures?

So ultimately the HIPAA act is nowhere telling you to use Citrix, but the act needs a secure system to be used, and hence our client provides one for us. So ultimately Citrix becomes just one way of fulfilling the clause under the HIPAA act. What is important to understand from this is that whenever there is a security audit (internal or external), you have to assure that the working system is 100% secure and not penetrable. This way you have to think about the entire checklist to assure that you are not violating the act anywhere, knowingly or unknowingly.

Disclaimer: I have composed this topic from my own understanding of HIPAA. Excuse any conceptual/grammatical/typo mistakes. There could be better ways to explain the same.

Feel free to comment on this!

Important HL7 Segments

======= MSH =======
3 – Sending Application
4 – Sending Facility
5 – Receiving Application
6 – Receiving Facility
7 – Date/time of message
9.1 – Message Type
9.2 – Message Event (trigger event)
10 – Message Control Id
11 – Message Processing Id
12 – HL7 Version

======= PID =======
3.1 – InternalId
5.1 – Patient Last Name
5.2 – First Name
8.1 – M/F
11.1 – 11.5 – Pat Address
18.1 – Pat Acc Number
19.1 – Pat SSN

======= GT1 =======
3.1 – Insured Last Name
3.2 – First Name
8.1 – DOB

======= DG1 =======
3.1 – ICD Code

======= OBR =======
2.1 – Placer Order No. (Accession Id)
3.1 – Filler Order No. (Accession Id)
4.1 – Claim Order Code
4.2 – Claim Order Code description
7.1 – Requested Date
10.1 – Run By
14.1 – Sample received date
16.1 – External Physician Id (NPI)
22.1 – Result date/time
25.1 – Status

======= OBX =======
3.1 – Result Code
3.2 – Result Description
5.1 – Result Value
6.1 – Result Unit
11.1 – Result Status
14.1 – Result date/time

======= IN1 =======
3.2 – Payer Id
4.1 – Payer Name
5.1 – 5.5 – Payer Address
8.1 – Group No.
15.1 – Payer Type
16.1 – Insured Last Name
17.1 – Relation
36.1 – Policy No.

Quest and Mirth – 2

I already wrote about how to send an ORM file to Quest lab. Please refer to this link: Quest and Mirth – 1
Now I am going to write here how to get/receive a result file (ORU) from Quest Lab.

You may have different requirements, but as per my need I have created 2 channels just for getting the results and processing them within our system.

1. 1st Channel Name : Quest-Results Import
2. Configuration Source:
   Connector Type : JavaScript Reader
We need to define a schedule (polling interval) to trigger the JavaScript code. Based on this polling mechanism, your Mirth request will be triggered to hit the Quest server and fetch the results. Because, as I believe, once you send an order to Quest lab they are not going to tell you when they uploaded the result, we need to automate the process.

In the JavaScript editor box write any valid JavaScript code, for example var app = "Quest"; leaving it blank will throw an error.

3. Configuration Destination:
Connector Type : SOAP Sender
WSDL Path : https://<UserName>:<Password>@cert.hub.care360.com:443/resultsHub/observations/hl7?wsdl
Service Endpoint URI : https://<UserName>:<Password>@cert.hub.care360.com:443/resultsHub/observations/hl7
Send Response To : Quest Result WS [This is your 2nd Channel – why? You will come to know]
Use Persistent Queues : No
Method : GetHL7Results
Now you need to fill in the parameters of the above method carefully under the "Method" block in Mirth:

> Click on string endDate – on the right side, under Value, fill in null
> int maxMessages = 1
> startDate = null
> the rest you can leave blank

Using the above method you will get the results from Quest, which will be sent to the 2nd channel. But Quest sends you an encoded ORU file (not the plain HL7 ORU file). Hence our target is to decode it and get the proper HL7 ORU file.

4. 2nd Channel Name : Quest-Results-WS-Decoder
5. Configuration Source : Channel Reader (from the 1st channel)
Use the transformer below:

// This transformer reads the encoded result message, decodes it, converts it into a string and writes it to a file.
var qstORUmsg = new XML(msg);
//var qstORUmsgSize = qstORUmsg.*::Body.*::getHL7ResultsResponse.*::result.*::HL7Messages.*.length().toString();
var qstORUmsgSize = qstORUmsg.*::Body.*::getHL7ResultsResponse.*::result.*::HL7Messages.*::HL7Message.length().toString();

var encoded = "", decoded = "", finalMsg = "", msgfileId = "";
for (var i = 0; i < qstORUmsgSize; i++) {
    // base64 text of the i-th HL7Message element
    encoded = qstORUmsg.*::Body.*::getHL7ResultsResponse.*::result.*::HL7Messages.*::HL7Message[i].*::['message'].toString();
    decoded = FileUtil.decode(encoded);                // base64 -> byte[]
    finalMsg = new Packages.java.lang.String(decoded); // byte[] -> Java String (the plain HL7 ORU)
    msgfileId = UUIDGenerator.getUUID();               // or DateUtil.getCurrentDate("hhmmss.SSS")
    FileUtil.write('C:/MedLink_IX/Quest/Results_Test/Decoded/' + msgfileId + '.hl7', false, finalMsg);
}

This will write each HL7 ORU message into a file with a unique name.

6. Message templates to be used

Inbound Message Template (the wrapper elements below follow the path used in the transformer above; the original template showed only the inner elements). If you need an explanation of this envelope please let me know: rajesh4it@gmail.com

  <env:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Body>
      <getHL7ResultsResponse>
        <result>
          <HL7Messages>
            <HL7Message>
              <controlId xsi:type="xsd:string">00000000000001043797</controlId>
              <message xsi:type="xsd:base64Binary">AnythingHere1</message>
            </HL7Message>
            <HL7Message>
              <controlId xsi:type="xsd:string">00000000000001066486</controlId>
              <message xsi:type="xsd:base64Binary">AnythingHere2</message>
            </HL7Message>
          </HL7Messages>
          <isMore xsi:type="xsd:boolean">false</isMore>
          <requestId xsi:type="xsd:string">721fac9e0a801e0c112d96f02a978781</requestId>
        </result>
      </getHL7ResultsResponse>
    </env:Body>
  </env:Envelope>

Outbound Message Template:
Keep a valid HL7 message of ORU type. [MSH, PID, PV1 …..]
7. Configuration Destination:
Channel Writer (dummy destination for the WS Decoder), as you have already written the file using FileUtil.write
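As an added example (not the post's transformer and not Quest's or Mirth's code), the following Node.js script does the 2nd channel's decode step outside Mirth and then reads fields by the segment/field numbers from the HL7 cheat sheet above, adding an ORU^R01 check before anything is written and an audit line that carries identifiers but no PID fields. The response envelope, the ORU message and every value in it are constructed; only the element names follow the transformer's path.

```javascript
// Added example, not the post's Mirth transformer. All data below is constructed.
const CR = "\r"; // HL7 v2 segment separator

// Build a segment from {fieldNumber: value}, using the field numbering of the cheat sheet.
function seg(name, fields) {
  const out = [name];
  for (let i = 1; i <= Math.max(...Object.keys(fields).map(Number)); i++) out.push(fields[i] || "");
  return out.join("|");
}

// Constructed ORU^R01 covering the MSH, PID and OBR fields listed above.
const SAMPLE_ORU = [
  "MSH|^~\\&|LAB|QUEST|EMR|CLINIC|20240101120000||ORU^R01|MSG001|P|2.3",
  seg("PID", { 1: "1", 3: "MRN12345", 5: "DOE^JANE", 7: "19700101", 8: "M",
    11: "1 Main St^^Orlando^FL^32801", 18: "ACC001", 19: "123456789" }),
  seg("OBR", { 1: "1", 2: "PL001", 3: "FL001", 4: "80061^LIPID PANEL^L",
    7: "20240101100000", 14: "20240101110000", 16: "1234567890", 25: "F" }),
].join(CR);

// Constructed GetHL7Results-style response: each <message> carries base64 HL7, as in the inbound template.
const SAMPLE_RESPONSE = "<env:Envelope><env:Body><getHL7ResultsResponse><result><HL7Messages>" +
  "<HL7Message><controlId>00000000000001043797</controlId><message>" +
  Buffer.from(SAMPLE_ORU, "utf8").toString("base64") + "</message></HL7Message>" +
  "</HL7Messages><isMore>false</isMore></result></getHL7ResultsResponse></env:Body></env:Envelope>";

// Pull every base64 <message> out of the response and decode it (FileUtil.decode's job in Mirth).
function extractMessages(xml) {
  const out = [];
  const re = /<message[^>]*>([^<]+)<\/message>/g;
  for (let m; (m = re.exec(xml)) !== null; ) out.push(Buffer.from(m[1].trim(), "base64").toString("utf8"));
  return out;
}

// Read SEG-field.component with cheat-sheet numbering (MSH-1 is the '|' itself, so MSH is offset by one).
function field(hl7, segName, fieldNo, comp = 1) {
  const line = hl7.split(/\r\n|\r|\n/).find((l) => l.startsWith(segName + "|"));
  if (!line) return "";
  const parts = line.split("|");
  const value = segName === "MSH" ? parts[fieldNo - 1] : parts[fieldNo];
  return (value || "").split("^")[comp - 1] || "";
}

// Accept only ORU^R01 (result) messages before writing anything to disk.
function isOru(hl7) {
  return field(hl7, "MSH", 9, 1) === "ORU" && field(hl7, "MSH", 9, 2) === "R01";
}

// Audit line built from identifiers only (no PID fields), so the channel log itself holds no PHI.
function auditLine(hl7) {
  return `control=${field(hl7, "MSH", 10)} accession=${field(hl7, "OBR", 3)} status=${field(hl7, "OBR", 25)}`;
}
```

In the Mirth channel the same gate would sit inside the for loop, before FileUtil.write, and the audit line is what belongs in logger.info rather than the decoded message.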