The HIPAA PDA Compliance Survey


On January 21, 2002 we posted a message to the major PDAs in healthcare listservs advising our readers of a new freeware application available for download. Quote: "PocketPractitioner 2002 Lite is a free patient tracking and note-taking program. This product is ideal for medical practitioners in training or for those with simple tracking and reporting needs. Major functions include 1) tracking patients in inpatient or outpatient settings, 2) recording patient demographic data, 3) listing patient diagnoses and medications, 4) creating patient notes, 5) maintaining a diagnosis list and medication list and 6) creating notes in all lists, essentially replacing your note card file. Download it here: Our thanks to Jon Blackman of Pocket Informatics for this great addition to our list"


On January 22, 2002 a member of the PDAs in Nursing listserv posted this query: "Can you tell me about the security risks of the information on PocketPractitioner? I have not tried this software yet, but I am always cautious about medical records on my PDA."

On January 22, 2002 our response to the query was: "There are no fail proof methods of securing data on a PDA, or a PC for that matter. But there are a few (and free) ways of helping secure your PDA. Go to: these apps are recommended to all users. As for how HIPAA views this issue ......I'm staying out of that debate for now ;-)"

...We were quickly taken to task for attempting to sidestep the HIPAA issue ...and rightly so.

On January 26, 2002 in an attempt to stimulate debate on this critical issue (and hopefully find some answers), the following question was posted to the list: "How can we make our gadgets HIPAA compliant? Is "locking" your gadget with software such as the ones listed on this page sufficient? ... do we need to do more? ...If so what?"

--- but after 48 hours the list remained silent on this subject, although there were approximately 10 postings on other matters in the same time frame. Why would that be? This is obviously an issue that concerns us all. We are all looking for answers. We all want to comply with HIPAA. So then, why were there no "takers"? Why would a very active listserv of approximately 700 informed and knowledgeable healthcare practitioners avoid this issue?

Perhaps it is because regulatory compliance issues and the required interpretation of the regulations are outside of our normal area of expertise. Perhaps none of us currently feel competent to offer opinions on such a sensitive issue in a public forum. .... a place where our comments are on public view, and therefore if we (heaven forbid), make a mistake and our opinions are subjected to public criticism...and then recorded for posterity, ...well, how can we live with that?

It is for the above reasons that we conceived of the idea of this survey. Here you can express your thoughts (and see what your colleagues think) by simply checking the answers in a few question fields and then anonymously submit them. --- Your privacy is guaranteed!

In order to assist you in answering the questions, we've reviewed the Health Care Financing Administration and the Office for Civil Rights websites and attempted to provide you with a summation of the relevant sections. (Links are also provided for those who wish to "dig deeper".)

Please take a moment to read the summary before you go to the questions at the bottom of this page. (Once you've submitted your answers you will be able to view selected responses in real time)


Standards for Privacy of Individually Identifiable Health Information
The HIPAA Privacy Rule

(The following information is quoted verbatim from the Health Care Financing Administration website)

HIPAA contained a provision that gave Congress until August 21, 1999, to pass comprehensive privacy legislation. When Congress did not enact privacy legislation by that date, the law required the Department of Health and Human Services (HHS) to craft such protections by regulation.

HHS published the final Privacy Rule on December 28, 2000. The final rule took effect on April 14, 2001. This rule gives patients greater access to their own medical records and more control over how their personal health information is used. The rule also addresses the obligations of health care providers and health plans to protect health information. By law, covered entities (health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically) have until April 14, 2003, to comply. (Small health plans have until April 14, 2004, to comply.) See the Health Care Financing Administration website

On July 6, 2001, the Office for Civil Rights (OCR) issued the first in a series of guidance materials that answer some of the questions about the new protections for consumers and requirements for doctors, hospitals, other providers, health plans and health insurers, and health care clearinghouses. It also clarifies some of the confusion regarding the meaning of key provisions of the rule. The guidance and other technical assistance materials are posted on the OCR Privacy Web site at:


Office for Civil Rights (OCR) HIPAA Guidelines

(The following information is quoted verbatim from the OCR website - with italics and bolding added for clarity by the PDA cortex editorial team)

Q: What does this regulation do?

A: The Privacy Rule became effective on April 14, 2001. Most health plans and health care providers that are covered by the new rule must comply with the new requirements by April 2003.
The Privacy Rule for the first time creates national standards to protect individuals' medical records and other personal health information.

Q: What does this regulation require the average provider or health plan to do?

A: For the average health care provider or health plan, the Privacy Rule requires activities, such as:
· Providing information to patients about their privacy rights and how their information can be used.
· Adopting clear privacy procedures for its practice, hospital, or plan.
· Training employees so that they understand the privacy procedures.
· Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
· Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.


General Requirements

· Covered entities must reasonably safeguard Protected Health Information (PHI) - including oral information - from any intentional or unintentional use or disclosure that is in violation of the rule. They must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonably safeguard" means that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. However, we do not expect reasonable safeguards to guarantee the privacy of PHI from any and all potential risks. In determining whether a covered entity has provided reasonable safeguards, the Department will take into account all the circumstances, including the potential effects on patient care and the financial and administrative burden of any safeguards.

· Covered entities must have policies and procedures that reasonably limit access to and use of PHI to the minimum necessary given the job responsibilities of the workforce and the nature of their business. The minimum necessary standard does not apply to disclosures, including oral disclosures, among providers for treatment purposes. For a more complete discussion of the minimum necessary requirements, see the fact sheet and frequently asked questions titled "Minimum Necessary."

· Many health care providers already make it a practice to ensure reasonable safeguards for oral information - for instance, by speaking quietly when discussing a patient's condition with family members in a waiting room or other public area, and by avoiding using patients' names in public hallways and elevators. Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.

· Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonable safeguards" mean that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. The Department does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of covered entities regarding potential effects on patient care and financial burden.

For example, the Privacy Rule does not require the following types of structural or systems changes:
· Private rooms.
· Soundproofing of rooms.
· Encryption of wireless or other emergency medical radio communications which can be intercepted by scanners.
· Encryption of telephone systems.


HIPAA PDA Compliance Survey

1. Do you feel that electronic data is inherently more secure, less secure, or about as secure as traditional paper-based methods of recording and storing data?

More secure
Less secure
About as secure
Don't know

2. Do you use electronic data capture and retrieval in your practice today?


3. Do you currently own a PDA?


4. Do you currently use a PDA to record and retrieve patient information?


5. If you are NOT currently using a PDA for patient data capture and retrieval do you plan to do so at some time in the future?

Don't know

6. If you ARE planning to use your PDA for patient data capture and retrieval in the future, when do you plan to do so?

6 Months
12 Months
2 Years
I Don't know yet but I know it's coming.

7. Does your PDA meet the minimum HIPAA requirements "out of the box"? That is to say, as it comes to you directly from the factory with the manufacturer's built-in security features?

Don't know

8. Do you think that the addition of an encryption algorithm application such as "CryptoPad" to a PDA meets the HIPAA minimum requirements?

Don't know

9. Do you think that patient data is more secure when it is:

Recorded on paper and in a locked briefcase?
Recorded in a PDA and protected by an encryption algorithm?
Recorded in a PDA with the standard factory supplied security?

10. What steps should be taken in order to secure patient data on a PDA (other than an encryption algorithm) to your satisfaction? (The answers to this question will NOT be displayed on the results page. However selected responses may be published at a later date and in another format on this website.)

Demographics. What is your professional status? Choose all that apply.
Medical Student
Nurse Practitioner/Physician Assistant
Nursing Student
Emergency Medical Services
Educator (professor/instructor etc.)
Software Developer




© 2001 PDA cortex. All Rights Reserved
IT's Cutting Edge