The HIPAA PDA Compliance Survey
Background
On January 21, 2002 we posted a message to the major PDAs-in-healthcare
listservs advising our readers of a new freeware application
available for download. Quote: "PocketPractitioner 2002 Lite
is a free patient tracking and note-taking program. This product
is ideal for medical practitioners in training or for those with
simple tracking and reporting needs. Major functions include 1)
tracking patients in inpatient or outpatient settings, 2) recording
patient demographic data, 3) listing patient diagnoses and medications,
4) creating patient notes, 5) maintaining a diagnosis list and medication
list and 6) creating notes in all lists, essentially replacing your
note card file. Download it here: http://www.pdacortex.com/PocketPractitioner_Download.htm
Our thanks to Jon Blackman of Pocket Informatics (www.pocketinformatics.com)
for this great addition to our list"
On January 22, 2002 a member of the PDAs in Nursing
listserv posted this query: "Can you tell me about the
security risks of the information on PocketPractitioner? I
have not tried this software yet, but I am always cautious
about medical records on my PDA."
On January 22, 2002 our response to the query was:
"There are no fail proof methods of securing data on
a PDA, or a PC for that matter. But there are a few (and free)
ways of helping secure your PDA. Go to: http://www.pdacortex.com/palm_security.htm
these apps are recommended to all users. As for how HIPAA
views this issue ......I'm staying out of that debate for
now ;-)"
We were quickly taken to task for attempting to sidestep
the HIPAA issue, and rightly so.
On January 26, 2002 in an attempt to stimulate debate on this
critical issue (and hopefully find some answers), the following question
was posted to the list: "How can we make our gadgets HIPAA compliant?
Is "locking" your gadget with software such as the ones
listed on this page http://www.pdacortex.com/palm_security.htm
sufficient? ... do we need to do more? ...If so what?"
After 48 hours the list remained silent on this subject, although
there were approximately 10 postings on other matters in the same
time frame. Why would that be? This is obviously an issue that
concerns us all. We are all looking for answers. We all want to
comply with HIPAA. So then, why were there no "takers"? Why would
a very active listserv of approximately 700 informed and knowledgeable
healthcare practitioners avoid this issue?
Perhaps it is because regulatory compliance issues and the required
interpretation of the regulations are outside of our normal area
of expertise. Perhaps none of us currently feel competent to offer
opinions on such a sensitive issue in a public forum, a place where
our comments are on public view, and where, if we (heaven forbid)
make a mistake, our opinions are subjected to public criticism and
then recorded for posterity. How can we live with that?
It is for the above reasons that we conceived of the idea of this
survey. Here you can express your thoughts (and see what your colleagues
think) by simply checking the answers in a few question fields and
then submitting them anonymously. Your privacy is guaranteed!
In order to assist you in answering the questions, we have reviewed
the Health Care Financing Administration and Office for Civil Rights
websites and attempted to provide you with a summary of the relevant
sections. (Links are also provided for those who wish to "dig deeper".)
Please take a moment to read the summary before you go to the questions
at the bottom of this page. (Once you've submitted your answers you
will be able to view selected responses in real time.)
Standards for Privacy of Individually Identifiable
Health Information
The HIPAA Privacy Rule
(The following information is quoted
verbatim from the Health Care Financing Administration website)
HIPAA contained a provision that gave Congress until August 21,
1999, to pass comprehensive privacy legislation. When Congress did
not enact privacy legislation by that date, the law required the
Department of Health and Human Services (HHS) to craft such protections
by regulation.
HHS published the final Privacy Rule on December 28,
2000. The final rule took effect on April 14, 2001. This rule gives
patients greater access to their own medical records and more control
over how their personal health information is used. The rule also
addresses the obligations of health care providers and health plans
to protect health information. By law, covered entities (health
plans, health care clearinghouses, and health care providers who
conduct certain financial and administrative transactions electronically)
have until April 14, 2003, to comply. (Small health plans have until
April 14, 2004, to comply.) See the Health
Care Financing Administration website
On July 6, 2001, the Office for Civil Rights (OCR)
issued the first in a series of guidance materials that answer some
of the questions about the new protections for consumers and requirements
for doctors, hospitals, other providers, health plans and health
insurers, and health care clearinghouses. It also clarifies some
of the confusion regarding the meaning of key provisions of the
rule. The guidance and other technical assistance materials are
posted on the OCR Privacy Web site at: http://www.hhs.gov/ocr/hipaa.
Office for Civil Rights (OCR) HIPAA Guidelines
(The following information is quoted
verbatim from the OCR website, with italics and bolding added for
clarity by the PDA Cortex editorial team)
Q: What does this regulation do?
A: The Privacy Rule became effective on April
14, 2001. Most health plans and health care providers that are covered
by the new rule must comply with the new requirements by April 2003.
The Privacy Rule for the first time creates national standards to
protect individuals' medical records and other personal health information.
Q: What does this regulation require the average provider
or health plan to do?
A: For the average health care provider or health plan,
the Privacy Rule requires activities, such as:
· Providing information to patients about their privacy rights
and how their information can be used.
· Adopting clear privacy procedures for its practice, hospital,
or plan.
· Training employees so that they understand the privacy
procedures.
· Designating an individual to be responsible for seeing
that the privacy procedures are adopted and followed.
· Securing patient records containing individually identifiable
health information so that they are not readily available
to those who do not need them.
General Requirements
· Covered entities must reasonably safeguard
Protected Health Information (PHI) - including oral information
- from any intentional or unintentional use or disclosure that is
in violation of the rule. They must have in place appropriate administrative,
technical, and physical safeguards to protect the privacy of PHI.
"Reasonably safeguard" means that covered entities
must make reasonable efforts to prevent uses and disclosures not
permitted by the rule. However, we do not expect reasonable safeguards
to guarantee the privacy of PHI from any and all potential
risks. In determining whether a covered entity has provided
reasonable safeguards, the Department will take into account all
the circumstances, including the potential effects on patient care
and the financial and administrative burden of any safeguards.
· Covered entities must have policies and procedures that
reasonably limit access to and use of PHI to the minimum necessary
given the job responsibilities of the workforce and the nature of
their business. The minimum necessary standard does not apply to
disclosures, including oral disclosures, among providers for treatment
purposes. For a more complete discussion of the minimum necessary
requirements, see the fact sheet and frequently asked questions
titled "Minimum
Necessary."
· Many health care providers already make it a practice
to ensure reasonable safeguards for oral information - for instance,
by speaking quietly when discussing a patient's condition with family
members in a waiting room or other public area, and by avoiding
using patients' names in public hallways and elevators. Protection
of patient confidentiality is an important practice for many health
care and health information management professionals; covered entities
can build upon those codes of conduct to develop the reasonable
safeguards required by the Privacy Rule.
· Covered entities must have in place appropriate administrative,
technical, and physical safeguards to protect the privacy of PHI.
"Reasonable safeguards" mean that covered entities must
make reasonable efforts to prevent uses and disclosures not permitted
by the rule. The Department does not consider facility restructuring
to be a requirement under this standard. In determining what is
reasonable, the Department will take into account the concerns of
covered entities regarding potential effects on patient care and
financial burden.
For example, the Privacy Rule does not require
the following types of structural or systems changes:
· Private rooms.
· Soundproofing of rooms.
· Encryption of wireless or other emergency medical
radio communications which can be intercepted by scanners.
· Encryption of telephone systems.