Ascension Health HIPAA Web Site
Maintained by Don Stry, Information Services Division

(812) 228-2131 Email: dstry@ascensionhealth.org

Section: HCFA Internet Security Policy and Encryption Methods

Updated 11/06/01

9 Best HIPAA Practices

by Tom Newton (Received 08/09/01 from HIMSS)

(Tom is the Information Security Officer for Carilion. He also directs the HIPAA Program for the organization.)

Introduction

Located in Southwest Virginia, Carilion Health System is an integrated delivery system of seven owned and three managed hospitals, long-term care facilities and a health plan. Two years ago, Carilion joined in a partnership with the University of Virginia and Virginia Tech to form Carilion Biomedical Institute. It is a $175 million initiative to turn research ideas into practical and affordable healthcare products and processes.

Therefore, Carilion must address HIPAA from a provider, payer and research perspective. Shortly after January 1, 2000, Carilion appointed the Information Security Officer as the HIPAA Project Coordinator. The Project is sponsored and overseen by the Information Technology Security and Confidentiality Committee (ITSCC), which is chaired by the Security Officer.

The Project is divided into ten teams:

__ Transactions and Code Sets
__ Privacy – Policies and Procedures (P & P) for Use and Disclosure, Patient Rights, Minimum Necessary
__ Security:
   __ Technical – Digital Signature, Encryption and Authentication
   __ Data and Voice Communication – Servers, modems, Internet, E-mail
   __ Vendor Issues – Software changes, new releases of software required for compliance
   __ Contingency Planning – business resumption planning, which includes backups and business recovery
__ Corporate Issues:
   __ Legal – Notice of Privacy Practices, Consent Form(s), Business Associate Agreements
   __ Awareness and Training – Work Force Training, Periodic Reminders, New Employee Orientation
   __ Communications – Public Relations
__ National Identifiers

Each team has a team leader and support staff. One of the first steps was to determine where protected health information (PHI) was used, stored / maintained and transmitted within the organization.

A survey was sent to each department asking the following questions:

Does your department use, store / maintain or transmit any patient identifiable information?

__ If so,
   1. How does your department access the patient information it uses – paper, computer (terminals and/or PC), faxed copies, other?
   2. How is patient information stored / housed in your department – paper, computer storage media, other?
   3. How is patient information transmitted – E-mail, Fax, Internet/Intranet?
__ If information is transmitted, to whom is it transmitted?

From the survey we were able to develop a PHI Data Analysis Chart. This information will be used to follow up on use and disclosure issues, minimum necessary restrictions, protection of patient data (security) and the business partners with whom data is being shared.


9.1 Transaction and Code Sets

When the Transaction and Code Sets regulation was issued in August 2000, the T & CS team began a lengthy process to determine how the targeted transactions were used and which application systems processed them. The efforts of the team resulted in a chart that documented:
__ Application systems that sent transactions.
__ Application systems that received transactions.
__ Type of transaction(s) processed within the application system.
__ How the transaction was sent – TCP/IP, FTP, etc.
__ Description of data sent.
__ Application system owner and contact information.
__ Who supported the application.

With limited success, we contacted the software vendors listed in our chart. We quickly learned that the vendors were not very helpful and were not able to supply usable information. In our opinion, the vendor should have options to meet the regulation: remediate their applications in an updated release, offer a "mapping" tool specific to their application, or use external related products (which Carilion may not want to use) to provide compliance. The team did not wait on the vendors to act; instead we began to look at mapping engines that would process inbound and outbound transactions and were EHNAC certified. Money has been allocated in the budget to purchase a mapper.

9.2 Privacy

The Privacy Team began their work in February 2001. We printed the regulation from DHHS's web site and made an attempt to read it. The regulation, as written, was difficult to follow: lowercase letters, followed by numbers, followed by roman numerals, followed by capital letters, all aligned left. Therefore, we took the text-only regulation, converted it into a Word document, indented the outline according to proper English rules, and double-spaced it with one-inch margins. The resulting document was 143 pages, with space between lines and in the margins to make notes and highlight important points. With the document in Word format, word and phrase searches could be accommodated – a great time saver. It is this document the team works from and references when developing charts and P & P.

The second step in understanding the Privacy regulation was to require each Team member to read the re-formatted document twice. This process of re-formatting and required reading has proven to be a valuable tool in our HIPAA program. It has saved countless hours of debate in team meetings on what the regulation says and where it is located.

Reference No / Page Number    Requirement
164.502.e.2 / 37              Covered entity must document the satisfactory assurances that business associates will safeguard PHI.
164.506.a.3.ii / 55           A covered health care provider that fails to obtain consent for treatment, payment or health care operations must document its attempt to obtain consent and the reason why consent was not obtained.
164.520.e / 114               A covered entity must document compliance with the Notice of Privacy Practices requirements by retaining copies of the notices issued by the covered entity as required.

With P & P as the primary responsibility of the Team, the Team divided the regulation into four parts to be reviewed and assessed against current organizational processes: Patient Rights, Use and Disclosure, Minimum Necessary and Other. Other includes the legal issues such as Notice of Privacy Practices, new consent form(s) and Business Associate Agreements, plus miscellaneous items.

Another team within the HIPAA Project handles training. Team members were assigned to each of the four parts. By brute force – page by page – the team members reviewed the regulation over a period of several months. Each member reported his/her findings and recommendations on new or revised P & P at the team meeting. We learned that in many cases we were doing what the regulation required, but it was not documented anywhere.

One thing we wanted to avoid was a whole new set of P & P just for HIPAA. We decided to fold the HIPAA requirements into our existing P & P where possible, to avoid duplicating procedures, to avoid adding to an already large number of policies on record, and to decrease the time required to issue a new Policy.

The following current Policies are being updated with HIPAA wording and requirements:
__ Information Security and Privacy Policy
__ Confidentiality of Patient Information (to become a procedural manual)
__ Patient Rights and Responsibilities Policy

One new Policy will be issued:
__ Minimum Necessary Standard and Level Of Access for Patient Information

This Policy outlines five levels of access to patient data, ranging from Level 1 (directory access) to Level 5 (full medical record access).


While the Privacy Team is proceeding with their work, Internal Audit is contacting each department within the organization to document any internal departmental P & P the department might be using that affect the handling of protected health information. These P & P will need to be reviewed by the Privacy Team to ensure that HIPAA requirements are not violated by some isolated departmental procedure.

As a result of the Privacy Team's efforts, three charts were created. The first is a chart on use and disclosure: when consent is required, when authorization is required, and when neither consent nor authorization is required. The chart provides reference and page numbers to the regulation. This one page, front and back, will be used as a handout during workforce HIPAA orientation and will be available within applicable departments.

The second chart is HIPAA Privacy Documentation Requirements. It lists the places within the regulation where documentation is required. As in the first chart, reference and page numbers to the regulation are shown.

The third chart is a map of the Privacy regulation to current P & P. As an example: this chart allows us to see where current P & P relate and where we need to write new sections to insert into P & P. In other words, this is a gap analysis on P & P.

9.3 Security

The NPRM Security regulation is being handled like the Privacy regulation. The regulation was divided into technical and non-technical sections. The Team looked at what we have and where we need to be, and published a Security gap analysis. For the technical section, money is budgeted to address several issues.

9.4 Summary

Below are our best practices so far:
__ Development of a project plan and gap analysis.
__ Reformat the regulations into a usable and searchable document.
__ Require team members to read the whole regulation, not just bits and pieces.
__ Determine where protected health information is used, stored / maintained or transmitted within the organization.
__ Document where HIPAA-covered transactions are used and how they are processed in legacy systems.
__ Separate the regulations into manageable pieces and assign individual team members to each piece.
__ Develop tools to help in understanding the regulations, such as:
   __ What must be documented.
   __ When consent / authorization is required or not required.
   __ Map HIPAA requirements to current or new organizational P & P.
__ Fold HIPAA requirements into existing P & P to avoid a whole new set of policies.

This will make HIPAA part of the organization’s way of doing business instead of some unrelated information handling requirement. Through all of our team efforts, we ask this question on each issue, "Is this reasonable and right for us?" This is our guiding philosophy toward HIPAA.

END
