by CSO Staff

HIPAA-cratic Oath

Nov 08, 2002 | 4 mins

Compliance, Data and Information Security, HIPAA

Q: Is it true that at some point the Health Insurance Portability and Accountability Act (HIPAA) will disallow the use of Social Security numbers to identify individuals?

A: The use of Social Security numbers, in general from a security perspective, is bad karma. Too many identity theft criminals use that data as a jumping-off point to steal your personal information, ruin your credit and illegally acquire goods, services and products.

The identification numbering system proposed by HIPAA regulations is an effort to reach a more robust level of patient, provider and payer identification, as well as to streamline reporting of such information across disparate private, state and federal reporting systems and networks.

I highly recommend that if your organization is using Social Security numbers, you should discontinue that as soon as possible.

Q: How are health-care organizations addressing the overlap between the final privacy regulations and the proposed security regulations?

A: There are many crossover points between the privacy and security regulations under HIPAA. Many of the administrative and policy stipulations under privacy require a technological component to enhance the compliance requirement. The fact that the security regulations’ final implementation by Health and Human Services has been delayed numerous times since 2000, and will most likely be delayed again, doesn’t change the fact that privacy regulations must be complied with.

A close coordinated effort needs to be accomplished between security and privacy groups within health-care organizations so that security efforts don’t waste money or result in stovepiped duplicate efforts.

Q: In an environment that manages medical records, can we maintain HIPAA compliance when we are forced to grant rights to an untrusted third party by giving it access to our system?

A: No, you will be in noncompliance. However, by employing administrative and technological procedures, you can sequester such information from third parties that don’t need to know versus those that provide an application service provider service (like electronic medical records). Contractual and service level agreements can be created to protect your institution by obligating the third party to abide by patient health-care information protection requirements.

If the third party is untrusted, I question why you would give it information in the first place, but many legacy holes of this type exist. I have often heard health-care admins or nontechnical folks blindly accept a vendor statement like, “You have to do it our way.” That can’t be further from the truth. The organization I work at has compiled an extensive set of security requirements that we provide to prospective and current vendors.

If a senior executive or physician has a personal stake in a third-party relationship, there can be incredible pressures to cave in to a less secure solution. I have found that talking with the parties, educating them on how the same business can be transacted in a more secure fashion and providing such solutions is a win-win situation.

If your bosses still want to have an insecure relationship with a third party, obtain a letter signed by them saying they accept the risks and acknowledge that they are not complying with HIPAA.

Q: One of the provisions of the privacy portion states that protected health information (PHI) cannot be disclosed to anyone other than the individual to whom it pertains without specific authorization. Are health plans following this interpretation and getting authorization for spouses and family members? Do you expect any additional changes to the privacy regulations that will clarify or simplify this issue?

A: Many health-care organizations are interpreting such privacy requirements to extend to family members, including spouses, even to the point of not leaving detailed information on the patient’s home phone messaging service. Unless the patient specifically authorizes spouses or family members to be kept informed or to have access to such PHI, they should be excluded.

A significant revision to the privacy rules has been published this year. It states that within your institution, access to PHI can be granted to all institutional clinicians, staff and so on without the patient’s consent in order to ensure quality medical care for that patient.