Call us toll free at (877) 357-0417

IT & BPO Solutions develops HIPAA compliant software for physicians, hospitals and clinics. We develop electronic medical record (EMR) systems, release of information (ROI) systems and complete patient information management modules. HIPAA compliance requires special focus and effort, as failure to comply carries significant risk of damage and penalties. A practice with multiple separate systems for patient scheduling, electronic medical records and billing requires multiple separate HIPAA management efforts.

Electronic Medical Records (EMR) and Electronic Health Records (EHR)

Electronic medical records (EMRs) and electronic health records (EHRs) are not the same thing. EMRs are computerized legal clinical records created in care delivery organizations (CDOs), such as hospitals and physician offices. EHRs represent the ability to share medical information easily among stakeholders and to let it follow the patient through various modalities of care across different CDOs.

EMR: An application environment composed of the clinical data repository (CDR), clinical decision support system (CDSS), controlled medical vocabulary (CMV), computerized provider order entry (CPOE), pharmacy and clinical documentation applications. The patient's electronic record is supported across inpatient and outpatient environments; is used by healthcare practitioners to document, monitor and manage care delivery within the CDO; and is owned by the CDO. The data in the EMR is the legal record of what happened to the patient during encounters at the CDO.

EHR: A subset of each CDO's EMR, presently assumed to include summaries, such as ASTM's Continuity of Care Record (CCR) and HL7's Care Record Summary (CRS), and possibly information from pharmacy benefit management firms, reference labs and other organizations about the health status of patients in the community. It contains patient input and access spanning episodes of care across multiple CDOs within a community, region, or state (or in some countries, the entire country). The patient controls access to information. In the United States, EHRs will ride on the proposed National Health Information Network (NHIN).

Before effective EHRs are possible, provider organizations must implement complete EMR systems.

Protected Health Information (PHI)

The key term of HIPAA is Protected Health Information (PHI): individually identifiable health information, that is, information about an individual's health condition, the care provided, or payment for that care which identifies the individual or could reasonably be used to identify them. PHI is protected in any medium in which it is held or shared with other health care providers or clearinghouses (digital, verbal, recorded voice, faxed, printed or written).

Principles of HIPAA

HIPAA intends to allow the smooth flow of PHI for treatment, payment and health care operations, while prohibiting any other use or disclosure of PHI without the patient's authorization. Health care operations include care quality assessment, competence review and training, accreditation, insurance rating, auditing and legal procedures.

HIPAA promotes fair information practices and requires those with access to PHI to safeguard it. Fair information practices mean that the subject must be allowed access to their PHI, correction of errors and omissions, and knowledge of who else uses their PHI. Safeguarding PHI means that those who hold it must be accountable for their own use and disclosure of it, and that there is legal recourse against violations.

HIPAA Implementation Process

HIPAA implementation begins with stating the assumptions of a PHI disclosure threat model. The implementation includes both preventive and after-the-fact (detective and corrective) controls and involves process, technology and personnel aspects.

A threat model clarifies the purpose of the HIPAA implementation process. It includes assumptions about

  • Threat nature (Accidental disclosure by insiders? Access for profit?),
  • Source of threat (outsider or insider?),
  • Means of potential threat (break-in, physical intrusion, computer hack, virus?),
  • Specific kind of data at risk (patient identification, financials, medical?), and
  • Scale (how many patient records threatened?).

The HIPAA process must include a clearly stated policy, educational materials and events, clear means of enforcement, a schedule for testing HIPAA compliance, and means of continued transparency about compliance. The stated policy typically includes a least-privilege statement (data access only as needed to complete the job), a definition of PHI, and incident monitoring and reporting procedures. Educational materials may include case studies, control questions, and a schedule of review seminars for personnel.

Technology Requirements for HIPAA Compliance

Technology implementation of HIPAA proceeds in stages, from the physical data center to the network to the logical data definition and its access controls.

  • To assure physical data center security, the manager must
    • Lock the data center
    • Manage the access list
    • Track data center access with closed-circuit TV cameras monitoring both internal and external building activity
    • Protect access to the data center with 24 x 7 onsite security
    • Protect backup data (backups contain PHI and need the same protection as live data)
    • Test the recovery procedure
  • For network security, the data center must have special facilities for
    • Secure networking - firewall protection, encrypted data transfer only (no PHI in clear text on the wire)
    • Network access monitoring and report auditing
  • For data security, the manager must have
    • Individual authentication - a unique login and password per person, never shared accounts, so every action is attributable
    • Role Based Access Control (see below)
    • Audit trails - all access to all data fields, reads as well as changes, tracked and recorded
    • Data discipline - limited ability to download or export data

Role Based Access Control (RBAC)

RBAC improves the convenience and flexibility of systems management. Greater convenience helps reduce errors of commission and omission in granting access privileges to users. Greater flexibility helps implement the policy of least privilege, where users are granted only as many privileges as required to complete their job.

RBAC promotes economies of scale, because a single user's role assignment changes far more often than the organization's role definitions do. Privileges therefore attach to the stable roles rather than to individual users: to change the privileges of a large number of users who share the same set of privileges, the administrator changes only the role definition.

Hierarchical RBAC further promotes economies of scale and reduces the likelihood of errors. It allows new roles to be defined by inheriting the privileges assigned to roles higher in the hierarchy, so that a privilege granted to a parent role is automatically available to every role beneath it.

RBAC is based on establishing a set of user profiles, or roles, according to responsibilities. Each role has a predefined set of privileges. A user acquires privileges by being made a member of a role, or by assignment of a profile, by the administrator.

Whenever the definition of a role changes, along with the set of privileges required to complete the job associated with the role, the administrator need only redefine the privileges of the role. The privileges of all users holding that role are redefined automatically.

Similarly, if the role of a single user changes, the only operation needed is reassignment of the user's profile, which automatically redefines the user's access privileges according to the new profile. Reassignment should replace the old role rather than add to it, otherwise the user accumulates privileges from every job they have ever held.
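The following is an added example, not the vendor's product code, showing the data security points above (individual authentication, role based access control, an audit trail of every access decision) together as a small hierarchical RBAC engine. Role names, privilege names, user IDs and the record number are constructed for illustration and are not a real practice's policy. It demonstrates the three operations the text describes: inheritance up the role hierarchy, a single role change propagating to all holders, and reassignment of one user swapping their whole privilege set.

```python
"""Hierarchical RBAC with least-privilege checks and an audit trail.

Added example (not the vendor's code). The clinic roles, privileges,
users and record IDs below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Role:
    name: str
    privileges: set = field(default_factory=set)
    parents: set = field(default_factory=set)   # roles whose privileges this role inherits


class Rbac:
    """Users hold roles, roles hold privileges, roles may inherit from parent roles."""

    def __init__(self):
        self.roles = {}        # role name -> Role
        self.user_roles = {}   # user id -> set of role names
        self.audit_log = []    # one entry per access decision, allowed or denied

    def define_role(self, name, privileges=(), inherits=()):
        missing = [p for p in inherits if p not in self.roles]
        if missing:
            raise KeyError(f"unknown parent role(s): {missing}")
        self.roles[name] = Role(name, set(privileges), set(inherits))

    def grant(self, role, privilege):
        """Change the role definition once; every holder of the role is affected."""
        self.roles[role].privileges.add(privilege)

    def revoke(self, role, privilege):
        self.roles[role].privileges.discard(privilege)

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def reassign(self, user, role):
        """Move a user to a new role; the old role's privileges go away with it."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user] = {role}

    def effective_privileges(self, user):
        """Union of privileges over the user's roles and everything they inherit."""
        privileges, seen = set(), set()
        stack = list(self.user_roles.get(user, ()))
        while stack:
            name = stack.pop()
            if name in seen:          # also protects against inheritance cycles
                continue
            seen.add(name)
            role = self.roles[name]
            privileges |= role.privileges
            stack.extend(role.parents)
        return privileges

    def check(self, user, privilege, record_id):
        """Least-privilege decision; every decision, allowed or denied, is audited."""
        allowed = privilege in self.effective_privileges(user)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,               # individual login, so the entry is attributable
            "privilege": privilege,
            "record": record_id,
            "result": "ALLOW" if allowed else "DENY",
        })
        return allowed


def build_clinic_rbac():
    """Constructed sample hierarchy for a small practice (illustrative only)."""
    rbac = Rbac()
    rbac.define_role("staff", {"schedule:read"})
    rbac.define_role("scheduler", {"schedule:write"}, inherits={"staff"})
    rbac.define_role("nurse", {"chart:read", "vitals:write"}, inherits={"staff"})
    rbac.define_role("physician", {"chart:write", "orders:write"}, inherits={"nurse"})
    rbac.define_role("billing_clerk", {"billing:read", "billing:write"}, inherits={"staff"})
    rbac.assign("dr_lee", "physician")
    rbac.assign("nurse_kim", "nurse")
    rbac.assign("clerk_ann", "billing_clerk")
    return rbac


if __name__ == "__main__":
    rbac = build_clinic_rbac()
    # A physician inherits nurse and staff privileges; a billing clerk never sees the chart.
    print(sorted(rbac.effective_privileges("dr_lee")))
    print(rbac.check("clerk_ann", "chart:read", "MRN-0001"))
    # One change to the role redefines privileges for every nurse at once.
    rbac.grant("nurse", "chart:write")
    print(rbac.check("nurse_kim", "chart:write", "MRN-0001"))
    # Reassigning a user swaps the whole privilege set rather than adding to it.
    rbac.reassign("nurse_kim", "scheduler")
    print(rbac.check("nurse_kim", "chart:read", "MRN-0001"))
    for entry in rbac.audit_log:
        print(entry)
```

Two design points matter for a HIPAA setting: the audit entry is written for denied attempts as well as allowed ones, since a clerk repeatedly probing charts is exactly what the incident monitoring procedure should surface, and reassign replaces the user's role set instead of appending to it, which is how privilege accumulation across job changes is avoided.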