Nearly all hospitals and other business entities in the health care field have transitioned or are currently making...
the transition to electronic records systems. While this is happening for a variety of reasons, the intended result is increased efficiency and cost savings, but an unintended result may be that it's harder to know who has accessed any particular record.
The Privacy Rule for HIPAA has always mandated that comprehensive tracking measures be in place for entities accessing an individual's medical records, but now it's the individuals themselves who can find out who accessed their records.
For that reason, a proposed change to a key portion of the Health Insurance Portability and Accountability Act (HIPAA) may soon mandate that health care organizations keep closer tabs on access to electronic records. To that end, a new set of technical measures may be needed for enterprises to remain compliant. That's what we'll cover in this tip.
For purposes of compliance with HIPAA, electronic medical records (EMR), also known as electronic health records (EHR), are usually defined as computerized legal medical records created in an organization in which the health information system allows storage, retrieval and manipulation of these respective records.
As such, these records, similar to that of hard copy medical records, must be kept in unaltered form and authenticated by the creator. Under data protection legislation such as HIPAA, the responsibility for patient records (irrespective of the form they are kept in) is always on the creator along with one of many custodians of the records, usually a health care practice, facility, or some other type of organization. With that said, the most important security tenets to keep in mind are that of the Privacy Rule and the Security Rule within the HIPAA law itself.
The HIPAA Privacy Rule regulates the use and disclosure of certain information held by "covered entities," which include health care clearinghouses, employer-sponsored health plans, health insurers and medical service providers that engage in certain transactions. It establishes regulations for the use and disclosure of Protected Health Information (PHI).
HIPAA Privacy Rules can seem daunting to many, as it encompasses the following measures:
- Regulating the use and disclosure of protected health information by health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically;
- Requiring measures to be implemented that establish a set of basic consumer protection requirements;
- Allowing any individual to file an administrative complaint for violations against the Privacy Rules;
- Allows for civil or criminal penalties to be levied.
The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It essentially identifies the three types of security safeguards required for compliance:
The proposed changes being put forward by the Department of Health and Human Services essentially seek to create more accountability and transparency regarding medical records. Specifically, individuals would be able to request an access report providing them with a detailed account of all organizations that have requested, obtained, and ultimately, accessed and viewed their medical records. The Privacy Rule for HIPAA has always mandated that comprehensive tracking measures be in place for entities accessing an individual's medical records, but now it's the individuals themselves who can find out who accessed their records. Many privacy advocates welcome the move as it gives individuals more information regarding their medical records, while also placing security and legal challenges and constraints for "covered entities" who hold these records.
From a security perspective, a comprehensive audit trail and logging infrastructure will have to be implemented for all medical records accessed at "covered entities" by various organizations. This requires the use of change-detection software, file integrity monitoring (FIM) tools, and various other technologies that can provide a detailed audit record of who accessed what information, when, where, why and how. Specifically, IT organizations will need to implement audit records that capture the following conditions by organizations accessing medical records at "covered entities":
- All authentication and authorization activities, such as logon attempts (both successful and unsuccessful) for both system-level and application-level platforms;
- Any creation, modification or deletion of both system-level and application-level objects (i.e., data files opened and closed and specific actions, such as reading, editing, deleting and printing);
- All actions undertaken by system administrators who have elevated privileges and access rights.
Additionally, for each event described above, the following attributes are to be captured:
- The type of event that occurred and on what system level and/or application level did it occur on;
- The date and time of the event;
- The identity of the user, such as the logon ID;
- The origination of the event;
- The outcome of the event, such as the success or failure of the event;
- The name of the affected system resource.
From a legal perspective, "covered entities" will have to ensure all their respective service-level agreements (SLA) and other contractual documentation include provisions, disclosures and requirements regarding the above stated audit records.
From an IT security perspective, a proactive risk assessment process should be immediately undertaken whereby the following issues are addressed by all "covered entities":
1. Identify all system components (i.e., network devices, servers, applications, databases) that aid, facilitate and store an individual's medical records.
2. Evaluate each system component's compliance with the above stated audit records and implementing measures, via software utilities, that the required events are being logged and sent to a secure logging server accessible by select authorized personnel only.
3. Undertake training initiative for ensuring both internal employees at "covered entities" and all third parties that have access to an individual's medical records, understand and acknowledge the proposed changes to the HIPAA Privacy Rule.
4. Implement measures internally for ensuring compliance with the proposed rule changes are being met, adhered to and maintained from an IT perspective. Specifically, systems will have to be monitored internally with quarterly audits or "surprise" assessments by an internal audit function.
Though it may be difficult to provide an exact date of when the proposed HIPAA Privacy Rule change may go into effect, it's important to understand this is just the first of many new security requirements that are being pushed out by the government regarding an individual's right to secure and private medical records. The proposal may change slightly as lawmakers, industry heavyweights and other experts weigh in, but ultimately it will come to fruition in the near term, thus "covered entities" should prepare IT departments for these changes and begin creating the necessary audit records for compliance. From a legal perspective, "covered entities" should also rework their contractual documentation to include provisions, disclosure,and requirements for these proposed changes.
About the author:
Charles Denyer is a member of NDB Accountants & Consultants, a nationally recognized boutique CPA and advisory firm specializing in Regulation AB, SAS 70, SSAE 16, ISAE 3402, FISMA, NIST, HIPAA, ISO and PCI DSS compliance, along with other regulatory compliance initiatives. Mr. Denyer is actively involved in numerous professional associations and organizations for a wide range of industries and business sectors. He is also an advanced social media expert, having spent years working in the field of search engine optimization (SEO) and various forms of online marketing and social media.
Mr. Denyer holds numerous accounting and technology certifications along with a Masters in Information and Telecommunication Systems from the Johns Hopkins University and a Masters in Nuclear Engineering. He is also currently an MBA candidate for the Johnson School of Business at Cornell University.