Software leads provider toward HIPAA compliance

Information security a major consideration

Health information management professionals may be counting down the days until the year 2000 transition. But another countdown is expected to begin this month, too.

Sometime this month, the Department of Health and Human Services in Washington, DC, is expected to begin releasing the final standards on electronic health information, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final transactions and coding standard is due first.

The final rules on the national provider identifier, the national employer identifier, and security are expected next month. The standards are required to be implemented within two years of the effective date of the final rule, which is generally 60 days after the publication date.

Two years may seem like plenty of preparation time, but many organizations know that taking a proactive stance is a safe policy.

One example of preparing for HIPAA is United Health in Appleton, WI. The organization decided to make a complete overhaul of its information system. United Health is a corporation that includes Appleton (WI) Medical Center, Theda Clark Medical Center in Neenah, WI, and United Health of Wisconsin HMO and 800 affiliated physicians within a 100-mile radius of Appleton.

The company began the overhaul by implementing 100 stand-alone PCs and a fiber ring network between the two hospitals and corporate headquarters. It also leased a dedicated (T1) phone line from an Internet service provider in Milwaukee and extended it to other facilities. Finally, it installed a Novell local area network (LAN) server at each facility.

Inability to share data was a major problem

One of United Health’s technology problems was the inability of some of its best-of-breed systems to share data. To address this, the company implemented a message broker system to noninvasively exchange data between applications and to transform incoming data into the formats required by the receiving system.

United Health also lacked security for patient information. For example, surgeons received lab results from a terminal that was always logged on to the system, leaving patient information unsecured.

In addition, if another user logged on to a different part of the system from that terminal, the surgeons would no longer be able to access the lab results. When patient information is left on a shared screen, it opens the hospital to civil liability suits, says Bill Briner, product manager for New Era of Networks (NEON) in Englewood, CO.

That’s one reason HIPAA requires an enterprisewide security policy. "This means [providers] have to define who in the whole enterprise — not just in a department — has access to patient information. And at what level do they have access? What privileges do they have?"

Another HIPAA requirement is that users of electronic health information have unique access codes and that their access is restricted to the information needed to do their jobs. "There should be no more shared IDs," Briner says. "That’s absolutely forbidden under HIPAA. There is no control of them."

Challenging road lies ahead

Health care facilities have a challenge in meeting the HIPAA security requirements. First of all, they have to manage a much larger user population than they did before, Briner notes. In addition, any system they choose must support "nomadic users," or users that move all around the facility. "Oftentimes [these users] will leave one workstation and go to another and then go back to the first workstation and pick up where they left off," Briner says.

The system must be fast, too. Users have often shared IDs because they had to wait so long for applications to load onto the PC.

Finally, they want a system that will automatically create or change user accounts in the endpoint applications when new users are added or when their roles change. "Otherwise, the system wouldn’t be removing any work from the IT department," Briner says.

To help with its security issues, United Health chose NEONsecure, software that provides each user with secure and simultaneous access to multiple applications through a single password and sign-on. When the users sign on the system, they see the icons on their desktop for the applications that they are allowed to access.

When they choose an application, they are automatically placed in the appropriate location within it, based on their job function. The system insulates users from the individual passwords, and password changes, of the underlying applications.
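The access model the article describes (an enterprise-wide policy of who may reach which application at what level, one unique ID per person, and accounts in the endpoint applications created or revoked automatically when a role changes) can be made concrete in a few functions. The block below is an added illustration, not NEONsecure or United Health code; the role names, application names and user records are assumed for the example.

```python
"""Least-privilege application entitlements with automatic provisioning.

Added illustration only; not the product's own logic. Role and application
names and the user records are constructed for this example.
"""
from dataclasses import dataclass, field

# Hypothetical enterprise-wide policy: role -> {application: access level}.
# Defined once for the whole organization rather than department by department.
ROLE_ENTITLEMENTS = {
    "surgeon": {"lab": "read", "radiology": "read", "orders": "write"},
    "nurse": {"lab": "read", "orders": "read"},
    "lab_tech": {"lab": "write"},
    "it_admin": {},  # no clinical data access by default
}

LEVEL_ORDER = {"read": 1, "write": 2}


@dataclass
class User:
    user_id: str                      # unique per person; never shared
    role: str
    # accounts currently provisioned in endpoint applications: app -> level
    accounts: dict = field(default_factory=dict)


def entitlements(role):
    """Access the policy grants a role; unknown roles get nothing, loudly."""
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {role}")
    return dict(ROLE_ENTITLEMENTS[role])


def desktop_icons(user):
    """Applications shown on the sign-on desktop: only those the role allows."""
    return sorted(entitlements(user.role))


def provisioning_plan(user, new_role):
    """Account changes needed in the endpoint applications for a role change.

    Returns (create, update, revoke) so that nobody has to hand-edit each
    system, and so that access the new role does not need is removed.
    """
    current = user.accounts
    wanted = entitlements(new_role)
    create = {app: lvl for app, lvl in wanted.items() if app not in current}
    update = {app: lvl for app, lvl in wanted.items()
              if app in current and current[app] != lvl}
    revoke = sorted(app for app in current if app not in wanted)
    return create, update, revoke


def apply_role_change(user, new_role):
    """Apply the plan to the user's endpoint accounts and record the new role."""
    create, update, revoke = provisioning_plan(user, new_role)
    for app, lvl in {**create, **update}.items():
        user.accounts[app] = lvl
    for app in revoke:
        del user.accounts[app]
    user.role = new_role
    return user


def authorize(user, app, level):
    """Deny by default; grant only at or below the level actually provisioned."""
    granted = user.accounts.get(app)
    return granted is not None and LEVEL_ORDER[granted] >= LEVEL_ORDER[level]


def find_shared_ids(users):
    """Flag any user_id held by more than one person (a shared login)."""
    holders = {}
    for u in users:
        holders.setdefault(u.user_id, []).append(u)
    return {uid: us for uid, us in holders.items() if len(us) > 1}


if __name__ == "__main__":
    # Constructed sample: a nurse is reassigned as a surgeon.
    u = User("jdoe", "nurse", {"lab": "read", "orders": "read"})
    print("icons before:", desktop_icons(u))
    print("plan:", provisioning_plan(u, "surgeon"))
    apply_role_change(u, "surgeon")
    print("icons after:", desktop_icons(u))
```

The revoke list is the part most often missed in manual provisioning: when a role narrows (for example to `it_admin`, which has no clinical entitlements), every clinical account is returned for removal, which is what keeps access restricted to what the job needs.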

All traffic generated by the users is protected, using a combination of Kerberos authentication and DES (Data Encryption Standard) encryption. Single DES, whose 56-bit key had been publicly brute-forced by 1998, was already regarded as weak at the time; Triple DES was the usual stronger alternative. Once users have finished at their workstation, they can hit "hot keys" to instantly lock the screen.

United Health has also assigned timeouts that automatically log users out after a specified period of inactivity. Users need to realize the importance of logging off when they leave a workstation, Briner says. "One of the jobs of the security officer under HIPAA is that people have to be educated as to what the security ramifications are for leaving those things up on the screen."

Transmitters and smart cards

Briner says that many providers use "proximity devices" to log users on and off the system, too. One such device activates the system from a radio signal emitted by a transmitter in the user's smart card. Another requires that a card be placed into a slot in the PC. When the user completes the work, he or she removes the card and the system resets.

United Health employees can gain access to their applications almost instantaneously when they log on. They can access their applications from any workstation, too.

"Our physicians and nurses move around a lot each day," says Keith Livingston, United Health’s CIO. "It’s a considerable benefit for them to be able to access their personal workplace from any workstation."

The health care company’s T1 line also allows users to access the Internet at any time. "We created an icon [in the system] for the Internet. When users want Internet access, we assign that icon to them. Thus, they access the Internet the same way they access lab or radiology or anything else," Livingston says.

One of the things becoming important to providers is the transmission of patient information over the Web, whether it’s in electronic transmissions or through Web pages, Briner says. "We are providing some new capabilities for our products to tighten down and control those types of transmissions. The rules are changing and are changing fast."