The Health Insurance Portability and Accountability Act of 1996 (HIPAA) will fundamentally alter the way that long-term care (LTC) facilities treat resident health information. HIPAA mandates the formats to which claims for reimbursement must conform (Electronic Data Interchange Standards, effective October 2002). HIPAA also mandates the creation and implementation of a multitude of policies and procedures to protect resident health information and will require reams of additional documentation in the form of consents, authorizations, and related documents (Privacy Standards, effective February 2003). But often lost in the discussion of HIPAA are the Proposed Security and Electronic Signature Standards. While these Security Standards have no deadline set in stone, their provisions should already loom large in an LTC facility's HIPAA compliance planning and implementation efforts.
As more medical records become electronic, more data moves within an LTC facility, and more information moves externally through the Internet, wide-area networks (WANs), and virtual private networks (VPNs), resident medical information is at greater risk of improper disclosure. The already enacted HIPAA Privacy Rules contain a specific requirement that a facility "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information."[1] An LTC facility must also limit access to resident health information to those persons or classes of persons in the facility who need the information to perform their jobs.[2] Effective information technology solutions will greatly assist an LTC facility in becoming HIPAA compliant. Inadequate computer systems will virtually guarantee noncompliance.
The reason that the Proposed Security regulations should guide a facility's information systems planning is that the Department of Health and Human Services (HHS) says in the comment section to the Privacy Standards that the Proposed Security Standards will work in "tandem" with the Privacy Standards to protect electronic information and that the Proposed Security Standards will be "harmonized" with the Privacy Standards.[3] While the Privacy Standards and the Proposed Security Standards do not mandate the implementation of any specific technologies, the rules do address specific functions that an LTC facility's information system and network must provide. These can broadly be categorized as access controls, network protection, and data authentication functions. The Proposed Security Standards provide meaningful guidance regarding system requirements for access controls and network protection. The guidance offered on data authentication is less clear, but there are cost-effective methods of protecting the integrity of electronically stored medical records that an LTC facility may employ.
Access controls are policies, procedures, and technical mechanisms that limit the availability of protected resident information to employees who require access to such information to perform their duties. The well-recognized technical measures to comply with the Privacy Standards and the Proposed Security Standards are a unique user name and a password that each user must enter for access to the workstation. A system would also include a timeout function so that if the user is called away from the computer workstation, the workstation locks after a predetermined period of time. To provide additional security in a large, networked facility, users could be given medical records access only for the hours when they are on duty and only for the residents for whom they provide care. Consider the hypothetical example of New Covenant, an LTC facility.
New Covenant is a skilled nursing facility with several wings. Much of the resident medical information is stored electronically on a server, and there are computer workstations on each wing. New Covenant's network is a client-server, LAN-based network. The facility determines that its nurses should have full access to all of the electronic medical information of the residents on the facility wing on which they primarily work. Nurses would not have full access to the records of residents on other wings. When nurses who primarily work on one wing are temporarily assigned to another wing, they would be given temporary access to the electronic medical records of the wing to which they are assigned, for as long as they work on that wing. To implement this access control policy, the facility develops policies and procedures that reflect this approach.
New Covenant implements workstation access rules that provide each nurse with a unique user ID and require that each nurse choose a secure password (not the name of a spouse, child, or pet). New Covenant considered limiting medical record access to only the regularly scheduled hours that each nurse worked and having the computer network administrator grant temporary access when a nurse works nonscheduled time. New Covenant determines that such shift-limited access would be too burdensome and difficult to administer, but the facility does wish to limit general access to only the residents on the wing where the nurse typically works. New Covenant implements a policy that if a nurse works a shift on a different wing, the network administrator will set up temporary user rights for the nurse to access the medical records of the residents on that wing. If there is an emergency situation and a nurse is called to another wing, the policies and procedures provide that the nurse is permitted to view medical records on an "as-needed" basis: a nurse who regularly works on that wing logs onto the system, and the nurse who is responding to the emergency can view the resident medical information that is relevant to the emergency situation.
The proposed HIPAA rules also require that facilities that transmit data over open networks (such as the Internet) protect that data from interception, and that facilities also protect their internal network from unauthorized access. Most of the traffic in New Covenant's network is internal, but the facility does provide several client workstations with Internet access so that key employees may research resident care issues and access LTC-industry sites. Key employees also have e-mail accounts. Additionally, New Covenant e-mails medical information to the medical director and transmits orders to its pharmacy and other ancillary providers over the Internet. To comply with the HIPAA Privacy Standards and the Proposed Security Standards, New Covenant must put protections in place to secure its network from outside attack and to ensure the security of the medical information it transmits over the Internet.
New Covenant realizes its internal LAN is insecure because its Internet (Web) server could allow a hacker to access the entire LAN through the web server or e-mail server. To secure the network, New Covenant installs a firewall between its LAN and the Internet. A firewall is a piece of computer hardware that contains various software functions that detect and deny unauthorized access attempts. To lower firewall maintenance costs, New Covenant outsources its firewall management to a managed service provider that specializes in firewall maintenance and security monitoring. To further protect its LAN from unauthorized access, New Covenant places its Web server and e-mail server within a DMZ (demilitarized zone). This DMZ is configured as a separate network from New Covenant's LAN, and even if a hacker could gain access to the Web server or e-mail server, the hacker is still not inside New Covenant's LAN.
The final component of New Covenant's network security solution is an intrusion detection system that provides the functions the Proposed Security Standards call for: an alarm to warn of an unauthorized access attempt, an event-reporting function to advise of network irregularities, and an audit trail to document network access activity. Since New Covenant outsources security monitoring to a managed services provider, additional intrusion detection services are also available from that provider. New Covenant's managed services provider will also immediately notify the facility of unauthorized access alarms and maintain an audit trail of unauthorized access attempts.
New Covenant also relies on its network to transmit medical information to its medical director and to receive orders from the medical director. Additionally, it uses the Internet to relay medical orders to its pharmacy and to send orders to other ancillary suppliers. To comply with the Proposed Security Standards, the facility examines various encryption and digital signature technologies to protect the confidentiality of the medical information while in transit. It decides on 128-bit encryption of the message traffic and installs Secure Sockets Layer (SSL) technology on its Web server and on the medical director's system. The ancillary vendors and the pharmacy also support SSL. To this point, New Covenant has taken well-considered steps to protect its residents' medical information from improper access, both within the facility and from unauthorized access attempts from external sources. Yet another important step remains: securing and maintaining the authenticity of the medical records themselves.
The last major system requirement of the proposed HIPAA Security Standards is data authentication. HIPAA defines "data authentication" as "corroboration that data has not been altered or destroyed in an unauthorized manner. Examples of how data corroboration may be assured include the use of a check sum, double keying, a message authentication code, or digital signature."[4] The examples given of data authentication methodology are less instructive than the other Proposed Security Standards; they relate more to the authenticity of transmitted messages than to stored records. The comments to the proposed rule offer no additional guidance on "data authenticity," and the other supporting material in the Proposed Security Standard likewise refers to message-authentication methodologies.[5]
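To make the rule's list concrete, here is an added example (not code from the article or from any vendor) that applies two of the named corroboration methods, a check sum and a message authentication code, to a constructed MDS record fragment. It shows the caveat a practitioner would want: an unkeyed check sum detects accidental corruption, but only the keyed MAC detects an amended record when the party making the change can also rewrite the stored check value. The record contents and the key are constructed for the example.

```python
import hashlib, hmac, json, zlib

# Constructed sample MDS fragment; not real resident data.
MDS_RECORD = {"resident_id": "r100", "assessment": "quarterly",
              "adl_bed_mobility": 2, "completed_by": "mds_coordinator"}

def canonical(record):
    """Serialize deterministically so equal content always yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def checksum(record):
    """Unkeyed check sum: catches accidental corruption, not deliberate change."""
    return zlib.crc32(canonical(record))

def mac(record, key):
    """Keyed MAC (HMAC-SHA256): a changed record cannot be re-tagged without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify_mac(record, key, tag):
    """Constant-time comparison of the stored tag with a freshly computed one."""
    return hmac.compare_digest(mac(record, key), tag)

def integrity_key():
    """Constructed demo key. In practice the key is held by the records system,
    not by read-only users, so an amended record cannot be re-stamped."""
    return b"constructed-demo-key-for-this-example-only"

def amend_and_restamp(record, field, value):
    """Model an unauthorized edit that also rewrites the unkeyed check sum.
    This is why a check sum alone does not provide 'corroboration'."""
    altered = dict(record, **{field: value})
    return altered, checksum(altered)
```

The MAC tag should be stored alongside the record and re-verified whenever the record is read or exported, so that an alteration is flagged rather than silently propagated.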
Generally, however, the most efficient and effective way of ensuring that data is not improperly altered or destroyed is limiting access to the data to only those individuals who have a need to access that data and protecting the data from unauthorized access. Effective access controls and network protection technologies, which are already required by HIPAA, should effectively ensure data authenticity. But there is one more step New Covenant elects to take to protect its residents' MDS forms and Care Plans.
As discussed earlier, New Covenant developed detailed policies and procedures regarding access to medical records and established system access controls to implement these policies and procedures. The facility gives medical record access to nurses who work on the respective wings. However, New Covenant determines that only the MDS Coordinator should be able to enter data into the MDS forms and the Care Plans. To implement this policy, the facility provides nurses "read-only" access to MDS forms and Care Plans. The nurses can view the data but cannot enter new data or amend existing entries. Only New Covenant's MDS Coordinator has "read-write" access to MDS forms and Care Plans. If changes must be made to the MDS forms and Care Plans for regularly scheduled MDS updates or due to significant changes in a resident's condition, only the MDS Coordinator can make those changes. This is an example of the "role-based" access control that the Proposed Security Rule permits.[6] New Covenant later grants "read-write" MDS and Care Plan access to the Director of Nursing in the event the MDS Coordinator is temporarily unavailable to update MDS forms and Care Plans.
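The wing-based, temporary and emergency access rules described for New Covenant's nurses, together with the read-only/read-write split on MDS forms and Care Plans described above, can be expressed as a single policy decision function. The following is an added example, not code from the article or from any facility's system; the user and resident identifiers are constructed, and it assumes (which the article does not state) that the MDS Coordinator and Director of Nursing are not wing-limited. Every decision is appended to an in-memory audit trail, mirroring the audit-trail requirement the article mentions.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: str
    role: str                   # "nurse", "mds_coordinator" or "don"
    home_wing: str = ""         # wing where a nurse regularly works
    temp_wings: set = field(default_factory=set)  # wings assigned for a shift

@dataclass
class Resident:
    resident_id: str
    wing: str

# Roles that may enter or amend MDS forms and Care Plans: the MDS Coordinator,
# and later the Director of Nursing as backup, as in the article.
MDS_WRITERS = {"mds_coordinator", "don"}
MDS_RECORDS = {"mds", "care_plan"}
AUDIT_TRAIL = []  # every decision is kept, mirroring the audit-trail requirement

def can_access(user, resident, record, action, emergency=False):
    """Return (allowed, reason) for `user` doing `action` on `record` of `resident`."""
    allowed, reason = _decide(user, resident, record, action, emergency)
    AUDIT_TRAIL.append((user.user_id, resident.resident_id, record, action,
                        emergency, allowed, reason))
    return allowed, reason

def _decide(user, resident, record, action, emergency):
    if action not in ("read", "write"):
        return False, "unknown action"
    if record in MDS_RECORDS and action == "write":
        # Wing membership is irrelevant here: only the named roles may write.
        if user.role in MDS_WRITERS:
            return True, f"{user.role} holds read-write on {record}"
        return False, f"{user.role} is read-only on {record}"
    if user.role in MDS_WRITERS:
        # Assumption (not stated in the article): these roles are facility-wide.
        return True, f"{user.role} has facility-wide access"
    if user.role != "nurse":
        return False, "role has no chart access"
    if resident.wing == user.home_wing:
        return True, "resident on nurse's home wing"
    if resident.wing in user.temp_wings:
        return True, "temporary rights for assigned wing"
    if emergency and action == "read":
        # As-needed viewing while responding to another wing; never write.
        return True, "emergency as-needed view"
    return False, "resident on another wing"
```

Keeping the decision in one function means the policy the facility wrote down and the policy the system enforces can be compared line by line, and the audit trail records the reason for each grant or denial.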
HIPAA compliance presents a daunting challenge to LTC facilities. It will require a complete review of current operations and demand the development and implementation of facility-specific policies and procedures. HIPAA compliance will not come from a book of preprinted forms or from attendance at a consultant-sponsored seminar. It demands the concentrated time and attention of already over-stretched employees and a detailed analysis of facility operations. While a software system cannot make a facility HIPAA compliant, a carefully selected, configured, and implemented information system will help a facility achieve and maintain conformance with many of the enacted Privacy Standards and many of the Proposed Security Standards. Inadequate or improperly configured systems will ensure failure.
Copyright © 2001 Achieve Software Corporation d/b/a Achieve Healthcare Information Systems. Robert C. Feightner is the HIPAA Compliance Officer at Achieve Healthcare Information Systems. Achieve Healthcare Information Systems is a long-term care information systems solutions provider headquartered in Eden Prairie, MN.