HIPAA– it’s got teeth now

Posted 7 July, 2007 in HIPAA, EHRs

teeth.jpgWithout enforcement (including audits and levied penalties), laws are essentially meaningless. In en effort to prove that the HIPAA regulations were meant to be both read and obeyed, the Department of Health and Human Service (HHS) has begun to audit medical institutions. They started this March with Atlanta’s Piedmont Hospital. I think this is great, because up until now, EHR companies and the like have been able to claim HIPAA compliance without any proof. Now is when the truth will come out.

Piedmont Hospital was given ten days to provide policies and procedures addressing the following 24 areas:

  1. Establishing and terminating users’ access to systems housing electronic patient health information (ePHI).
  2. Emergency access to electronic information systems.
  3. Inactive computer sessions (periods of inactivity).
  4. Recording and examining activity in information systems that contain or use ePHI.
  5. Risk assessments and analyses of relevant information systems that house or process ePHI data.
  6. Employee violations (sanctions).
  7. Electronically transmitting ePHI.
  8. Preventing, detecting, containing and correcting security violations (incident reports).
  9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
  10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
  11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
  12. Physical access to electronic information systems and the facility in which they are housed.
  13. Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals’ databases that house ePHI data?).
  14. Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software.
  15. Internet usage.
  16. Wireless security (transmission and usage).
  17. Firewalls, routers and switches.
  18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
  19. Terminating an electronic session and encrypting and decrypting ePHI.
  20. Transmitting ePHI.
  21. Password and server configurations.
  22. Antivirus software.
  23. Network remote access.
  24. Computer patch management.

How would your EHR institution do on this quiz?

2 comments to “HIPAA– it’s got teeth now”

healthTech.accordingtome.com » How good is your hospital? (JCAHO CMS to the rescue!), July 12th, 2007 at 4:16 pm:

  • […] talked before about the importance of universal metrics: IT security metrics (see: HIPAA intro and HIPAA enforcement) and EHR functionality. Well, now that you have patient encounter data safely in your hosted EHR […]

healthTech.accordingtome.com -- IT / Information Technology perspective on healthcare, October 10th, 2007 at 9:58 am:

  • […] Actor George Clooney was admitted last month to the the Palisades Medical Center after a motorcycle accident last month. The temptation to look at Mr. Clooney’s medical file was just too much a couple dozen employees to withstand. 27 people looked. 27 people are now suspended for a month without pay according to CNN.com. HIPAA, it’s got teeth now. […]

Your comment:

You must be logged in to post a comment.


NAVIGATION

Powered by AccordingToME.
Health Blogs - BlogCatalog Blog Directory Blog Directory Blogarama Globe of Blogs Blog Listings All-Blogs.net directory blog search directory