Background
Regulations formulated under the Health Insurance Portability and Accountability Act (HIPAA) require that any entity which creates or uses individually identifiable health information meet specific regulations in the areas of Privacy, Security, Transaction Sets, Code Sets, and Personally Identifiable Information.
A recent Thaumaturgix engagement was with a Florida hospital of 300-350 beds. The hospital offers complete health care services through its numerous in- and out-patient facilities, located on its 80-acre main campus and at outlying locations. Thaumaturgix was asked to conduct a high-level Gap Assessment of the hospital's current practices and procedures versus the compliance requirements under the HIPAA regulations, and to provide recommendations for bringing the hospital into compliance with the regulations.
Thaumaturgix's HIPAA Compliance Team utilized in-person interviews, questionnaires and surveys to assess twenty of the hospital's functional departments as well as over sixty individual systems in the hospital's Information Services department. The team's goal was to develop an understanding of the various departmental practices and information flows, and to compare the hospital's current practices to the regulations. Based on the team's findings, Thaumaturgix prepared a detailed set of recommendations for remediation. Further details regarding the results of the assessment are presented in the following sections.
Gap Assessment
Transaction and Code Sets
The hospital's transaction types were examined and compared to the published standards, and a table of compliance was prepared, sorted by transaction type. Thaumaturgix found that the hospital uses a limited number of transactions, none of which were compliant at the time of the analysis. However, scheduled systems upgrades were expected to bring about the necessary compliance with the Transactions and Code Set regulations. Thaumaturgix recommended that HIPAA-compliant upgrades be installed and tested in time to meet the original compliance deadline of October 16, 2002, so that the hospital could avoid the requirement that a compliance plan be filed with the US Department of Health and Human Services (HHS) in order to receive a one-year extension.
Privacy
Thaumaturgix evaluated the capability of the hospital's information technology systems to support the requirements of the privacy regulations and prepared a table of system compliance by regulation. Thaumaturgix found that the hospital's internal systems were capable of supporting the HIPAA Privacy regulations if used in conjunction with proper policies and procedures as defined by the hospital's legal counsel (who performed a companion detailed Privacy Assessment of policies and procedures). Thaumaturgix further found that systems could be used to augment or replace current manual procedures in the pursuit of compliance, where feasible and appropriate. HIPAA-compliant systems upgrades should also be implemented and maintained in order to bolster compliance.
Security
Thaumaturgix performed inspections and analyses to develop a "hit list" of issues to be addressed in order to bring about compliance with the proposed Security regulations. Thaumaturgix addressed security requirements in three areas: regulation awareness and education, documentation of policies and procedures, and technical remediation. Thaumaturgix presented a guide to achieve compliance in each of these three areas, including a strategy for addressing the identified areas of noncompliance and a regulation-by-regulation guide to required and recommended security practices.
Conclusions and Next Steps
Thaumaturgix presented a high-level guideline for achieving institution-wide compliance given the present state of the hospital's policies, procedures, and systems. These include guidelines to:
- Develop HIPAA-compliant policies and procedures
- Develop HIPAA-compliant business partner agreements
- Provide employee training in HIPAA-compliant practices
- Implement technical remediation measures
Remediation
Training and Education
Thaumaturgix recommended training and education to create the proper institutional culture of patient information privacy and security. The hospital has been advised in the development and implementation of a set of specialized training sessions for:
- Educating employees at various levels and in varying roles.
- Creating HIPAA "thought-leaders" within the institution as an ongoing force for promoting the privacy and security of patient information.
Thaumaturgix provides customized training and education programs in HIPAA compliance to help hospitals achieve these results. In addition, Thaumaturgix can develop and implement a comprehensive HIPAA Communication Plan utilizing a variety of resources and technologies.
Technology
Technical remediation recommendations included improved access logging and audit capabilities, deployment of easier and more secure access control technologies, and assessment and any necessary strengthening of firewall and intrusion detection/control systems. Thaumaturgix is fully conversant with the systems, network, and application technologies necessary to achieve the desired results.
For more information on the issues of access control, logging, and audit under HIPAA, please see the Thaumaturgix HIPAA Compliance Practice Group background document "Access Control, Logging, Audit, and Single Sign-On" available on this site.
About Thaumaturgix
Thaumaturgix is a technology consulting firm that specializes in systems and network security; systems administration, support and maintenance; systems integration; application development; and HIPAA compliance services. The Gap Assessment described herein was performed by the Thaumaturgix HIPAA Compliance Practice Group. The Group comprises an experienced team of consultants who specialize in security, privacy, systems and networks, and who are deeply knowledgeable about the HIPAA regulations. The HIPAA Compliance Practice Group has developed a body of proprietary knowledge and processes designed to evaluate and implement timely and cost-effective compliance solutions for Thaumaturgix's clients.
For more information, please e-mail hipaa@tgix.com or call Peter Dolch at 212-918-5025.