WORM emerging as a new-generation storage technology in the healthcare industry
To comply with HIPAA, healthcare organizations have to rely on the latest information technology for the storage infrastructure that protects patients’ data. The transition to “filmless” digital diagnostic imaging and the need for compliance with the Health Insurance Portability and Accountability Act (HIPAA) have spurred medical IT departments to rethink their approach to data storage to better support these new applications and data management requirements. The American Medical Association estimates the cost of restructuring the healthcare industry as a result of HIPAA at more than $43 billion over the next few years.
One technology that has caught attention for storing patient data is write-once, read-many (WORM) storage. Once the exclusive realm of write-once optical disk, a new generation of WORM storage alternatives has emerged that includes WORM disk arrays and WORM tape. Both provide advantages over traditional optical WORM, particularly where large-scale storage applications need higher capacities. Tape-based WORM in particular is poised to become a major presence in medical storage environments by delivering secure, scalable and versatile storage with a significantly lower total cost of ownership than disk-based WORM.
The two dominant mid-range tape technologies, Super DLTtape II and Linear Tape Open Ultrium 3 (LTO 3), have both embraced the WORM concept and now offer WORM functionality, although each takes a different approach. Super DLTtape lets customers use conventional Super DLT II media for WORM applications: the write-once functionality (branded DLTIce on Quantum’s Super DLT 600 tape drives) is enforced by the tape drive itself as part of Quantum’s DLTSage architecture platform, a suite of predictive and preventive management software tools that let end users diagnose, plan and manage their tape storage investments.
Using ‘Secure FAX’ to comply with HIPAA’s ‘Safeguards Principle’
Healthcare organizations often urgently need to send important and sensitive information, such as protected health information (PHI), by facsimile, and this raises a real concern: anyone with physical access to the phone lines and some technical expertise can eavesdrop on phone calls and FAXes and so obtain any PHI sent by FAX. HIPAA addresses FAXes under the “Safeguards Principle”, which states that ‘Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.’
With email, there are many physical, technical, and administrative safeguards that are easy to apply. With FAXes, the situation is very different:
* There is no easy way to secure a FAX transmission between two parties unless both are set up with special encrypting FAX machines. Few organizations have such tools; they are expensive, and to be useful, everyone must have compatible machines.
* Everyone already uses insecure FAX machines.
* FAXes are often left on the FAX machine for some period of time after they arrive. This makes the sensitive information available to anyone walking by the machine.
* FAX machines often save copies of received FAXes internally. This makes it possible for anyone with access to the FAX machine to print out additional copies of the sensitive material.
* FAX machines generally print out the transmitted messages on paper. This paper, if not destroyed, could be placed in an insecure location.
To address this, you can opt for “Secure FAX” services delivered over the internet. These services protect your information through the following process:
* You access the provider’s web site over a secure (SSL) connection.
* You log in and upload the material to be “FAXed” (possibly after first scanning it and saving it on your computer).
* You enter an email address and possibly a FAX number of the recipient.
* The pages that you are “FAXing” are encrypted and saved in a database at your FAX service provider.
* The “FAX” recipient gets an email or FAX notifying them that they have a “FAX” and that they need to go to a web site to “pick it up”.
* The recipient goes to the web site and downloads the “FAX” over a secure (SSL) web connection.
This transmission of information is secured at every stage because:
* The transmission from the sender to the server is secured.
* The temporary storage is secured.
* The transmission from the server to the recipient is secured.
* An audit trail may be available to track the process, for improved compliance.
* Authentication of the sender and/or recipient may be present, for improved compliance.
This is clearly a more secure method of transmitting PHI than a classical FAX. Note, however, that the service provider holds the stored pages and the keys that protect them, so it is a trusted intermediary rather than a true end-to-end channel; because it stores and transmits PHI on your behalf, HIPAA requires that such a provider be bound by a business associate agreement.
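The pickup flow described above, as an added example that is not code from the original page or from any fax-service vendor: pages are encrypted before they are written to the provider’s database, the notification carries a high-entropy pickup token of which only a hash is stored, pickup requires both that token and a login as the named recipient, and every step lands in an audit trail. All names (SecureFaxService, upload, pickup, PICKUP_TTL_SECONDS) are this example’s own. It is standard-library only, so an HMAC-SHA256 keystream with a separate HMAC tag stands in for a real AEAD such as AES-GCM; the single-use and 24-hour expiry rules for the pickup link are assumptions, and the TLS hops are taken to be provided by the web server and are not modelled.

```python
"""Model of a 'Secure FAX' drop: encrypt-then-store, hashed single-use
pickup tokens, recipient authentication, and an audit log.
Added example; stdlib only. The HMAC-based stream cipher below is a
stand-in for AES-GCM, not a recommendation for production."""
import hashlib
import hmac
import secrets
import time

PICKUP_TTL_SECONDS = 24 * 3600          # assumed pickup window
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one document key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("stored pages failed integrity check")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class SecureFaxService:
    """In-memory stand-in for the provider's database and web front end."""

    def __init__(self, now=time.time):
        self._now = now                              # injectable clock for expiry tests
        self._master_key = secrets.token_bytes(32)   # in production: an HSM/KMS-held key
        self._docs = {}                              # doc_id -> stored record
        self.audit = []                              # (timestamp, event, doc_id, who)

    def _log(self, event: str, doc_id: str, who: str) -> None:
        self.audit.append((self._now(), event, doc_id, who))

    def _doc_key(self, doc_id: str) -> bytes:
        """Per-document key derived from the master key; never stored."""
        return hmac.new(self._master_key, doc_id.encode(), hashlib.sha256).digest()

    def upload(self, sender: str, recipient: str, pages: bytes):
        """Sender step: store ciphertext only; return the one-time pickup token."""
        doc_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._docs[doc_id] = {
            "blob": encrypt(self._doc_key(doc_id), pages),
            "recipient": recipient,
            "token_hash": hashlib.sha256(token.encode()).digest(),  # never the token itself
            "expires": self._now() + PICKUP_TTL_SECONDS,
            "used": False,
        }
        self._log("upload", doc_id, sender)
        self._log("notify", doc_id, recipient)       # the email/FAX notice carries the token
        return doc_id, token

    def pickup(self, doc_id: str, token: str, user: str) -> bytes:
        """Recipient step: needs the link token AND a login as the named recipient."""
        rec = self._docs.get(doc_id)
        token_ok = rec is not None and hmac.compare_digest(
            rec["token_hash"], hashlib.sha256(token.encode()).digest())
        if (not token_ok or user != rec["recipient"]
                or rec["used"] or self._now() > rec["expires"]):
            self._log("pickup_denied", doc_id, user)
            raise PermissionError("pickup refused")
        rec["used"] = True                           # assumed single-use link
        pages = decrypt(self._doc_key(doc_id), rec["blob"])
        self._log("pickup", doc_id, user)
        return pages
```

The design choice worth noting is that the database row never contains anything that alone yields the pages: the token is stored only as a hash, so a database leak does not hand out working pickup links, and the per-document key is derived from a master key that lives outside the store. The denied attempts are logged as well as the successful ones, which is what makes the audit trail useful for a compliance review.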
Is UW’s fundraising drive violating HIPAA by misusing PHI?
Though HIPAA goes to great lengths to protect PHI, it allows covered entities to use, or disclose to a business associate or institution-related foundation, two types of protected health information (PHI) for fundraising without specific permission: basic demographic information about an individual, and the dates of health care provided to an individual. Information about diagnosis or treatment is off-limits, but federal and state laws allow hospitals, in most cases, to use a patient’s name, address, contact information, dates of hospital service, gender, age and insurance status in fundraising efforts.
Despite being legal, the practice, widely used by other nonprofit hospitals here and across the country, has raised eyebrows before, mainly because people mistakenly lump health-care fundraising with the annoying commercial telemarketing calls that interrupt dinner, says William McGinly, president and CEO of the Association for Healthcare Philanthropy.
“It is a common misunderstanding,” he said. “Fundraising is a part of health-care operations.”
The UW’s fundraising drive, which began in April and ended early this month, ultimately raised nearly $28,000, but the way it used PHI has annoyed many. Finn, a 62-year-old retired CPA who lives on Queen Anne Hill and a one-time patient at the UW, was astounded when he got a call on his unlisted telephone number seeking a donation and the caller told him the information had come from patient records.
The callers were primarily students under contract to the UW and trained in HIPAA privacy rules. This year, about 150 of the nearly 6,000 former patients who were solicited opted out of having their names on the fundraising list, but when Finn tried, he found it wasn’t as easy as he thought it should be.
In frustration, he called the UW’s privacy office to complain, and finally, when he went to the hospital, he was almost certainly given a 16-page tome entitled “Joint Notice of Privacy Practices of UW Medicine and Certain Other Providers.”
The notice explains how a patient’s data may be used, and notes that phone solicitors don’t have access to “diagnosis or treatment information” and must agree to keep the information they do see confidential.
Finn said he was disturbed because HIPAA bars using patient information for commercial purposes.
“Excuse me, but raising millions of dollars to support UW — a commercial enterprise hiding behind a not-for-profit mask — certainly sounds like a bending of the rules to suit a purpose,” he said. “You just feel as though your privacy is being violated. … Just because HIPAA might allow UW to do this does not make it right.”
ePharmaSolutions partners with iTrials for a better patient recruitment process
ePharmaSolutions, a leading provider of clinical research technologies and services, has partnered with iTrials to improve the site selection and patient recruitment process. ePharmaSolutions will integrate iTrials’ longitudinal patient database into its CRID (Clinical Research Investigator Database), linking practicing physicians and experienced research Investigators with iTrials’ patient data to provide detailed views of each Investigator’s protocol-specific patient populations from within their own practice and their established referral networks. Pharmaceutical companies will be able to contract directly with ePharmaSolutions to provide this service at the study level and/or license the SFA (Site Feasibility Application) for self-service access to the global Investigator database.
“For the last 10 years iTrials has developed one of the industry’s largest HIPAA-compliant sets of longitudinal patient data, linking more than 80 million patients with over 350,000 physicians including each patient’s diagnoses, procedure events, age, gender and even original referral physician,” stated Lance Converse, CEO of ePharmaSolutions. “This data is very helpful in both protocol/site feasibility and patient recruitment campaigns and will be integrated into our Site Feasibility Application (www.epharmasolutions.com/sfa) for better site profiling and selection,” he added.
“Our new partnership will provide the pharmaceutical industry with actionable data to help improve site feasibility and patient recruitment that until now has been either too expensive or not packaged in a way that was meaningful to study teams,” stated Mike Hassell, CEO of iTrials. “We are now in a position to support our clients’ needs at both the study and enterprise level,” added Hassell.
Privacy Rule exception for using the PHI of a deceased subject
The Privacy Rule requires researchers to obtain written authorization from research subjects before using the subjects’ protected health information (PHI) in the course of that research. Among the exceptions to this rule is one for the use of decedents’ PHI, after filing an appropriate certification.
When you wish to use the PHI of deceased subjects, you may rely on this Privacy Rule exception by making a certification. The certification is appropriate when: (1) the PHI sought via the certification is solely that of decedents, (2) you can document the death of each individual if asked to do so, and (3) the PHI is necessary for the research purposes.
The Common Rule does not apply to research involving decedents. Rather, the Common Rule applies only to research involving “human subjects”, who are defined as “living” individuals.
You may make a certification for research on the PHI of decedents when all subjects in your protocol, or in a distinct part of that protocol, are deceased. If your research protocol involves the use of PHI of both living and deceased subjects, but no distinct part of your protocol is directed at the use of decedents’ PHI, you should not use the process described here, but rather obtain an authorization, or seek a waiver of authorization, before using the PHI. It is not necessary to file a certification to continue using the PHI of a research subject who dies during the course of your research, as you will have obtained an authorization, or waiver of authorization, for the subject while living that allows you to continue using that PHI.
Filing a complaint with OCR for HIPAA violation
You know that a covered entity has violated your health information privacy rights under HIPAA, for example by improperly using or disclosing your PHI. But what are you supposed to do next? To seek redress, you file a complaint with the Office for Civil Rights (OCR). OCR is the authority entitled to receive and investigate complaints against covered entities relating to the Privacy Rule.
A complaint to the Office for Civil Rights must:
1. Be filed in writing, either on paper or electronically;
2. Name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule;
3. Be filed within 180 days of when you knew, or should have known, that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.”
The violation for which the complaint is filed must have occurred on or after April 14, 2003 (on or after April 14, 2005 for small health plans), for OCR to have authority to investigate.
OCR has ten regional offices, and each regional office covers certain states. Complaints should be sent to the attention of the appropriate OCR Regional Manager.
You can submit your complaint in any written format but the complaint should include the following information:
1. Your name, full address, home and work telephone numbers, email address.
2. If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.
3. Name, full address and phone of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule.
4. Briefly describe what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or the Privacy Rule otherwise was violated?
5. Any other relevant information.
The Privacy Rule prohibits the entity complained against from retaliating against anyone for filing a complaint with the Office for Civil Rights. Notify OCR immediately of any retaliatory action.
Former UCLA researcher sentenced to prison for violating HIPAA privacy rule
Huping Zhou, a licensed cardiothoracic surgeon in China and a former UCLA School of Medicine researcher, has become one of the first healthcare workers sentenced to prison for violating the HIPAA privacy rule.
While working as a researcher at the university in 2003, Zhou began accessing the medical records of his superior, his co-workers and celebrity patients in the UCLA Health System, including Tom Hanks, Drew Barrymore and Arnold Schwarzenegger. The FBI reports that he accessed confidential medical records in violation of the HIPAA privacy rule a total of 323 times over a three-week period.
Zhou was sentenced to four months in federal prison and fined $2,000. The U.S. Attorney’s Office in Los Angeles said in a press release that this is the first time a healthcare worker has been given jail time for violating the HIPAA privacy rule.
Edward Robinson, attorney for Mr. Zhou, told CBS News his client had “no idea that looking at another person’s medical records was a federal criminal violation for which you could go to jail.”
Choosing the right biometric system for securing PHI
HIPAA’s Security Rule sets standards for protecting patient health data held in electronic form, and any covered entity that fails to protect that data as HIPAA requires is subject to civil penalties and, for knowing violations, criminal prosecution.
When health transactions are conducted over the internet, health service entities must provide a very secure access system. Biometric technology can help here: it uses unique physical characteristics (fingerprint, iris, retina) and behavioral characteristics (signature, keystroke pattern, voice print) that are enrolled in the system to create a secure and unique identification for each user.
When choosing a biometric system, the health care provider should look for these features:
- It should be easy to deploy. The devices should be cost-effective and user-friendly so that users can access the services easily.
- The system should let the service provider quickly capture the user’s sample and compare it against the enrolled template.
- There should be proper training and support for installation, integration and optimization of the devices.
- High degree of accuracy. The false-acceptance rate (FAR) and false-rejection rate (FRR) move in opposite directions as the decision threshold changes; the threshold at which they are equal gives the crossover error rate (CER), and a lower CER indicates a more accurate system. For access to PHI the operating threshold is normally set tighter than the crossover point, accepting more false rejections in exchange for a lower FAR.
- Customized to the environment. In patient admission, nursing, billing and administration a fingerprint scanner will work well, but it will fail in clinics and labs where latex gloves are worn.
- The system should support interoperability so that data from different biometric devices can be exchanged and compared. Combining two or more different types of device also gives greater assurance by creating a stronger, tamper-resistant access system.
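The FAR/FRR trade-off behind the accuracy requirement above, as an added example that is not code from the original page or from any biometric vendor. It sweeps a decision threshold over two constructed lists of match scores (GENUINE for a user matched against their own template, IMPOSTOR for someone else’s), computes FAR and FRR at each threshold, locates the crossover point, and then picks an operating threshold by capping FAR first, which is the order of priorities for PHI access. The scores, the 0-100 scale and the function names (far, frr, crossover, operating_point) are this example’s own assumptions; a real evaluation would use thousands of comparisons.

```python
"""Threshold sweep over constructed biometric match scores: FAR, FRR,
the crossover (equal error) point, and a FAR-capped operating point.
Added example; the score lists are constructed, not measured."""

# Constructed similarity scores (0-100; higher = closer to the enrolled template).
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61, 58, 52]   # same person
IMPOSTOR = [12, 18, 22, 27, 33, 38, 44, 49, 55, 60, 63, 69]  # different person


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostor attempts scoring at/above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep thresholds; return (threshold, cer) where FAR and FRR are closest.
    CER is reported as the mean of FAR and FRR at that threshold."""
    best = None
    for t in range(0, 101):
        f, r = far(t, impostor), frr(t, genuine)
        gap = abs(f - r)
        if best is None or gap < best[2]:
            best = (t, (f + r) / 2, gap)
    return best[0], best[1]


def operating_point(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR is within the ceiling, with the FRR paid for it.
    For PHI access you choose the FAR you can tolerate first, then accept the FRR."""
    for t in range(0, 101):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return None


if __name__ == "__main__":
    t, cer = crossover()
    print(f"crossover at threshold {t}: CER = {cer:.3f}")
    for ceiling in (0.25, 0.10, 0.0):
        t, r = operating_point(ceiling)
        print(f"FAR <= {ceiling:.2f}: threshold {t}, FRR = {r:.3f}")
```

On these constructed scores the two error rates cross at threshold 61, where about one in six attempts is misclassified in each direction; capping FAR at 10% pushes the threshold up to 64 and raises the FRR to 25%, and a FAR of zero costs a third of genuine attempts. That shape, a cheap CER but an expensive low-FAR corner, is why the crossover figure alone does not tell you whether a device is acceptable for PHI.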
Apptix launches Secure Mail for email protection
Apptix, a leading provider of hosted Microsoft Exchange, Microsoft SharePoint and business VoIP services for businesses worldwide, has announced the launch of Apptix Secure Mail, which provides email encryption and decryption at the desktop for secure end-to-end transmission. It protects messages in transit over the Internet and at rest in local email stores and corporate email archives. Recipients of an encrypted message who do not subscribe to the Secure Mail service receive a notification email with a link to retrieve the message from a secure web-based portal.
The features of Apptix Secure Mail include:
• One-click security – Users simply click a “Secure” button within the Outlook email client before sending to have the application encrypt the message.
• Send to anyone capability – Subscribers receive the encrypted mail directly in their Inbox; non-subscribers collect the messages via a secure Web portal.
• No key exchange or management required – Intelligent key lookup occurs transparently, eliminating the need for users to exchange and manage encryption keys.
• Strong encryption and authentication – Standards-based technologies such as Public Key Infrastructure (PKI), Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), S/MIME and X.509 certificates establish confidentiality, message integrity, and user authentication.
“Apptix Secure Mail is a cost effective, end-to-end encryption solution for customers, particularly in healthcare and finance, to meet regulatory compliance requirements,” said James Bond, Vice President of Product and Software Development with Apptix. “From within Microsoft Outlook, users can send secure messages to any email address including Gmail, Yahoo, or Hotmail accounts, even if the recipient does not subscribe to the email encryption service. In addition, customers do not have the hassle of sending shared secret passwords or negotiating certificates/encryption keys—everything is seamless and transparent.”
The role of HIPAA when you join a medical research team
Clinical trials and medical studies are fundamental to the advancement of medicine and if you join a research team, you may be asked to sign certain important forms. One of these may be an authorization form which will authorize the research team to use or share your personal health information with others for the research study such as:
* Your name and address
* Your health background
* Your health care provider’s name
* Your birthday
* Your medical records
* Your ethnic origin
* Your lab test results and X-rays
* Notes taken by a doctor or nurse
* Your medical diagnosis
The good news is that “patients and health plan members should be more willing to authorize disclosures of their information for research and to participate in research when they know their information is protected…The Privacy Rule both permits important research and, at the same time, encourages patients to participate in research by providing much needed assurances about the privacy of their health information.”
The HIPAA Privacy Rule regulates the documentation needed here (i.e. the authorization that patients sign to release their information for the study).
Other parties may see the information too. In the words of the federal guidance: “The Office for Human Research Protections (OHRP) is a public health authority under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to report adverse events to the OHRP either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for public health activities…”