HIPAA Compliance for Online Radiology Reports

Patients and referring physicians increasingly enjoy the benefits of digital access to radiology reports, but the online environment raises new concerns about HIPAA compliance.  

 

It is, of course, entirely appropriate for doctors to be concerned about patient privacy online. In May of 2017, at least 7,000 medical records were leaked at a New York City hospital. In November of that year, hackers took hostage the protected health information of 7,000 patients at a Massachusetts sports medicine provider, demanding a ransom with the threat of releasing the data. The following month, news broke that an ex-employee of a San Antonio mental health provider left the job with more than 28,000 patient records downloaded to a personal computer.  

 

Data breaches happen, and when they do, health care providers could find themselves in violation of HIPAA. So how can physicians be sure that their radiology providers are adequately protecting their practices and their patients?

 

Here, we describe some of the ways that the Precise Imaging web portal does it. By following these recommended protocols, our IT systems keep out intruders, ensuring compliance with HIPAA to keep protected patient information safe and secure. First, though, we'll take a look at the letter of the law itself. What exactly does it mean for an online data-sharing system to be "HIPAA-compliant?"  

 

The Health Insurance Portability and Accountability Act of 1996 and Patient Privacy

 

The HIPAA Security Rule, which governs the storage and transmission of electronic protected health information (EPHI), requires covered health care providers to meet four major goals:

  1. The provider must keep EPHI in their possession — whether they create the information, hold it, or simply pass it along — completely private and confidential. It cannot become available to any non-approved parties.

  2. Within reason, it is the provider's responsibility to anticipate potential threats to secure information. If they identify a threat, they must act to protect EPHI from it.

  3. Similarly, providers have a duty to shield EPHI within their control from "unauthorized uses or disclosures."

  4. Finally, these requirements extend from top administrators to the very bottom of the pay scale. Every health care provider must make sure that all employees comply with the above rules.


Note that the Security Rule does not dictate specific technical steps companies must take to keep EPHI safe and secure. These things are up to the providers. And the entities covered under HIPAA have strong incentives for investing in ironclad digital protections for their patients' health information: They can face fines of up to $50,000 per compromised health record, with an annual maximum limit of $1.5 million.

 

But there's an even more important reason why responsible health care providers invest heavily in protecting patient information. Organizations that devote themselves to patient-centered care don't just treat a single injury or illness and forget their patients. They concern themselves with every aspect of the patient experience, from physical and emotional comfort to mental well-being between visits, as much as possible. Finding out that your personal information has been leaked is a stressful experience, and no self-respecting health care provider wants to bring anxiety into a patient's life. In short, we invest heavily in privacy because that's what's best for the patient.

 

HIPAA Compliance in the Radiology Web Portal

 

Precise Imaging offers a series of user-specific web portals, for patients, referring physicians, and even personal injury attorneys who may need access to diagnostic images to win a case. Each of these web portals provides best-in-class security features, clearing HIPAA requirements and protecting our users' priceless data.

 

The following is far from an exhaustive list of the security tools that protect radiology reports and other EPHI within Precise Imaging web portals. But it should make clear that these systems are robustly protected from data loss that could put patient information at risk. Here are a few of the tools that our IT systems have in place to protect EPHI and comply fully with HIPAA requirements:

 

  • All transfers of EPHI through the Precise Imaging web portals are fully protected by SSL/TLS encryption. Transport Layer Security (TLS) is the industry standard for protecting data in transit from clients to servers and back again. TLS is the successor to Secure Sockets Layer encryption (SSL), but we refer to the technology as "SSL/TLS" because people still tend to use the terms interchangeably. In fact, TLS is more advanced than SSL encryption, and TLS is what our web portals use to encrypt data in transit.

  • Data remains secure even in a computer's local cache through AES, the Advanced Encryption Standard. This block cipher algorithm is one of only two encryption tools used by the U.S. government, and it remains a powerful lock on data. To further protect data within the local cache, these web portals purge the cache of EPHI after each session. That is, after the user logs out, there's no patient information stored locally at all.

  • Site administrators set strict user identifiers. Each user must have a unique login ID and password, and our systems don't allow weak passwords. We may even ask for periodic password replacements; all of these systems are designed to keep EPHI as secure as possible.

  • Audit trail tools track each user's activities (without storing EPHI). If, somehow, an unauthorized user gained access to one of our web portals, integrated reporting tools would flag any suspicious activity.

  • After a period of inactivity, sessions will log out automatically. This reduces the chances of an unauthorized viewer gaining access to EPHI when users simply forget to log off.
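To make three of the controls in the list above concrete (the audit trail that records activity without storing EPHI, the purge of EPHI from the local cache, and the automatic logout after inactivity), here is an added illustrative model written for this page. It is not Precise Imaging's portal code, and the 15-minute idle timeout, the `Portal` class, the hashed resource reference and the sample report text are all assumptions constructed for the example.

```python
"""Illustrative portal session controls (added example; not Precise Imaging code).

Models three controls named in the list above:
  * automatic logout after a period of inactivity
  * an audit trail that records who did what, but never EPHI itself
  * response headers that keep EPHI out of the browser cache
"""
import hashlib
import json
import time
from dataclasses import dataclass

# Assumed policy value; in a real portal this is set by site administrators.
IDLE_TIMEOUT_SECONDS = 15 * 60

# Headers telling browsers and proxies not to keep a copy of the response.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float
    active: bool = True


@dataclass
class AuditEvent:
    timestamp: float
    user_id: str
    action: str
    resource_ref: str   # opaque reference to the report, never its content
    outcome: str


class Portal:
    """Hypothetical portal back end with idle timeout and EPHI-free audit log."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable clock so the timeout is testable
        self.sessions = {}
        self.audit_log = []

    def _audit(self, user_id, action, resource_ref, outcome):
        self.audit_log.append(
            AuditEvent(self.clock(), user_id, action, resource_ref, outcome))

    @staticmethod
    def resource_ref(report_id):
        # Hash the accession/report identifier so the audit log carries a
        # stable reference without the identifier itself. (Assumption: a
        # keyed hash such as HMAC would be the stronger choice in production.)
        return hashlib.sha256(report_id.encode()).hexdigest()[:16]

    def login(self, session_id, user_id):
        now = self.clock()
        self.sessions[session_id] = Session(user_id, now, now)
        self._audit(user_id, "login", "-", "success")

    def _check_session(self, session_id):
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle_timeout:
            # Idle too long: end the session and record why.
            s.active = False
            self._audit(s.user_id, "auto_logout", "-", "idle_timeout")
            return None
        s.last_seen = now
        return s

    def view_report(self, session_id, report_id, report_text):
        """Return (status, headers, body); the body is EPHI, the log is not."""
        s = self._check_session(session_id)
        ref = self.resource_ref(report_id)
        if s is None:
            self._audit("unknown", "view_report", ref, "denied_no_session")
            return 401, NO_STORE_HEADERS, ""
        self._audit(s.user_id, "view_report", ref, "success")
        return 200, NO_STORE_HEADERS, report_text

    def logout(self, session_id):
        s = self.sessions.pop(session_id, None)
        if s is not None:
            s.active = False
            self._audit(s.user_id, "logout", "-", "success")

    def audit_contains(self, text):
        # Check helper: does any audit entry contain the given string?
        return any(text in json.dumps(e.__dict__) for e in self.audit_log)


def demo():
    """Walk through login, a successful view, an idle timeout and a denied view."""
    t = [1000.0]                                   # constructed fake clock
    p = Portal(idle_timeout=900, clock=lambda: t[0])
    p.login("sid1", "dr_smith")
    first = p.view_report("sid1", "ACC-12345", "Normal chest radiograph.")
    t[0] += 901                                    # exceed the idle timeout
    second = p.view_report("sid1", "ACC-12345", "Normal chest radiograph.")
    return first[0], second[0], [e.action for e in p.audit_log], p


if __name__ == "__main__":
    print(demo()[:3])
```

The point of the check helper is the one a reviewer would ask for: after the walkthrough, neither the report text nor the accession number appears anywhere in the audit log, while the log still shows exactly who viewed what and when the idle timeout fired.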


 

 

The servers that Precise Imaging web portals use are configured specifically to comply with HIPAA. When it comes to patient data, we don't take chances. Server rooms that host patient data are even equipped with comprehensive physical security, greatly reducing the risk of intrusion.

 

There's no reason that compliance with HIPAA should reduce the web-based functionality that so many radiologists, referring physicians, and patients rely on to create better health outcomes. At Precise Imaging, we follow advanced security protocols to protect patient information. We're able to share online radiology reports with full HIPAA compliance, which tends to reassure even the most security-conscious referring physician we work with.

 
