Viewing one 8-minute YouTube interview with Dr. Eric Topol, author of “The Creative Destruction of Medicine”, is evidence enough that the sand beneath the healthcare world we grew up in has shifted as dramatically as if a tsunami were sweeping it along.
The reality is that wearable and embedded digital devices used to measure every sign and sense in our bodies are already in the marketplace:
- Devices to measure every vital sign and transmit results to your smartphone
- Devices to perform continuous glucose monitoring without sticking your finger
- Hand-held genome mapping devices that can assure the patient will not have a negative reaction to a drug
- Cardiogram applications for the smartphone so the patient can see their own heart rhythms and forward the results to their doctor if needed
We have already moved to an electronic and digital world. Patients, not the government or any incentive programs, will be the catalyst for more rapid acceptance of digital solutions in the physician office. Although the timeline for adoption of new evidence-based treatment protocols and the use of digital records by physicians has been disturbingly slow, the ease with which their patients adopt new digital technologies to manage their own health will force the move to the new electronic paradigm.
What has escalated exponentially is the need to secure the myriad digital devices that are already in use by both physicians and patients (smartphones, iPads, tablets, etc.). The wave of adoption of hand-held digital technologies to deliver better patient care must not be discouraged, but embraced and managed as safely as any other resource used in healthcare delivery. You may be surprised to learn where and how the new technologies are already being used in your organization. The goal should be to create policies and procedures that assure the safe creation and transmission of the personal health information these devices generate, not simply to fight the digital wave.
In working with covered entity clients and their business associates, who are also subject to the HIPAA Privacy and Security Rules, it is evident that there is a lot of misunderstanding about which standards and specifications must be implemented to comply with HIPAA. This snapshot is an excerpt from the CMS web site that clarifies the requirements. Some phrases and sentences are bolded for emphasis. Now that the HIPAA Omnibus Final Rule has been published, clearly business associates must implement all the same requirements as covered entities.
“To understand the requirements of the Security Rule, it is helpful to be familiar with the basic concepts that comprise the security standards and implementation specifications. The Security Rule is divided into six main sections – each representing a set of standards and implementation specifications that must be addressed by all covered entities. Each Security Rule standard is a requirement: a covered entity must comply with all of the standards of the Security Rule with respect to the EPHI it creates, transmits or maintains.
Many of the standards contain implementation specifications. An implementation specification is a more detailed description of the method or approach covered entities can use to meet a particular standard. Implementation specifications are either required or addressable.
- A required implementation specification is similar to a standard, in that a covered entity must comply with it. For example, all covered entities including small providers must conduct a “Risk Analysis” in accordance with Section 164.308(a)(1) of the Security Rule.
- For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, a covered entity decides if it will implement the addressable implementation specification; implement an equivalent alternative measure that allows the entity to comply with the standard; or not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.
  Covered entities are required to document these assessments and all decisions. For example, all covered entities including small providers must determine whether “Encryption and Decryption” is reasonable and appropriate for their environment in accordance with Section 164.312(a)(1) of the Security Rule.
- Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be implemented.
  An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.”