Safeguarding resident data during electronic transmission.
If your nursing home is operating under contract with the Federal government, it is subject to the Privacy Act of 1974, which imposes controls over the disclosure of medical information collected by government agencies. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has further restrained disclosure of patient information by requiring that even more wide-ranging privacy rules be put in place by August of 1999. In addition, many states have laws regarding the distribution and disclosure of medical records and other healthcare information.
The Internet can be a wonderful tool for nursing homes - when its use is planned, controlled and monitored. But without staff usage rules and security measures, it can be a sinkhole for staff time and turn your database into a lending library for anyone with a phone line, computer and modem. A lack of usage rules will diminish productivity and efficiency as employees use on-the-job Internet access for personal reasons. Bad security could eliminate Federal and managed care revenue streams, result in fines and cost your organization its good name. Furthermore, recent legislation and court decisions have held individual employees accountable for failing to maintain patient confidentiality.
The Internet, the rapidly expanding pipeline for e-mail and shared data, uses an interlocking set of open standards and protocols that let any connected computer, anywhere, exchange data with any other. People who build Web pages use Hypertext Markup Language (HTML), a markup language that tells a computer how to display text and graphics within a document. They rely on Hypertext Transfer Protocol (HTTP), the protocol that moves those documents and other data - text, audio and video - between Web browsers and servers.
This standardization has made the Internet - and the more localized intranets derived from its technology - the most cost-efficient way to link computers and share data. While the Internet is a public network, intranets are private networks that use Internet standards such as HTML and HTTP. For example, HCFA uses the Netscape Navigator Web browser software to transfer MDS 2.0 data from facilities to the states. Similarly, a healthcare organization with a headquarters and 30 sites might have its own intranet for communicating and sharing data. Such healthcare intranets are commonly used to make available patient records, medical information and documents that previously required U.S. mail, private delivery service, voice telephone or fax for transmission from one location to another.
Intranets usually have an Internet connection. This allows intranet users to then have easy access to the much wider world of the Internet, as well as allowing those who are not a part of the intranet to connect easily and download data. This highly desirable access can also make it easier for unauthorized individuals or organizations to connect to a nursing home's computer system. The result can be improper disclosure of confidential resident/patient information, and that brings up the issue of security.
There are two main areas of Internet use that raise security concerns: (1) using the Internet as a medium for sending and receiving e-mail; and (2) using the Internet to link one computer system to another.
E-mail sent over the Internet is not secure, and computer systems connected to the Internet are open to unauthorized access. When you e-mail someone over the Internet, the message is not sent directly from your computer to theirs. It is handed from one mail server to the next across networks that neither you nor the recipient controls. Anyone who runs, or has broken into, one of those intermediate systems can read the message in transit; the proverbial pimple-faced 13-year-old computer hacker testing his or her skills is only the most familiar example. The message can in fact be altered, destroyed or redirected to any number of additional recipients. Just imagine an e-mail with an attached patient record having the name of the patient changed or being sent to every tort lawyer in town.
That horrific vision can be laid to rest with just one word - encryption. Encryption programs are a confidentiality safety net for e-mail. They scramble a message with a mathematical algorithm controlled by a secret key, so that only a recipient holding the matching key can unscramble it; to anyone else, including an unauthorized recipient who opens it, the message is gibberish. Encryption by itself only hides the contents. To catch a message that has been altered in transit, the program must also attach an integrity check, and good e-mail encryption products do. Encryption may be built into programs or is available as a separate program but, in either event, your vendor should definitely be asked about it.
Then there is the issue of "firewalls." Think of your computer system as a multistory building with a keycard security system. Practically everybody will have access to the lobby. Many people may be cleared for entry to a large number of rooms on the first floor. A smaller number may hold a keycard that gives them access to certain other rooms on the first floor. Different groupings may have keycards that allow them to take the elevator to the second or other floors, and even then they may have access only to certain rooms on those floors. Computers can be equipped with similar lock-out security systems, i.e., firewalls.
A firewall consists of hardware and software, and it stands between a computer system and the outside world of people browsing the Internet. All access can be blocked or limited in degrees, just as our imaginary building's keycard system controls who will be allowed on what floor or in what room. Firewalls can require passwords, or can admit only connections that come from specific, known computers or networks, and the safest starting rule is to block everything and then open only the services each group of users actually needs. They can look at an incoming request for data and refuse it if it seems out of line or, for some reason, inappropriate. Firewalls are to unauthorized access of a computer system what encryption is to intercepted e-mail - and, again, your vendor should be asked about them.
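As an added illustration of the keycard idea in working code (this is not code from the article or from any firewall product), the following Go program evaluates connection requests against an ordered rule list with a default of deny. The network addresses, subnets and service ports in the policy are hypothetical and were chosen for this example: a guest wireless subnet that may reach nothing inside, nursing-station desktops that may reach the resident database, any intranet host that may reach the records Web application, and the public that may reach only the facility's public Web site.

```go
package main

import (
	"fmt"
	"net/netip"
)

type Action int

const (
	Deny Action = iota
	Allow
)

func (a Action) String() string {
	if a == Allow {
		return "allow"
	}
	return "deny"
}

// Rule is one line of the policy. First match wins, so a specific block
// (the guest subnet) must come before the broad permit that would otherwise
// cover it (the whole intranet).
type Rule struct {
	Name   string
	Source netip.Prefix // network the request comes from
	Port   uint16       // destination service port; 0 matches any port
	Action Action
}

type Firewall struct{ Rules []Rule }

// Evaluate walks the rules in order and returns the first match. A request
// that matches no rule is denied: the lobby is open, every other door stays
// locked unless a rule explicitly unlocks it.
func (f Firewall) Evaluate(src netip.Addr, port uint16) (Action, string) {
	for _, r := range f.Rules {
		if r.Source.Contains(src) && (r.Port == 0 || r.Port == port) {
			return r.Action, r.Name
		}
	}
	return Deny, "default deny (no rule matched)"
}

// Decide parses a textual source address and evaluates it.
func (f Firewall) Decide(src string, port uint16) (Action, string, error) {
	addr, err := netip.ParseAddr(src)
	if err != nil {
		return Deny, "", err
	}
	a, why := f.Evaluate(addr, port)
	return a, why, nil
}

// facilityPolicy is a hypothetical ruleset for a nursing home network. The
// address ranges and ports are assumptions made for this example.
func facilityPolicy() Firewall {
	return Firewall{Rules: []Rule{
		{Name: "guest wifi may reach nothing inside", Source: netip.MustParsePrefix("10.9.0.0/16"), Port: 0, Action: Deny},
		{Name: "nursing stations to resident database", Source: netip.MustParsePrefix("10.1.0.0/16"), Port: 5432, Action: Allow},
		{Name: "any intranet host to records web app", Source: netip.MustParsePrefix("10.0.0.0/8"), Port: 443, Action: Allow},
		{Name: "public to the facility web site", Source: netip.MustParsePrefix("0.0.0.0/0"), Port: 80, Action: Allow},
	}}
}

func main() {
	fw := facilityPolicy()
	requests := []struct {
		ip   string
		port uint16
	}{
		{"10.1.4.7", 5432},   // nursing station to database
		{"10.5.2.2", 5432},   // other intranet host to database
		{"10.9.0.5", 443},    // guest wifi to records app
		{"203.0.113.9", 80},  // public to web site
		{"203.0.113.9", 5432}, // public to database
	}
	for _, req := range requests {
		a, why, err := fw.Decide(req.ip, req.port)
		if err != nil {
			fmt.Println("bad address:", err)
			continue
		}
		fmt.Printf("%-12s -> port %-5d %s (%s)\n", req.ip, req.port, a, why)
	}
}
```

Two details carry the security point. The default at the bottom is deny, so forgetting a rule closes a door rather than opening one; and rule order is part of the policy, since moving the guest-subnet block below the intranet permit would silently grant guests the records application.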
While not part of a firewall, an effective tool for managing access to information, both by internal and external parties, is so-called auditing software, which records who accesses a patient record and when. Some auditing software even automatically checks for anomalies such as one-time accessing or an unusual time of day for a request and flags them for immediate attention.
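As an added example, not code from the article or from any auditing product, here is the kind of check such software performs, written in Go over a constructed audit log. The log lines, user names and record identifiers are invented for the example, and the two rules implement the anomalies named above: access outside working hours (assumed here to be 06:00 to 22:00) and a user touching a given record only once in the period reviewed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed audit log for the example (not from any real system).
// Each line: timestamp user action record-id
const sampleLog = `1998-07-14T09:12:00 nurse_a view MRN-1043
1998-07-14T09:40:00 nurse_a update MRN-1043
1998-07-14T23:55:00 clerk_b view MRN-2210
1998-07-15T02:10:00 clerk_b view MRN-1043
1998-07-15T10:05:00 dr_c view MRN-1043
1998-07-15T10:30:00 temp_z view MRN-3307`

type AuditEntry struct {
	When   time.Time
	User   string
	Action string
	Record string
}

type Finding struct {
	Entry   AuditEntry
	Reasons []string
}

// parseLog reads the four-field format above and rejects malformed lines
// rather than skipping them: a gap in an audit trail is itself a finding.
func parseLog(raw string) ([]AuditEntry, error) {
	var entries []AuditEntry
	sc := bufio.NewScanner(strings.NewReader(raw))
	for lineNo := 1; sc.Scan(); lineNo++ {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", lineNo, len(f))
		}
		when, err := time.Parse("2006-01-02T15:04:05", f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", lineNo, err)
		}
		entries = append(entries, AuditEntry{When: when, User: f[1], Action: f[2], Record: f[3]})
	}
	return entries, sc.Err()
}

// isOffHours flags access between 22:00 and 06:00 (an assumed working day).
func isOffHours(t time.Time) bool {
	h := t.Hour()
	return h >= 22 || h < 6
}

// findAnomalies applies both rules to every entry, in log order, and returns
// only the entries that triggered at least one of them.
func findAnomalies(entries []AuditEntry) []Finding {
	type pair struct{ user, record string }
	counts := map[pair]int{}
	for _, e := range entries {
		counts[pair{e.User, e.Record}]++
	}
	var out []Finding
	for _, e := range entries {
		var reasons []string
		if isOffHours(e.When) {
			reasons = append(reasons, "off-hours access")
		}
		if counts[pair{e.User, e.Record}] == 1 {
			reasons = append(reasons, "one-time access to this record")
		}
		if len(reasons) > 0 {
			out = append(out, Finding{Entry: e, Reasons: reasons})
		}
	}
	return out
}

func main() {
	entries, err := parseLog(sampleLog)
	if err != nil {
		fmt.Println("audit log error:", err)
		return
	}
	for _, f := range findAnomalies(entries) {
		fmt.Printf("%s %-8s %-6s %s: %s\n", f.Entry.When.Format("2006-01-02 15:04"),
			f.Entry.User, f.Entry.Action, f.Entry.Record, strings.Join(f.Reasons, "; "))
	}
}
```

On the sample log the nurse who views and then updates the same record during the day is not flagged, while the clerk who looks up two different residents' records in the middle of the night is flagged on both counts. A one-time rule on its own is noisy (a physician's single consult is also flagged), which is why real products combine several signals before demanding immediate attention.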
In this era of electronic access there is another confidentiality issue that has always been a problem but which technology has heightened. How well do third parties who need access to your patient information protect it once they have it? It is not enough to simply limit access to other healthcare providers and managers on a need-to-know basis. You need to take every step to ensure that the data are used only for previously authorized purposes and that the third party has encryption procedures and firewalls in place. Because of the legislation mentioned above, this should not be a problem with the state and Federal governments. However, you should require signed acceptance of your information-control protocols by third parties that may have access to the information and have any third party accessing it be audited in the same way you audit your own usage.
Finally, there is one more consideration regarding the protection of confidential patient information on the Internet: Do not edge your way into use of the Internet. Don't start by simply responding to the suggestion that your nursing home establish a Web site, then connecting to the Net and beginning an uncontrolled, evolutionary process of Internet use. In a word, plan. Plan how you will use the Net, who will have access to it and for what purpose, what data you will allow to be accessed by whom, what safeguards you will install, and how and when you will review your Internet practices and procedures. And "plan" means do it beforehand.
The Internet is a great opportunity for better communication and data sharing, but remember, the easier something is to use, the easier it is to misuse.
David Patterson is a contributing editor to Nursing Homes/Long Term Care Management.
Date: Aug 1, 1998