Notes From the Front Lines: The Future of HIPAA, DICOM and Information Archiving in Cardiology
March 2002
In order to facilitate HIPAA compliance, what requirements should be considered essential for a cardiology information network?
HIPAA establishes standards for electronic data interchange and includes many provisions that hospitals must address. Health care providers must safeguard the confidentiality and privacy of the information they collect and use. While it was the vendors who needed to assure that their products were Y2K compliant, it is the hospitals who are responsible for assuring HIPAA compliance. That having been said, hospitals can be helped in achieving their compliance through the presence of several key features in a Cardiology Information System (CIS). These include:
1. User authentication
2. Event logging
3. Redundant off-site archival copies of the information
4. A non-volatile archival system
User authentication is a key capability that helps with establishing adequate procedures to assure confidentiality and security. Systems that cannot make direct use of a hospital's user authentication scheme should be avoided. In other words, a single point of managing and administering access rights for all users in the institution is the only practical solution that should be considered. A CIS that maintains separate user logon procedures and passwords is difficult to maintain and unlikely to conform to institutional policies, let alone HIPAA regulations.
Proper user authentication will assist with identifying the specific individual using an image review workstation, which in turn is essential for the next element of HIPAA compliance tools, namely the logging of user activity (event logging). A HIPAA compliance officer needs to be able to create a report of each user who accesses a patient's data, as a patient has the right to examine and obtain a copy of such a report. Ideally, this report can be generated from a single audit log maintained by all of the modules in the CIS. Without this capability, institutions will be unable to answer a patient's request for an audit trail and may be subject to fines and penalties since they would not be in compliance with HIPAA regulations.
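As an added illustration (not from the original article), the following shows how a single audit log assembled from differently formatted module logs can answer a patient's request for an access report, and how events that a module could not attribute to an authenticated individual stand out. The module names, log formats, user names and patient identifiers are constructed for the example.

```python
"""Merge per-module CIS access logs into one audit trail and report on one patient."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample logs from two hypothetical CIS modules with different formats.
# Image review workstation: "ISO-timestamp|user|action|patient_id"
# (second line has an empty user field: the workstation had no authenticated user)
WORKSTATION_LOG = """\
2002-03-04T08:15:02|jdoe|VIEW_IMAGES|MRN-10042
2002-03-04T08:17:45||VIEW_IMAGES|MRN-10042
2002-03-04T09:02:11|asmith|VIEW_IMAGES|MRN-20077
"""
# Hemodynamic monitoring module: space-separated key=value pairs
HEMO_LOG = """\
ts=2002-03-04T08:20:30 user=jdoe event=EXPORT_SR patient=MRN-10042
ts=2002-03-04T10:41:09 user=bkim event=VIEW_REPORT patient=MRN-10042
"""

@dataclass
class AuditEvent:
    when: datetime
    module: str
    user: Optional[str]  # None when the module could not identify the individual
    action: str
    patient_id: str

def parse_workstation(text: str) -> List[AuditEvent]:
    events = []
    for line in text.splitlines():
        ts, user, action, pid = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), "workstation", user or None, action, pid))
    return events

def parse_hemo(text: str) -> List[AuditEvent]:
    events = []
    for line in text.splitlines():
        kv = dict(field.split("=", 1) for field in line.split())
        events.append(AuditEvent(datetime.fromisoformat(kv["ts"]), "hemodynamics",
                                 kv.get("user") or None, kv["event"], kv["patient"]))
    return events

def unified_audit_log() -> List[AuditEvent]:
    """One chronologically ordered audit log covering every module."""
    return sorted(parse_workstation(WORKSTATION_LOG) + parse_hemo(HEMO_LOG), key=lambda e: e.when)

def access_report(patient_id: str, log: List[AuditEvent]) -> Dict[str, object]:
    """Every access to one patient's data; unattributed events are counted separately."""
    hits = [e for e in log if e.patient_id == patient_id]
    return {
        "patient_id": patient_id,
        "accesses": [(e.when.isoformat(), e.module, e.user or "UNKNOWN", e.action) for e in hits],
        "users": sorted({e.user for e in hits if e.user}),
        "unattributed": sum(1 for e in hits if e.user is None),
    }
```

A non-zero `unattributed` count is exactly the gap the article describes: without institution-wide authentication the log records that data was accessed but cannot say by whom.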
One of the most commonly overlooked HIPAA requirements is the need for a disaster recovery plan. The plan should allow the CIS to be restored in a reasonable and well-understood amount of time. Restoring multiple terabytes of data from hundreds of tape backups is not reasonable, and in itself is prone to failure should there be a problem with one of the tapes (unfortunately, this is not an unlikely scenario!).
Finally, this archival approach should be non-volatile and unalterable. Confidentiality may be compromised, not only by improper access to information (as discussed above), but also by the interception and alteration of the data. The repercussions in our healthcare system of having a patient's record either purposely or inadvertently altered will be very severe. The use of non-volatile media (DVD-R) helps to prevent this from happening.
DICOM, as a data interchange standard, is very important to healthcare. What are the latest developments?
DICOM Structured Reporting is continuing to gain momentum. This will be the method used by all major manufacturers to exchange measurement and procedure information among their various devices, and between their equipment and the CIS. When considering new equipment purchases, I would recommend obtaining a commitment from the vendor to support DICOM SR capability in the product. For example, a hemodynamic monitoring system should be able to export its measurement and procedure log information as a DICOM SR transaction.
The second exciting development is that we, the DICOM committee, will be finalizing the standards involving the specification of DVD-R as the next-generation DICOM interchange media by the end of 2002. This is critical as we are currently seeing 1024 x 1024 cath images that require up to 4 CD-Rs to interchange. Not only is this cumbersome, but it can also lead to loss of data if one of the CDs in the set is misplaced. Unfortunately, the DICOM standard does not have a way to specify concepts like disc 1 of 4, disc 2 of 4, etc. Working Group 1 has stated that it is an absolute requirement that an interchange standard must be ubiquitously readable, that is, capable of being read on any DVD-ROM reader, unlike DVD+RW, DVD-RW or DVD-RAM, which is the poorest performing and least compatible. DVD-R meets this requirement, and for the first time, the DICOM committee will have an interchange media that is already the ad hoc standard for archiving in the industry.