There is a change going on around the world regarding Healthcare Data, specifically Patient Identifiable Healthcare Data. This change is toward a more Secure and Private environment. GE Medical Systems and GE Medical Systems – Information Technologies recognize this new set of requirements and have charged the Global Connectivity Center with coordinating our response.
The GCC is gathering, collating, and putting into action a plan regarding regulations and best practices from around the world. Three particular regulations are the United States' Health Insurance Portability and Accountability Act (HIPAA), Europe's EC 95/46 Directive, and Japan's HPB 517. Some of the industry best practices come from the Common Criteria international initiative. In harmonizing these sources we find that, although there are some specific differences, there is a core set of Security and Privacy features common to all of them.
What is HIPAA?
The USA enacted the Health Insurance Portability and Accountability Act of 1996 to simplify healthcare administration by establishing national standards for healthcare e-commerce, including:
Standard electronic formats for insurance transactions - enrollment, encounters, and claims
Standard identifiers and codes for institutions, personnel, diagnoses, and treatments
Patient information confidentiality and privacy rules
Electronic patient record system security requirements
The final Department of Health and Human Services regulations addressing transaction formats were published in August 2000, and the privacy rule was published in December 2000. The security rule is expected in early 2001, and additional regulations will be published over the following year or so. Each regulation will go into effect two years after publication of the final rule.
How does an institution become compliant with HIPAA privacy and security rules?
HIPAA recognizes that the largest task in compliance is administrative rather than technical. That administrative task primarily involves policy and procedures: establishing a system security and information confidentiality policy, training all personnel in that policy, and appointing a security officer to monitor compliance with the policy. This is a significant challenge, as it requires consideration of the fundamental operational procedures of the institution.
HIPAA also recognizes that one size does not fit all. The proposed HIPAA regulations stress "reasonable and appropriate" security measures that address the particular institution’s security needs, risks, and business requirements.
On the technical side, each institution will need to assess its systems and their vulnerabilities, and evaluate compliance with both HIPAA and the institution’s own security policy. Compliance gaps will need to be remedied prior to the effective date of the regulations.
If I buy a system today, will it be HIPAA compliant?
There is no way to assert HIPAA compliance for software or hardware products. It is the organization that is compliant, not the products. A product that may be ideal for one organization may be totally inappropriate for another, because their needs, policies and procedures may be vastly different. Moreover, until the final regulations are published there is no way even for an organization to claim to be compliant with the HIPAA security rules.
Rather than asking about HIPAA compliance for products, it may be more useful to discuss the security features of products, and how those features mesh with the institution’s security procedures.
What is happening right now?
GE Medical Systems is fully committed to complying with all laws and regulations applicable to our products and services. The Global Connectivity Center has been charged with the coordination of our efforts:
Harmonizing all relevant regulations and guidelines with security best practices
Driving Privacy and Security into all GEMS products and services
Working with all the product leaders to assess and create action plans
GEMS seeks to reduce hospital deployment costs by taking a leadership role in defining common cross-vendor approaches [NEMA Privacy and Security Initiative] (see the NEMA press release). This effort will provide a solid foundation for hospitals and vendors to establish their respective responsibilities in the potentially complex environment of information system security.
GE will be happy to discuss your security needs and how our products enhance your ability to achieve Security and Privacy of Healthcare Data. Please check back on this site often for the most timely information regarding the GEMS HIPAA Initiative.