I have observed that one’s enthusiasm for the Health Insurance Portability and Accountability Act (HIPAA) depends on whether one takes the 300-mile-high view or is down in the trenches implementing. From above, HIPAA contains the antidote to a fragmented health care system, theoretically transforming a Tower of Babel into a smoothly functioning unit fluent in one-speak, with the noble intention of protecting the patient’s inalienable right to privacy. Not only does the regulation specify the standards and procedures by which it must be implemented, it even outlines a process by which providers can comply with the fuzzier security issues in a wise and responsible fashion: that is, perform a baseline assessment of current operations, and then gap analysis, risk assessment, and cost/benefit analysis.

HIPAA compliance was rated the number one concern of health care informatics executives in the Healthcare Information and Management Systems Society (HIMSS) 12th annual Leadership Survey. And compliance with HIPAA security regulations topped the executives’ list of security concerns, no doubt contributing to the fact that 63% plan to use digital certificates, Public Key Infrastructure, or biometric technologies within the next 2 years. However, HIPAA is hardly exclusive to information services.

While reviewing Soloman I. Appavu’s article on page 23, “Navigating HIPAA Challenges,” know that this is an initiative that is coming to your department in the near future if it is not already there. HIPAA may be an institution-wide initiative, but someone in the radiology department will be called on to take ownership and figure out how best to manage security and accountability for a specialty that has long since traversed departmental boundaries and now has global reach. The HIPAA mandate is said to be 80% administrative and 20% technology. For a very interesting look at what this could mean for radiology, go to the Web site of the Society for Computer Applications in Radiology, www.scarnet.org, where you can read the first chapter of Security Issues in the Digital Medical Enterprise, edited by Eliot L. Siegel, MD, Bruce I. Reiner, MD, and Samuel J. Dwyer III, PhD. It is a sobering and eye-opening discussion of the clinical impact of security on diagnostic imaging, and it underscores the idea that the way in which radiology responds to HIPAA may very well determine how broad, or how narrow, the future of digital imaging communications will be.

HIPAA compliance is a topic we will continue to cover as the radiology community determines how it will meet the challenge of widening access to images while simultaneously battening down the security hatches. I encourage you to share with us your compliance strategies and anecdotes. Meanwhile, here are Appavu’s process recommendations for achieving HIPAA compliance:

1. Implement the transaction, identifier, and code set standards, and ensure that both the automated and manual systems are in compliance, and monitor their ongoing adherence.

2. Perform the baseline assessment, risk analysis, and gap analysis outlined in the regulation to determine the new policies and processes, and the operational changes, required for HIPAA compliance.

3. Based on these assessments and a cost/benefit analysis, determine the additional security measures, standards, tools, methods, technology, and audit control that would be necessary to achieve compliance.

4. Implement the identified policies, processes, security standards, and technology; establish procedures for enforcement and sanctions; continuously audit the compliance; and take corrective actions.

5. Backed by a thorough evaluation, certify HIPAA compliance via a third party or self-certification.

May the Force be with you.

Cheryl Proval

[email protected]