HIPAAWFUSM - PowerPoint PPT Presentation

About This Presentation
Title:

HIPAAWFUSM

Slides: 11
Provided by: PHS29

Transcript and Presenter's Notes

1
HIPAA_at_WFUSM
  • By
  • Scott Rushing
  • Wake Forest University School of Medicine

2
Health Insurance Portability and
Accountability Act or... Hell Imposed on
Physicians And Administrators..
3
HIPAA_at_WFUSM
  • What HIPAA is to a System Manager
  • What HIPAA means for us
  • HIPAA's major points of concern
  • What our Institution is doing
  • Our first meeting with WFUSM HIPAA Reps
  • What we are doing
  • Conclusion

4
HIPAA_at_WFUSM
  • What HIPAA is to a System Manager
  • Monitoring Consents
  • Verification that consents have been obtained
  • Audit trails
  • Audit all data access
  • Documenting Disclosures
  • GSP: Good Security Practices
  • Authentication controls, audit controls, physical
    access
  • You cannot afford to be relaxed in this area!

5
HIPAA_at_WFUSM
  • What our Institution is doing
  • Established several HIPAA committees
  • EDI/Transaction processing
  • Privacy
  • Security
  • Having routine meetings with each Department
  • Updating all Security and Privacy policies
  • Updating/establishing basic guidelines for
    securing data, minimum configurations for
    computerized systems
  • Reviewing existing applications and application
    development practices to be sure they are in line
    with guidelines.

6
HIPAA_at_WFUSM
  • Our first meeting with WFUSM HIPAA Reps
  • They left overwhelmed!
  • No clear understanding of research in general, or
    the impact of HIPAA on research.
  • Most efforts thus far have focused on EDI
    systems, billing, organizing subsidiaries,
    Institution-wide issues, etc.
  • No clear understanding of how Covered Entity
    applies to clinical research projects
  • Seemed overwhelmed by the amount of data we
    manage, the number of systems we administer and
    the number of projects we contribute to.
  • But they want to HELP!

7
HIPAA_at_WFUSM
  • What we are doing
  • Reviewing the regulations (including 21 CFR 11)
  • Participating in Institutional Committees
  • Your Institution has them too
  • Attending applicable conferences when possible
  • Refreshing to find we are no further behind than
    anyone else
  • Developing a plan to identify all repositories
    that are covered under HIPAA and all points of
    access to those repositories
  • How do we secure and audit all activity in these
    repositories?
  • How much is enough?

8
HIPAA_at_WFUSM
  • What we are doing
  • Review any Institutional SOPs on Security,
    Privacy and Network Access
  • Do they apply to us?
  • Do we meet these guidelines?
  • Update of our SOPs on Security, Privacy and
    Network Access
  • If you don't have any, you probably should!
  • Testing new desktop security systems
  • biometric login devices
  • Finger scanners/Biologin software which would be
    present on the domain.
  • Password restricted screensavers tied to
    biometric devices

9
HIPAA_at_WFUSM
  • What we are doing
  • Asking questions
  • Do I have to audit ALL access to data or just
    changes?
  • If so, how do I audit developers using
    development tools such as query building tools
    that hit the DB?
  • How do I audit systems and tools that don't go
    through my authentication systems? CF Studio for
    example.
  • What does Anonymized data really mean?
  • Trying to understand the terminology
  • Covered entities, Disclosures, anonymized,

10
HIPAA_at_WFUSM
  • Conclusion
  • Recognize that HIPAA is NOT going away, though it
    may be changed
  • Use the resources at your Institution to your
    best advantage
  • Update/create appropriate SOPs
  • Implement proper security and audit mechanisms
    for all data repositories, systems/servers and
    applications
  • Implementation of proper physical security
  • Continue to work with the Institution because
    THEY WANT TO HELP!