Role of Equipment Manager in HIPAA - PowerPoint PPT Presentation
Role of Equipment Manager in HIPAA & HIPAA and Medical Device Standards Organizations (e.g., DICOM, IHE)
Charles Parisot, GE
Role of Equipment Manager in HIPAA
Policy versus Technology
[Chart: Risk Mitigation plotted against Policy & Procedure and Technology, each ranging from Minimum to Maximum]
Example: Employee Termination Process
[Chart: the same Policy & Procedure versus Technology axes, Minimum to Maximum, with the four options below placed along them]
- Policy: Retrieve physical key and manual records of key ownership. Technology: Lock CT room.
- Policy: Removal of account at each CT. Technology: Local user login into CT & video surveillance.
- Policy: Singular account removal and audit usage. Technology: Centralized user login.
- Policy: Singular account removal. Technology: Biometric fingerprint access control to CT scanner.
Looking for HIPAA Compliant Equipment?
No vendor can make HIPAA-compliant products, but products can be made that make it easier for CEs to comply with HIPAA.
If you are offered a "HIPAA Compliant" product, be careful.
Security and Privacy: NEMA Introduction to HIPAA
Key Security and Privacy Features in Medical Devices
- Locally managed logins for all operators
- Password control (size, content, pattern, age)
- User account maintenance (disable, one-time, reports)
- Auto logoff
- Device-to-device authentication (device ID and list)
- Log all security events and changes to configuration
- Access to audit logs restricted
- Configuration lockdown, secured operating system
- Integrity control on data
- Emergency access to device
What lies ahead….
- An increasing number of systems become networked
- The boundary between medical devices and medical information systems is blurring
- Security/Privacy and connectivity become significantly interdependent
- Security/Privacy and connectivity both require an overall healthcare enterprise perspective
Articulating the various pieces
[Diagram: layers from Healthcare Institution Policies down to Product]
- Healthcare Institution Policies
- Enterprise-wide Integration Frameworks, e.g. IHE
- Medical Industry Solutions, e.g. NEMA
- Security and Communication Standards: HL7, DICOM, W3C, etc….
- Product
Information Management Systems (multiple access points, large number of records)
- Permanent network storage
- Multiple access points
- Workflow spread around systems
- Integrated information systems, e.g., CT + MR + PACS; Hemodynamics + Cath Lab IS; EKG carts + Stress + Cardio IS
Devices (single use, single concurrent user, minimum number of records)
- Minimal UI, embedded processor, e.g., ECG, Stress
- Standalone, limited network, e.g., CT, MR, US
- Standalone, special purpose, e.g., Monitoring
Security/Privacy Architectures
Service (Remote Interface)
- Maintenance center access to systems
- Service back-office
- Reactive service
- Preemptive service
- e.g., Remote CT scanner maintenance
[Diagram: Remote maintenance center connected to Hospital]
Scope of NEMA Privacy and Security
All systems, devices, components, and accessories used in medical imaging informatics, as described for the NEMA Medical Imaging Informatics Section (http://www.nema.org/nema/medical/annual/9ps.asp), with respect to health information.
International data security and data privacy legislation, currently focusing on the European Community, Japan, and the United States of America.
Mission
Ensure a level of data security and data privacy in the health care sector that meets legally mandated requirements in ways that are reasonable and appropriate, to reduce the costs of compliance to our customers.
Strategy - Action
- Publish common interpretations of data security and data privacy requirements for health care imaging systems in the EC, Japan, and US as industry positions, in order to: target consistent approaches in the global market; avoid incompatibilities between institutions exchanging data; guide implementation of privacy and security measures.
- Advocate common industry positions on privacy and security issues that require interpretation.
- Develop solution recommendations based upon industry standards.
Accomplishments
The first white papers are published:
- Security and Privacy - An Introduction to HIPAA (Feb. 2001): an educational paper on HIPAA to be used for management and customer education; an interpretation of data security and data privacy regulations as provided by HIPAA; contains no technological specifications.
- Security and Privacy Requirements for Remote Servicing (Apr. 2001).
Continuing with white papers on: Audit Controls; Suggested allocation of security rules; Modality Requirements.
The Remote Servicing Problem
Remote servicing and support of medical systems is critical:
1. For medical devices such as imaging modalities
2. For information systems such as PACS and RIS
3. Reducing the downtime of such systems is critical
4. Local servicing and remote servicing are both needed
Healthcare enterprises use many such systems:
1. Provided and maintained by different vendors
2. An increasing number of these systems are networked
3. These systems create and manage patient data
4. Regulations in many countries require that care institutions take proper measures
The problem: facilitating remote servicing while assuring care institutions of the security and privacy of their operation.
Remote Servicing Infrastructure
[Diagram: Remote Servicing Center A and Remote Servicing Center B connect over an Access WAN to the Access Point of Care Institution 1 and of Care Institution 2; behind each Access Point, the institution's Internal Network hosts Vendor A Equipment, Vendor B Equipment and Other Equipment]
Remote Servicing Logical Access
[Diagram: logical access paths over the same topology, from Remote Servicing Center A and B, across the Access WAN and each institution's Access Point and Internal Network, to the Vendor A, Vendor B and Other Equipment]
Requirements
Remote Servicing Center and vendor equipment in the care institution communicate with mutual security and privacy:
1. Reduce overall costs by sharing remote servicing infrastructure (Access WAN, Access Point, Internal network, Procedures) for servicing equipment from multiple vendors across multiple care institutions.
2. Define a limited number of supported WAN access and internal network technologies.
3. Each Remote Servicing Center shall only be provided access sessions to the equipment it services, with proper access control.
4. Each remote servicing session shall be logged by the remote servicing center (why, who, what, when).
5. Policy and procedures shall be defined for when vendor personnel perform a remote servicing session in which identifiable patient data is handled.
6. Security measures and policies at the vendor remote servicing center shall ensure isolation between care institution internal networks.
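Requirements 3, 4 and 6 above can be enforced at the Remote Servicing Center by a small session broker. The following is an added example, not code from the NEMA white papers; the center names follow the slides, while the serviced-equipment inventory, device identifiers, engineer names and reasons are constructed for illustration.

```python
"""Added example: a session broker for a vendor's Remote Servicing Center.
It grants a session only for equipment the center services (requirement 3),
keeps each institution's equipment in its own context (requirement 6) and
logs why, who, what and when for every attempt (requirement 4)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed inventory: equipment each Remote Servicing Center services,
# keyed by care institution. Other vendors' devices are never listed here.
SERVICED_EQUIPMENT = {
    "Remote Servicing Center A": {"Care Institution 1": {"CT-01", "MR-02"},
                                  "Care Institution 2": {"CT-07"}},
    "Remote Servicing Center B": {"Care Institution 1": {"PACS-01"}},
}


@dataclass
class SessionLog:
    entries: list = field(default_factory=list)

    def record(self, center, who, what, why, granted, reason=""):
        # Requirement 4: why, who, what, when; denials are kept as well, so
        # the care institution can audit attempts against its equipment.
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "center": center, "who": who, "what": what, "why": why,
            "granted": granted, "reason": reason,
        })


def request_session(log, center, engineer, institution, device_id, why):
    """Return True if the remote servicing session may be opened.

    A session needs a stated purpose, and the target must be in the
    center's own list for that institution: a device the same vendor
    services elsewhere is still denied, so one institution's internal
    network is never reached from another institution's context."""
    target = f"{institution}/{device_id}"
    if not why.strip():
        log.record(center, engineer, target, why, False, "no purpose stated")
        return False
    serviced = SERVICED_EQUIPMENT.get(center, {}).get(institution, set())
    if device_id not in serviced:
        log.record(center, engineer, target, why, False,
                   "equipment not serviced by this center")
        return False
    log.record(center, engineer, target, why, True)
    return True
```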
Feedback to NEMA is welcome: MII Section Industry Manager: Vastagh, Stephen, ste_vastagh@nema.org
Role of Standards in HIPAA
Communication Standards
- HIPAA includes the definition of Claim Attachment EDI Transactions: a limited number of transactions, focused on hospital insurances.
- Many other network exchanges of patient information are needed within the hospital; HIPAA will not standardize those transactions, so the HIPAA impact needs to be managed.
- In fact there is a significant deficit of integration in most healthcare enterprises today......
Why Does Healthcare Need Integration?
- In the enterprise, computer systems don't talk to one another
- Islands of data isolated in departments and systems
- Integrating disparate systems is costly and difficult
- Mandatory compliance with regulations like HIPAA requires coordination
What are the Technical Challenges to Integration?
- Different standards: DICOM, HL7, etc.
- Different interpretations/implementations
- Redundancies and gaps between standards
Technical Challenges to Integration
- Different information models
- No common vocabulary for integration
- No agreed system boundaries
- Limited guarantee of interoperability of compliant applications
What are the Resulting Problems?
- Disconnected information flows
- Inconsistent identifiers
- Reliance on human links for information exchange
What are the Resulting Problems?
- Disconnected workflows: administrative information not fed into the workflows of departments; 59 steps from ordering to getting a CXR report before integration, slow and prone to data entry error
- Disconnected procedures: difficult to integrate patient history, scheduling, examination, diagnosis, reporting, billing, etc.
Radiology Workflow
- Study at Baltimore VAMC documented 59 steps in the process from physician ordering a chest x-ray until the report is back on the chart!
- Can eliminate most of these by analyzing and redesigning the workflow process
Slides Courtesy of Dr E. Siegel
Radiology Workflow 1989
Clinical Scenario
- Patient with cough and fever 1 day post-operatively needs to be evaluated for atelectasis or pneumonia
The Relay Race begins! Follow the baton…
1989 Workflow
59 steps are required and result in 2-3 days from when the study was requested until the report was placed into the chart and available for review
Integrated Workflow Made Practical using IHE Functionality
Radiology Workflow IHE 2001
- Doc orders study on computer
- Transportation of patient
- Tech brings up pt. using modality worklist at the Direct Rad system
- Tech obtains images (DR)
- RIS updated by MPPS
Radiology Workflow IHE
- Tech Q/C's study (PACS auto-verifies receipt of study)
- Transportation
- Radiologist presented with studies at workstation and dictates using voice recognition
- Report automatically available for clinician review on RIS
Impact of Workflow Redesign
- Reduction from 59 to 8 workflow steps!
- Reduction in time from 2-3 days to 2 hours
- Increased productivity of technologists by 40%
Impact of Workflow Redesign
- Increased productivity of radiologists by more than 40%
- Removal from workflow "loop" of radiology clerk, transcriptionist, medical administration clerk, ward clerk and nurse
Impact of Workflow Redesign
- Elimination of need for film room clerk, dark room tech (and transcriptionist, with voice recognition) from department
- Workflow steps eliminated not due to PACS or electronic information systems but due to integration of the systems
Ultimate Consequences
- Departments and healthcare providers work less efficiently
- Key data may be missing at the point of care
- Higher potential for medical errors
- Costs are higher, quality is lower
- Barriers to optimal patient care persist
- HIPAA implementation is much more difficult
IHE Offers a Solution
- Users and vendors work together to implement standards
- Intensive process with annual cycles ending in . . .
- Public demonstrations: provide incentive for integration work; validate integration work accomplished; promote standards-based integration to users/purchasers
How Do Users Use IHE?
- IHE is not a product; it is an approach to product development that vendors use to facilitate integration
- Purchasers specify support of IHE Integration Profiles in RFPs for imaging modalities, PACS, and hospital and radiology information systems to achieve the integration capabilities specified
How Do Users Use IHE?
- Integration Profiles group related transactions and connect them with real-world functions
- Integration Profiles allow users to focus on high-level integration while IHE handles the details
7 IHE Integration Profiles
- Presentation of Grouped Procedures: subset a single acquisition
- Patient Information Reconciliation: unknown patients and unscheduled orders
- Consistent Presentation of Images: hardcopy and softcopy grayscale and presentation state
- Access to Radiology Information: consistent access to images and reports
- Key Image Notes: exchange flagging of significant images
- Simple Image and Numeric Reports: exchange simple reports with image links and, optionally, measurements
- Scheduled Workflow: admit, order, schedule, acquire images, notify of completed steps