Privacy and the urodynamics clinician
The U.S. federal government takes managing patient records for any element of healthcare very seriously. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the foundation of patient-information control, particularly—but not exclusively—when such information becomes as portable as it does in electronic form. Since the act was passed by Congress, several revisions and clarifications have been approved. Most important is the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule, in short), the final rule of which was issued by the Department of Health and Human Services, and was put into effect on October 15, 2002.*
Maintaining confidentiality
Urodynamics involves more than just the measurement of pressures and flow rates. Proper assessment of pelvic-floor disorders uses computer applications to gather judicious proportions of objective (urodynamics, patient medical history) and subjective (symptom scores, quality-of-life assessments) data points. The same equipment that gathers this information also uses electronic filing systems, can be connected into networks, and often integrates into hospital information systems where electronic medical records are accessed and viewed by various parties. Thus there is a wealth of data to be managed in terms of not only clinical research but also patient confidentiality.
With regard to computer-held information, the responsibility for HIPAA compliance normally lies with an institution’s IT (information technology) department; however, if a hospital, clinic, or office does not have an IT department, that does not circumvent the need to comply with HIPAA regulations. This pertains likewise to a medical device that normally runs on its own and is not connected to a network: As long as patient information is held on that device, safeguards must be implemented so that patient confidentiality is sufficiently controlled as per the Privacy Rule. Ultimately, a healthcare provider must ensure that a patient’s medical records are properly maintained through any methods available. Electronic medical records (including test results) are highly portable, and controlling patient identification becomes much more difficult when moving, copying, and/or emailing test results. With the popularity of multicenter drug and device trials, complying with HIPAA laws while addressing test-reporting requirements of clinical-trial protocols can become a daunting task. Laborie Medical’s latest software options allow full test disclosure with regard to data points but, through encryption, specific patient identification details are masked from all but authorized viewers.
Further problems lie in electronic data-presentation technology (for example, PowerPoint) that allows for the direct importation of study results. How often do people forget to blank out a patient’s name before finalizing the presentation?
Portable computing devices, such as laptops, that contain urodynamics software can be stolen or misplaced. Desktop computers are upgraded, replaced or repaired; how is patient confidentiality retained when technicians work on equipment or the hardware is removed (even temporarily) from the clinic for any reason? Devices that store urodynamics results should have strong encryption—perhaps hardware encryption keys and proprietary binary files (as opposed to standard industry file formats)—to protect patient privacy.
Auditing your devices
Ways of complying with HIPAA are manifold, but the best solution is to perform an audit on your devices with the help of the equipment’s manufacturers, looking for any device or software that contains patient information and could be vulnerable to access by non-authorized persons. You should be sure to audit any device that contains non-volatile memory or has a network connection. (Non-volatile memory retains its contents even if the power to the device is switched off.) CD/DVD drives, flash disk drives, memory sticks, external and internal hard disks, floppy drives, network connectors such as Ethernet hubs, and modems are all devices that affect storage and data access.
Such an audit is a key first step, but you should not stop there. Log-in policies, which many hospital IT departments have already established, must be applied to urodynamics equipment as well. The equipment must also be physically secure: simple hardware solutions ranging from cable locks for laptops to sophisticated biometric fingerprint readers for sensitive data repositories are some of the many offerings available today.
Asset-tracking services can even provide recovery of laptop and desktop computers should these critical pieces of equipment go missing. Asset tracking starts with the loading of a hidden program that sits on the system. Once activated, the program can be used to locate and even disable a hard disk containing sensitive information, all occurring in the instant when the stolen computer connects to the Internet.
Choose privacy-protection solutions carefully and according to your specific needs. Using all of the possible solutions together can hinder the normal functioning of a busy clinic.
LABORIE actively helps its clients to comply with HIPAA. Annual maintenance agreements with our service department provide for updated encryption software and hardware. You can also ask your LABORIE representative to assist in arranging an internal HIPAA audit on your equipment, even if it is not a Laborie urodynamics device. We can offer you helpful pointers as to how compliance with the law can be achieved in the most cost-effective manner, and we can provide an added layer of security for you and your patients.
* You can download the document at http://www.hhs.gov/ocr/hipaa/privrulepd.pdf


