The Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States fosters health insurance coverage for workers and their families, and requires national standards for electronic health care transactions.
The law’s privacy provisions include protection of information related to any individual’s health status, provision of health care, or payment for health care. There are also additional health privacy laws specific to California. Internationally, there is a patchwork of health privacy laws around the world, from Argentina to Uruguay, including laws throughout Europe, Central Asia and Australia.
Role of physical security in safeguarding data
Physical security systems can play a big role in helping to keep patient information safe and private, as required by various laws. For example, AMAG has developed new capabilities within its Symmetry family of products that allow healthcare institutes to demonstrate their compliance with HIPAA. Compliance reporting is a key area and has been a focus for AMAG, says Dave Ella, Vice President of Product Marketing, AMAG Technology.
Hospitals and healthcare facilities install AMAG’s Symmetry access control system and Symmetry CompleteView Video Management to manage and control access and provide HIPAA compliance throughout their buildings and campuses. Security plan policies and procedures need to protect a healthcare facility, says Ella. Automatically reviewing access permissions for employees, contractors and visitors on a regular basis is a key aspect of the plan, and AMAG’s Symmetry CONNECT product is designed for that purpose. Also, capabilities within the system make documentation of adds and changes to the security system more straightforward. They include the ability to add drawings, documents and notes to any device within the system.
Demanding regulatory environment
Legislation like HIPAA, which establishes U.S. standards for privacy and security, impacts hospital access control policies and procedures, says Sheila Loy, Director Healthcare Strategies, North America, HID Global. In fact, HIPAA is just one element in a demanding regulatory environment. The need to comply is complicated in hospitals by security threats in an environment with high traffic volumes and complex staffing requirements, Loy adds. For instance, in California, hospitals must report any security breach event, after which the California Department of Public Health (CDPH) checks policies, practices and audit trails, and executes inspections and assesses fines.
Often, hospital administrators must also follow federal guidelines established by the Centers for Medicare and Medicaid Services (CMS) that, at times, conflict with state rules and result in fines.
Other entities that set security guidelines include the Joint Commission accreditation and certification body, which has oversight for physical building security, water, safety, fire, and other security processes; and the Det Norske Veritas (DNV), an independent foundation that works with healthcare authorities and providers to manage risk and improve healthcare delivery. Today’s access control platforms enable hospitals to improve risk management and comply with new legislation or regulatory requirements. For instance, HIPAA imposes strict requirements for accessing medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.
HID Global offers comprehensive healthcare security solutions to create a safe, compliant environment for patients and employees. The company’s solutions: provide secure access to healthcare facilities and supplies; enable hospitals to identify and manage hospital visitors; provide electronic audit trails to protect patients and staff; ensure HIPAA compliance for patient records; and enable organisations to leverage existing access control cards for additional services to offer convenience and create operational efficiencies.
Need for versatile authentication platform
Health data is at least as valuable as financial data in the online banking industry, where a layered system approach is used to ensure that appropriate risk mitigation levels can be applied, says Loy. Even though patients don’t access healthcare information as frequently as do online banking customers, and aren’t protected by the same regulatory compliance requirements, they can benefit from the same multi-layered authentication mechanisms, both inside and outside the hospital. Healthcare organisations need a versatile authentication platform with real-time threat detection capabilities in order to effectively implement the critical five layers of security including user authentication, device authentication, transaction authentication with pattern-based intelligence, browser protection, and application security, says Loy.
Access control systems can be used to help protect access to patient records and other controlled materials, adds Robert Laughlin, President, Galaxy Control Systems. By using higher-security credentials for access control readers, such as biometrics, medical facilities can increase their confidence levels that they are only providing access to authorised individuals and creating an audit trail for reporting or review. Galaxy access control systems can be integrated with a wide range of readers, including high security biometric readers.
Ensuring privacy with video surveillance
Video systems are also impacted by HIPAA in the United States and by similar privacy legislation around the world. When a physical security system is installed in a healthcare environment, patients’ privacy must be protected according to HIPAA’s specific rules, says Jason Ouellette, Product Line Director – Access Control, Tyco Security Products. A patient’s PII – or personally identifiable information – must be protected. PII is any information that can be used to uniquely identify, contact or locate an individual, or that can be used with other sources to uniquely identify a person.
With video surveillance, cameras must be positioned in such a way that they don’t violate HIPAA laws, says Ouellette. If a camera is pointed to a computer screen or something else that contains a patient’s PII, there must be an option to draw a privacy window within the frame so that a patient’s sensitive information isn’t easily accessed or compromised.
Challenge of megapixel cameras
Furthermore, the use of megapixel cameras can increase the challenge. HIPAA and similar requirements can indirectly impact video systems in ways not thought of before the advent of megapixel surveillance cameras, says Jeff Whitney, Arecont Vision’s Vice President of Marketing. On one hand, video surveillance systems are more effective than ever at protecting medical records storage and access to other confidential information.
On the other hand, it is now equally important to consider the field of view of a high-megapixel camera, says Whitney. A camera placed over a cashier may yield images with discernible credit card numbers on a screen within the field of view, on documents, or on the credit card itself. Medical records may similarly be picked up in detail by a high megapixel camera. Therefore, it is necessary to ensure that the integrator selected to install a video surveillance system understands the objective of each area of coverage, and what should not be included.
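The privacy window described in the surveillance section and the field-of-view concern raised here come together in one mechanism: a region of the frame that is blanked in the pixel data before the frame is recorded or exported. The following is an added example, not Tyco's, Arecont's or any vendor's code. It models a frame as rows of 8-bit grayscale pixels and a privacy window as an (x, y, width, height) rectangle; the frame size, the "screen" region and the window coordinates are constructed for illustration. It also includes the check a commissioning walkthrough would want: confirming that a region known to show a monitor or paperwork is entirely inside a privacy window, rather than only partly covered.

```python
"""Privacy masking of a video frame before storage (added example).

The mask is applied to the pixel data itself, not drawn as a display
overlay, so the masked region cannot be recovered from the stored frame.
Frame contents and coordinates below are constructed, not captured video.
"""


def make_frame(width, height, fill=128):
    """Create a blank grayscale frame as a list of rows."""
    return [[fill] * width for _ in range(height)]


def paint_region(frame, region, value):
    """Simulate content (e.g. a monitor showing a record) in a region of the frame."""
    x, y, w, h = region
    for r in range(y, y + h):
        for c in range(x, x + w):
            frame[r][c] = value
    return frame


def apply_privacy_windows(frame, windows, fill=0):
    """Return a copy of `frame` with each (x, y, w, h) window overwritten by `fill`.

    Windows are clipped to the frame bounds so a window that extends past the
    edge (an easy mistake when adjusting a camera) is applied rather than raising.
    """
    height = len(frame)
    width = len(frame[0]) if height else 0
    out = [row[:] for row in frame]
    for (x, y, w, h) in windows:
        x0, y0 = max(0, x), max(0, y)
        x1, y1 = min(width, x + w), min(height, y + h)
        for r in range(y0, y1):
            for c in range(x0, x1):
                out[r][c] = fill
    return out


def region_fully_masked(frame, region, fill=0):
    """True only if every pixel of `region` carries the mask value.

    Use this at commissioning time: a window that covers most of a screen
    still leaves the uncovered strip readable on a high-megapixel camera.
    """
    x, y, w, h = region
    return all(frame[r][c] == fill
               for r in range(y, y + h) for c in range(x, x + w))


# Constructed scene: a 16x8 frame with a "screen" occupying columns 2-7, rows 1-4.
SCREEN_REGION = (2, 1, 6, 4)


def demo():
    frame = paint_region(make_frame(16, 8), SCREEN_REGION, 200)
    masked = apply_privacy_windows(frame, [SCREEN_REGION])
    return masked


if __name__ == "__main__":
    result = demo()
    print("screen fully masked:", region_fully_masked(result, SCREEN_REGION))
    for row in result:
        print("".join("#" if px == 0 else "." for px in row))
```

Because `apply_privacy_windows` returns a new frame and `region_fully_masked` is a pure check, the same two functions can be run over a recorder's stored frames as a periodic audit, not only at install time.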
Integrated security systems aid faster compliance
Faced with a number of local, state and national regulatory guidelines, security directors within healthcare facilities must be able to improve hospital security and insulate the organisation from potential liability claims, says Kyle Cusson, Business Development Manager, Healthcare, Pelco by Schneider Electric. “That means implementing a surveillance system that allows multiagency cooperation and response,” he says. “Keeping all of this in mind, having a video surveillance system that integrates with the necessary emergency and fire alarm systems, access control and other systems can promote an institution’s compliance with regulatory agencies by providing proof that the organisation’s assets are safe and secured.”
Finally, there is the issue of access to video. In today’s regulation-focused market, healthcare organisations must strictly control who has access to video, says Brandon Reich, Senior Director of Surveillance Solutions, Pivot3. Servers and storage are typically easier to secure because these devices are traditionally deployed in controlled locations, sometimes on closed networks and often under the supervision of IT. Client access is more difficult to control – security personnel, management and even first responders need access to video, and their devices are typically unsecured. This can translate into a potential HIPAA violation, especially if data is accessed by unauthorised people.