Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t i n g a n d O R M a t e r i a l s M a n a g e m e n t

How Does HIPAA impact Hospitals All inter-organization standard electronic transactions have to be in compliance with HIPAA standards. These are 1.Health claims or equivalent encounter information. 2.Health claims attachments. 3.Enrollment and disenrollment in a health plan. 4.Eligibility for a health plan. 5.Health care payment and remittance advice. 6.Health plan premium payments. 7.First report of injury. 8.Health claim status. 9.Referral certification and authorization. 10.Co-ordination of benefits Security and Electronic Signature Standards Privacy and Individually Identifiable Health Information Standards Unique health identifier (based on standards) to be developed for Individuals, Employers, Health plans, and Health care providers. HIPPA Requires Key implications for Hospitals (in order of priority) Ensuring Security of all Patient Data, electronic or otherwise Ensuring Privacy of all individually identifiable health information Enabling Electronic Transactions –for referral, benefits co- ordination, billling advice for patients –for handling all insurance needs of employees

W e b e n a b l i n g Pa t i e n t A d m i t t i n g a n d O R M a t e r i a l s M a n a g e m e n t Potential HIPAA Lapses at Hospitals  A university medical center employee sold a well known singer’s medical records to a tabloid  A congressional candidate sued a hospital for exposing her suicide attempt details  A banker member of a state health commission accessed a list of local cancer patients and cross- referenced it to a list of his customers. He then called in their loans Real Anecdotes Potential Lapses at HSS (based on our observations) Patient Data stored in insecure paper based format Easy access and modification Easy duplication Readily accessible by unauthorized agencies e.g. Medical Equipment suppliers, Hospital junior staff, inquiring public! No chain of trust partner agreements with other agencies needing access to patient data leading to no indemnification in case of misuse by partners No tracking of disclosures No electronic transactions capability to send or receive standard transactions Non compliance penalties Civil penalties at $100 per violation Criminal penalties – up to 10 years imprisonment and $250,000 Possible civil litigation Damage to reputation

W e b e n a b l i n g Pa t i e n t A d m i t t i n g a n d O R M a t e r i a l s M a n a g e m e n t Activity List for HIPAA Security Compliance Administrative Procedures Physical Safeguards 1.Certification 2.Chain of trust partner agreement 3.Contingency plan 4.Formal mechanism for processing records 5.Internal Audit 6.Personnel Security 7.Security Configuration Management 8.Security Incident Procedures 9.Security Management Process 10.Termination process 11.Training 1.Assigned Security Responsibility 2.Media Controls 3.Physical Access Controls 4.Policy on workstation use 5.Secure Workstation location 6.Security Awareness training Technical Security Services 1.Access Control 2.Audit Control 3.Authorization Control 4.Data Authentication 5.Entity Authentication Technical Security Mechanisms 1.Communications / Network Controls 2.Alarm 3.Audit Trail 4.Encryption 5.Integrity Control 6.Message Authentication 7.Access Control Administrative Security ProceduresTechnical Security Procedures

W e b e n a b l i n g Pa t i e n t A d m i t t i n g a n d O R M a t e r i a l s M a n a g e m e n t viaMD Ensures Compliance to HIPAA Technical Security Aspects Access control (Including a procedure for emergency access) Context-based access Role-based access and surrogating User-based access Encryption (optional) Authorization Control Role-based access and surrogating User-based access. Entity Authentication Automatic logoff Unique user identification AND Biometric Password PIN Telephone callback Token Technical Security Mechanisms Communications/network controls Integrity controls Message authentication Access controls Encryption Requirements for networks with external access: Alarm. Audit trail. Entity authentication. Event reporting. System designed currently for Password and Secure dynamic PIN based access. Can be upgraded to incorporate other secure access mechanisms

W e b e n a b l i n g Pa t i e n t A d m i t t i n g a n d O R M a t e r i a l s M a n a g e m e n t viaMD Security Design Incorporates Elements for HIPAA Compliance viaMD Security Features Secure storage and retrieval at viaMD hosting center Identification/ Authentication and Logout System events audit Role based access control Transaction back-out capability Disclosure accounting Data encryption Minimum disclosure Restriction request De-identification Notice of Information Practices HIPAA Relevance Unique user identification, secondary authentication and automatic log-off Audit trail Role, context and user based access control Contingency plan Minimum and accounted disclosure User discretion and surrogate access Partner agreements Secured access through SecurID devices is under consideration

W e b e n a b l i n g Pa t i e n t A d m i t t i n g a n d O R M a t e r i a l s M a n a g e m e n t High Level Technical Architecture Web Server Web Application Server DB Server (Business Data) DNS Server (from data center) Internet Firewall (service from data center) Clients (Hospitals, Surgeons, other designated entities) Admin, Partners & External Services (Suppliers / viaMD hub admin) viaMD Internet Service Zone Internet SMTP (mail) Server Only Secure Connection* Logs Archives Secure & non-secure Data