Is Your PACS HIPAA & HITECH Compliant?

While the integration of technology into the healthcare industry came with a myriad of benefits including scalability, flexibility, easier communication, and cost efficiency, it also brought a plethora of security risks that compromise the safety of patients’ private information and data.

Medical images now exist in the Digital Imaging and Communications in Medicine (DICOM) format, a standard that brings together sets/series of images with detailed descriptions of the patient and the method of diagnosis. It is vitally important for organizations to implement procedures and policies that guarantee the safety of this data format, which is relatively large. The repository for DICOM data is usually a Picture Archiving and Communication System (PACS), which not only exists on a computer in your organization but is also accessible remotely from the cloud. This is why the HIPAA/HITECH laws were established.

HIPAA/HITECH refers to two separate laws: the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009. The two seek to encourage responsible use of technology in the healthcare industry while establishing regulations and measures that guarantee the security and safety of healthcare information. All entities in the healthcare sector, as well as companies or individuals that partner with them, are subject to the HIPAA/HITECH regulations. So, how can you ensure that your PACS is HIPAA & HITECH compliant?

Establish Internal and External Safeguards to Secure Medical Image Repositories

The first step to guaranteeing the safety and security of DICOM data in the PACS is to ensure that only personnel with appropriate credentials have access to this information. Individuals must present the necessary credentials and provide physical proof that they are who they purport to be before they are allowed to access the PACS.

Data Encryption and Use of VPNs

You can also protect protected health information (PHI) against unwarranted intrusion through the use of data encryption. It ensures that your data is safe even if unauthorized personnel manage to bypass the credential stage. Encryption can be applied to the data structure of the DICOM files, to the communication channels, or to the underlying data in individual files. A good example is RSA with SHA-256 (SHA-2), an excellent signing algorithm that is resistant to various attacks and strong enough to resist factoring. You can also use robust VPNs for your network to ensure that unauthorized persons don't infiltrate your internal communications and online activities.

Avoid Storing or Carrying Patient’s Information on Portable Devices

Although portable devices such as mobile phones, flash drives, CDs, and DVDs, among others, provide a convenient way to store and transport information, according to the Department of Health and Human Services they have been the leading cause of major HIPAA/HITECH health data breaches. Research indicates these breaches are mainly due to the loss or misplacement of portable devices that lack a strong user password, rights protection, or encryption. Therefore, it is critical that healthcare practices and their partners discourage the use of mobile devices. If they must be used, they should be restricted to the facility where they are utilized. Additionally, they should be fitted with biometric identification systems and strong encryption.

Educate Staff on Various Security Measures

While the organization may establish the most stringent measures to ensure that its PACS is HIPAA & HITECH compliant, if its staff don't have the right knowledge about data security, the stipulated rules will always prove futile. Employees should be trained on the various aspects of the organization that can enhance safety. These include how to create complex passwords, why they should avoid using unsecured Wi-Fi, and how to initiate device lockouts if unauthorized individuals try to access data repositories in their presence.

Archive and Backup Patient’s Data

Although keeping data repositories secure is critical, the HIPAA/HITECH regulations also demand that healthcare entities maintain DICOM backups to ensure that patients' information is readily available in case of a catastrophe, whether natural or human-induced. It is advisable to house your backup in a separate geographic location from the primary storage. It is also critical that organizations test the backups regularly to confirm their reliability and effectiveness.

While having a backup is sufficient to comply with the regulations, it can be a disaster when it comes to the recovery process. This is because the DICOM data format is voluminous and must be loaded onto a live PACS before it is accessible. Therefore, it is imperative that your organization mirrors patients' data and stores it on another PACS in another location. In the event of a disaster, your system can be redirected to the mirrored PACS and retrieve the data it needs in the shortest time possible.

Have Policies and Procedures that Guarantee Data Safety

These include things like:

–    Forcing logouts in non-secured locations

–    Demanding password changes every 30-90 days

–    Using software that only displays what you want to see

–    Ensuring that partners don't access any information beyond what they are allowed to

–    Updating your computer systems and policies to keep up with the latest technology and adhere to the latest standards

–    Devising ways for customers to ask questions or voice their complaints

–    Having a privacy officer

–    Keeping an attorney on retainer in case there is an issue that needs legal redress

–    Having a disclosure policy in case patients' data or information is tampered with

Sign a Business Associate Agreement (BAA) with Partners

When sourcing services from other entities and third-party vendors, you should ensure that they sign a Business Associate Agreement (BAA). It stipulates that the vendors are aware of, and will comply with, HIPAA/HITECH requirements.

Final Verdict

It is disturbing that in this day and age we are still talking about HIPAA/HITECH breaches when a significant portion of their root causes are preventable and avoidable. Although there are written policies and regulations that guarantee safety and protection, violations are still occurring, and now with greater severity and frequency. However, if your organization has adopted the measures discussed above, your PACS is HIPAA/HITECH compliant.