AMC/HIPAA Workgroup
Purpose
These Guidelines provide a tool for developing policies, procedures, and best practices to assist
AMCs in efficiently and economically addressing the HIPAA security and privacy regulations.
They reference specific HIPAA regulations, provide interpretation, and make recommendations
for implementation and maintenance within healthcare organizations.
Scope
The intent of the workshop series was to provide guidance, within the context of the HIPAA
regulations, in the development of security and privacy policies and procedures that support all
activities of complex academic medical center environments. Depending on organizational
structure, this may include healthcare, research, teaching, learning, administration, and
associated interactions with external entities.
The results of these workshops will assist like-minded organizations in developing more efficient
and inclusive ways of implementing health care security and privacy arrangements. It is
intended that these guidelines be considered for adoption by relevant bodies beyond the covered
entities themselves. WEDI, as part of its role in advising HHS in matters related to HIPAA,
participated in the workshops and will take the final publication into consideration. The
combined talent and experience of the workshop participants has permitted the development of
a concise set of guidelines consistent with these purposes.
These guidelines recommend health information security and privacy mechanisms and strategies
for operational implementation of the HIPAA requirements. The recommended strategies are
intended to facilitate cultural change by building upon existing best practice, and are based upon
our common understanding of teaching hospital and medical school processes. This
collaborative effort also identifies implementation barriers that must be overcome, in addition to
benefits or incentives that may be leveraged to deploy adequate resources within teaching
hospitals and medical schools.
This document does not provide legal advice. Covered entities must work with their own legal
counsel to address appropriate institutional requirements. This document can provide
information to legal staff tasked with understanding the implications of the HIPAA regulation on
their organization. It may also serve as an aid to understanding the legal actions
needed to address accreditation requirements, as well as federal and state legislation, since HIPAA
has an impact on many aspects of the organization.

In addition, this document may be of value to other segments of the healthcare industry,
particularly consultants, payor organizations, general practitioners, group practices, suppliers,
financial organizations, and other organizations that regularly interact with teaching hospitals
and medical schools. Understanding the implications of the HIPAA regulations on AMCs will
be important to many aspects of the healthcare industry.
Background
Guidelines for Academic Medical Centers on Security and Privacy was developed through a
series of monthly workshops involving the collaborative effort of several major academic and
healthcare related organizations. Several leading teaching hospitals and medical schools had
already developed individual security and privacy policies, as well as strategies to address the
impending HIPAA regulations. No process existed, however, to facilitate the benchmarking of
good practices, policies, and procedures among institutions. Academic Medical Centers needed
to join together and identify consistent approaches to reasonable HIPAA compliance. Teaching
hospitals and medical schools indicated their willingness and commitment to participate in this
process by responding to a Request for Information (RFI) developed by the steering
committee for this activity.
Information was gathered on current security and privacy practices via responses to the RFI.
This information, in addition to the HIPAA regulation, served as the basis for the initial draft.
Finally, individuals with substantial expertise were identified and asked to contribute to the
effort.
In addition to the teaching hospitals and medical schools, a number of industry organizations
joined the group. A series of workshops was identified as the best mechanism to create model
information practices and security guidelines, with a final document (this document) to
communicate the group's recommendations.
The workshops were held from Fall 2000 to Spring 2001. On December 20, 2000, the
Department of Health and Human Services Privacy Regulations were released. When the group
first met and planned its workshops, it was impossible to determine when the draft privacy
regulation would be made final, and how the final regulation might differ from the draft. Shortly
before the fourth workshop, the final privacy regulation was issued. The group opted to hold an
additional session to address any modifications to the guidelines as a result of the final privacy
regulation.
Acknowledgements
This guideline document is the result of the work of many individuals: those who participated in the
workshops and others who helped to facilitate the process that made this document possible. A
group with diverse expertise in security and privacy found its way through a consensus-based
process to produce these guidelines. Each participant in the workshops is commended for their
tireless devotion of time and enthusiasm.

Special thanks are due to the organizations that hosted the workshops: Kaiser Permanente, Duke
University, Texas A&M University, the National Library of Medicine, and the University of
Michigan. To all the individuals who coordinated the workshop logistics at each of the host
organizations, the participants in the workshops extend a thank you for creating extremely
productive working environments for this activity.
Thanks to the numerous individuals at each of the participating organizations who provided
input and content, kept the workshop participants on track, and helped
members put their ideas and analyses into coherent prose. The workgroup is further
indebted to early reviewers of the draft guideline document. Their thoughtful comments and
criticisms challenged members to strengthen and refine the guidelines.
Mike Ackerman, assistant director of the High Performance Computing Center at the NLM,
understood the need for this group to assemble. His support, dedication, and understanding
made this report a reality. Thanks to Morgan Passiment and the AAMC staff who provided
much time and attention to facilitating the production of the guidelines. Thanks also to Jim
Schuping at WEDI for help in getting the first set of interested parties together.
This guideline document is far more readable thanks to the efforts of Joseph Saul of
Communications Technology Consultancy, a security and privacy policy expert, who edited the
final version. Special thanks are due to Mike Davis for editorial leadership that kept everyone
organized and ensured that all input was incorporated into the final guidelines. Thanks are also
due to Bob Blakley, OMG, for his dedication to improving security and privacy practices. Bob's
enthusiasm, quick wit, and expert technical facilitation kept things on track, allowing discussions
to unfold when appropriate, and shutting us down when we needed to stop. Finally, Mary Kratz
and the Internet2 staff deserve praise for the great resources that they brought to this project.
The workgroup hopes that this guideline document will assist others in the healthcare industry
struggling with practical strategies for dealing with security and privacy issues and HIPAA
compliance.
Workshop Participants (alphabetical order by organization)
Duke University Health System
Dave Kirby*
Director of the Information Security Office
919-272-1157
Kirby001@mc.duke.edu
Duke University Health System
Lawrence H. Muhlbaier
Assistant Research Professor
Lawrence.muhlbaier@duke.edu
Emory University
Ron Palmich
404-727-4350
ron_palmich@emory.org
Johns Hopkins Medical Institutions
Bob Miller*
Department of Pathology
410-955-5429
rmiller@jhmi.edu
Johns Hopkins Medical
Bill Rider*
brider@jhmi.edu
Kaiser Permanente
Ted Cooper*
510-267-5659
ted.cooper@kp.org
Mayo Clinic
Lee Olson*
Information Security Officer
507-284-0594
olson.lee@mayo.edu
Oregon Health Sciences University
Jere Retzer*
Portland Research and Education Network
Chair
Internet2 Health Sciences Security Lead
503-494-3720
retzerj@ohsu.edu
Osaka Medical College
Ryuichi Yamamoto
Associate Professor, Division of Medical Informatics
+81-726-83-1221(x2265/2888)
yamamoto@art.osaka-med.ac.jp

Texas A&M University System Health Science Center
Larry Flournoy
Interim Chief Information Officer
713-677-7434
flournoy@isc.tamu.edu
Texas A&M University
Michael W. Buckley
Director, Compliance and Administration
Office of the Vice President of Research
979-845-8585
mwbuckley@tamu.edu
Tufts School of Medicine
David Damassa
617-636-6603
david.damassa@tufts.edu
University of Alabama at Birmingham
Mike Waldrum*
mwaldrum@uabmc.edu
University of Arizona Medical Center
Patti Redding
HIPAA Compliance and Information Security
520-694-4760
predding@umcaz.edu
University of Michigan Health System
Leslie H. Kamil
Deputy Compliance Officer and Privacy Officer
734-615-4400
lkamil@med.umich.edu
University of Pennsylvania
Mary Alice Annecharico
Executive Director, Information Services
215-898-9755
mannecha@mail.upenn.edu
University of Tennessee Health Science Center
Jack Buchanan
Acting Director, School of Biomedical Engineering
Internet2 Medical Middleware Lead
Jbuchanan@utmem.edu
North Carolina Healthcare Information and Communications Alliance, Inc.
W. Holt Anderson
Executive Director
919-558-9258
holt@nchica.org
UT Southwestern Medical Center
Valerie D. Meyer
Information Resources
214-648-1718
Valerie.meyer@utsouthwestern.edu
Veterans Health Administration
Mike Davis (SAIC)*
VHA Security Architect
mikedatsd@home.com
Yale University School of Medicine
Stephen Rimar, MD
Medical Director, Yale Medical Group
stephen.rimar@yale.edu
Sponsoring Organizations
Association of American Medical Colleges
Morgan Passiment*
Staff Associate
202-828-0476
mpassiment@aamc.org
The AAMC (Association of American Medical Colleges) Group on
Information Resources has identified a need for collaboration in policy
development among academic medical centers and agreed to
participate in the development of this policy framework as a key
component of its program to support the HIPAA implementation
activities of its members.
Internet 2
Mary Kratz*
Health Science Initiatives
734-352-7004
mkratz@internet2.edu
These guidelines serve as a basis for Internet2 Medical Middleware
requirements, ultimately folding into the larger fabric of advanced
services in the emerging common campus middleware infrastructure.
National Library of Medicine
Michael J. Ackerman, PhD*
Assistant Director
301-402-4100
ackerman@nlm.nih.gov
National Library of Medicine
Carol Haberman*
301-435-3267
carol_b_haberman@nih.gov
The National Library of Medicine (NLM) views its support for this
workshop as part of its mission with the teaching hospital and medical
school community.
<www.nlm.nih.gov>
Object Management Group
Bob Blakley*
Chief Scientist for Security, Tivoli Systems Incorporated
512-458-4037
blakley@tivoli.com
The OMG's charter includes the establishment of industry guidelines
and specifications to provide a common framework for application
development that supports a heterogeneous computing environment
across all major hardware platforms and operating systems.
Supporting Organizations
CPRI-HOST
Pat Wise*
Executive Director
pat@digitalwise.com
North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA)
Holt Anderson
919-558-9258
holt@nchica.org
Health Care Financing Administration
Barbara Clark
410-786-9937
bclark@hcfa.gov
Healthcare Computing Strategies, Inc.
John Parmigiani
Practice Director, Compliance Programs
410-750-2060
jcparmigiani@hcs-is.com
Southeastern University Research Association (SURA)
Sue Fratkin*
202-408-7872
sue@sura.org
Workgroup on Electronic Data Interchange (WEDI)
Jim Schuping*
Executive Vice President
703-391-2716
schups@aol.com
* Denotes members of the Steering Committee
Updates and Errata
For updates and errata, check the www.amc-hipaa.org website.