Beaverlog Tips: Volume 30 - January 6, 2006

2006 Codes Module Now Available

The Codes Module has been updated for the new, changed, and removed, 2006 procedure and diagnosis codes. The procedure codes also have the updated RVU (Relative Value Units) from the federal government.

If you have not purchased the Codes Module, you can get it for $100 from customer service at (800) 895-3344. If you purchased the Codes Module for an earlier year, you can update to the current codes for $60. If your purchase was on or after October 1, 2005, you will receive the update at no charge. If the purchase was on or after July 1, 2005, it's half price, $30, if you order in January; after January 31, the price is $60. You can download the new Codes Module from http://www.beaverlog.com/therapist/download/CodeSetup.exe or you can call customer service and order it on a CD for an additional $10 shipping and handling.


The THERAPIST and HIPAA Security Rule

Beaverlog Tips Volume 28 addressed security in The THERAPIST and Volume 29 included a follow-up. This article describes how The THERAPIST addresses certain security issues covered by the HIPAA Security Rule. The actual document is titled Health Insurance Reform: Security Standards; Final Rule and is worth reading, though it contains a lot of tedious legalese over many pages of fine print. There is a link to the document at the bottom of this article. These standards are required of covered entities. Covered entities are defined at some length in the HIPAA regulations, but the term basically means you, the others in your office, subcontractors, business associates (such as your insurance payers and Beaver Creek Software), and anyone else who may come into contact with Protected Health Information (PHI).

The security standards are broken down into several standards. The first, and the primary one addressed by The THERAPIST, is Access Control.

Access Control

The Security Rule defines access as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.” Access Control, therefore, is the capability to control access to electronic PHI. This includes controlling which users are authorized to access, change, or use PHI in performing the activities their jobs require. Specifically, the rule states that covered entities must: “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.”

The Security Rule does not specify access control methods or technology, only that it must be appropriate to how the PHI is used.

There are four implementation specifications for Access Control. Each is either required or addressable. If a specification is required, covered entities must implement policies and/or procedures that meet the specification requirements. Addressable specifications require covered entities to assess whether the safeguard is reasonable and appropriate in the entity’s environment. If the covered entity chooses not to implement an addressable specification, it must document the reason and, if reasonable and appropriate, implement an equivalent alternative measure.

Unique User Identification

“Assign a unique name and/or number for identifying and tracking user identity.”

This is a required implementation specification and is an easy one for The THERAPIST. Every time you open the program, you have to log in with a specific user name. What is important is that you also enable passwords so that someone else cannot log in as you! This is simple; just go to Setup > Security > Options and check the box for "Require login passwords". While you are there, make sure that "Use individual user security rights assignments" is also checked.

Emergency Access Procedure

“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”

This is another required implementation specification. It is up to you, the covered entity, to determine what constitutes an emergency, but emergencies usually include such things as power outages, natural disasters, crashed computers, etc. Additionally, you must decide who needs access to PHI and ensure that the appropriate people understand the procedures for accessing the data in the event of an emergency.

Automatic Logoff

“Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

Automatic logoff is an addressable specification and as such you have to either implement it, explain why you cannot implement it, or implement an equivalent alternative. Of course, in an ideal world, the best way to address the issue is for each user to close The THERAPIST when they leave their computer. In the real world, this is impractical. The THERAPIST can handle this one for you with a couple of settings. Go to Settings > Preferences > Program Preferences. On the General tab in Pro and the Settings tab in EZ, look for the check box labeled "Close program after a period of inactivity" and make sure it is checked. Then, in the entry for the number of minutes of inactivity before shutdown, enter a value between 1 and 120 minutes.
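As an added illustration of the inactivity shutdown described above (example code written for this article, not part of The THERAPIST), the following Python class implements the same idea: an idle timer that is reset by user activity, a polled check that closes the session once the timeout elapses, and the same 1 to 120 minute range as the program's setting. The injectable clock is an assumption made for testing; a real program would call activity() from its keyboard and mouse event handlers.

```python
"""Inactivity timeout monitor: an added illustration of a "close program after a
period of inactivity" control, not code from The THERAPIST. The 1-120 minute
range mirrors the setting described in the article; the clock is injectable
(an assumption for testing) so the behaviour can be exercised without waiting."""
import time

MIN_MINUTES, MAX_MINUTES = 1, 120


class IdleSessionMonitor:
    def __init__(self, timeout_minutes, clock=time.monotonic):
        # Reject values outside the range the program itself accepts.
        if not MIN_MINUTES <= timeout_minutes <= MAX_MINUTES:
            raise ValueError(
                f"timeout must be between {MIN_MINUTES} and {MAX_MINUTES} minutes")
        self.timeout_seconds = timeout_minutes * 60
        self._clock = clock
        self.last_activity = clock()
        self.closed = False

    def activity(self):
        """Call on any keyboard, mouse or record activity; resets the idle timer."""
        if not self.closed:
            self.last_activity = self._clock()

    def idle_seconds(self):
        return self._clock() - self.last_activity

    def check(self):
        """Poll this from a timer; returns True once the session should be closed."""
        if not self.closed and self.idle_seconds() >= self.timeout_seconds:
            self.closed = True  # the program would save state and return to login here
        return self.closed

    def seconds_remaining(self):
        return max(0.0, self.timeout_seconds - self.idle_seconds())


if __name__ == "__main__":
    # Stand-alone run with a simulated clock: 5-minute timeout, 6 minutes idle.
    now = [0.0]
    monitor = IdleSessionMonitor(5, clock=lambda: now[0])
    now[0] = 360
    print("session closed:", monitor.check())
```

Polling check() once a minute is enough for a minute-granularity setting; the remaining-time value lets a program warn the user shortly before closing.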

Windows NT, 2000, and XP as well as some screen savers can password lock the computer after a period of inactivity. On Windows 95, 98, and ME, this is of limited value since the computer can be restarted and the passwords on these operating systems are not meant for security.

An office policy or procedure that addresses the issue should also include having users close windows containing PHI, especially when the computer is not in a secure location.

Encryption and Decryption

“Implement a mechanism to encrypt and decrypt electronic protected health information.”

In Volume 28 of Beaverlog Tips, it was mentioned that The THERAPIST does not encrypt its data files. Volume 29 included a tip from Dr. Paul Brinich on how to set up Windows XP to encrypt the contents of a folder. In the article, we neglected to mention that you must have administrator access rights in Windows XP in order to encrypt a folder. This fault was ours, not Dr. Brinich's.

Additional user access control uses the login password mechanism built into your computer's hardware and into Windows NT, 2000, and XP. Hardware passwords will prevent all access to your computer without the password. Windows passwords control what programs can be run and what data folders can be accessed.

NOTE: The login password in Windows 95, 98, and ME has no security functionality and only prevents others from changing your screen options such as colors, fonts, and wallpaper.

Audit Controls

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

This mandatory standard has no implementation specification; the above sentence is the entire standard. The THERAPIST EZ has no audit capability. The THERAPIST Pro includes this ability, but before version 2.5 it was included only with the Power Options add-on. With this feature, The THERAPIST Pro tracks who makes changes to critical patient and transaction records.

The questions and answers section of the final rule document recommends no particular mechanism for addressing this requirement. Indeed, it is so broadly described that having regular backups would qualify.
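Neither the rule nor the article says how an audit trail should be stored, so here is an added example, not The THERAPIST's own audit mechanism, of the kind of record the Pro audit feature is described as keeping (who changed which patient or transaction record, when, and what the old and new values were), with each entry chained to the previous one by a SHA-256 hash so that later edits or deletions of entries can be detected when the trail is examined. The record fields, user names and values are constructed.

```python
"""Tamper-evident audit trail: an added example of recording who changed which
patient or transaction record. Each entry is chained to the previous one by a
SHA-256 hash, so altering or removing an earlier entry breaks the chain.
Illustrative code only, not The THERAPIST's audit feature."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash, entry):
    # Canonical JSON so the same entry always hashes the same way.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, user, action, record_type, record_id, field, old, new, when=None):
        """Append one change; returns the entry's hash (the new chain head)."""
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {"ts": when, "user": user, "action": action,
                 "record": f"{record_type}:{record_id}", "field": field,
                 "old": old, "new": new}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry["hash"] = _entry_hash(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; returns (ok, index of first bad entry or -1)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if _entry_hash(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1

    def changes_by(self, user):
        """The 'examine activity' half of the standard: all changes by one user."""
        return [e for e in self.entries if e["user"] == user]


if __name__ == "__main__":
    log = AuditLog()  # constructed sample entries
    log.record("alice", "update", "patient", 1042, "phone", "555-0100", "555-0199")
    log.record("bob", "update", "transaction", 77, "amount", "120.00", "12.00")
    print("chain intact:", log.verify())
    print("changes by bob:", log.changes_by("bob"))
```

The chain only proves that nothing was altered after the most recent entry whose hash you have kept somewhere else, so the current chain head should be copied into the backup log or printed with each day's closing report.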

Integrity

“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

The Security Rule defines Integrity as “the property that data or information have not been altered or destroyed in an unauthorized manner.” PHI can be compromised through human activity and non-human factors such as hard disk failures. The standard has one addressable implementation specification.

Mechanism to Authenticate Electronic Protected Health Information

“Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”

This specification is addressed by regular backups. The final rule document describes a situation for small offices where the issue is addressed by making paper copies of the data when an electronic copy is not practical. Regular backups are both fast and simple. Since it is possible that data corruption can occur and remain undetected for some time, a series of backups may all contain corrupted data. Beaver Creek Software is called on from time to time to recover or reconstruct damaged or missing data. The Security Rule as well as the Privacy Rule address this need through the use of a contract between the primary covered entity, you, and a business associate which becomes a subsidiary covered entity by use of the Business Associate Agreement, available for download by clicking the link.
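Regular backups only help if the copy being restored is good. The following added example (not a Beaver Creek Software tool) shows a simple mechanism to corroborate that data files have not been altered: a manifest of SHA-256 hashes is written next to each backup, and a later check reports which files were modified, removed, or added since the manifest was made, so silent corruption is noticed before it is carried into the next backup. The demo() function builds a few constructed sample files in a temporary folder, corrupts one byte, and returns the report; the file names are invented.

```python
"""Backup integrity manifest: an added example (not a Beaver Creek Software
tool) of detecting silent corruption of data files between backups. A manifest
of SHA-256 hashes is written beside a backup; verifying against it reports
modified, missing and added files. Sample files and names are constructed."""
import hashlib
import json
import os
import tempfile


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(folder):
    """Map relative path -> SHA-256 for every file under folder."""
    manifest = {}
    for root, _dirs, files in os.walk(folder):
        for name in sorted(files):
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, folder)] = file_sha256(full)
    return manifest


def write_manifest(folder, manifest_path):
    # Keep the manifest outside the folder so it does not hash itself.
    with open(manifest_path, "w") as f:
        json.dump(build_manifest(folder), f, indent=2, sort_keys=True)


def verify_manifest(folder, manifest_path):
    """Return {'modified': [...], 'missing': [...], 'added': [...]} relative paths."""
    with open(manifest_path) as f:
        expected = json.load(f)
    actual = build_manifest(folder)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "added": sorted(p for p in actual if p not in expected),
    }


def demo():
    """Constructed scenario: back up two sample files, then corrupt one byte of
    one file, delete the other and add a third; return (clean, damaged) reports."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "data")
        os.makedirs(data)
        samples = {"patients.dat": b"constructed patient table",
                   "charges.dat": b"constructed charge records"}
        for name, content in samples.items():
            with open(os.path.join(data, name), "wb") as f:
                f.write(content)
        manifest = os.path.join(tmp, "backup-manifest.json")
        write_manifest(data, manifest)
        clean = verify_manifest(data, manifest)
        # Silent corruption: a single byte changes with no record of an edit.
        with open(os.path.join(data, "charges.dat"), "r+b") as f:
            f.seek(4)
            f.write(b"\x00")
        os.remove(os.path.join(data, "patients.dat"))
        with open(os.path.join(data, "notes.dat"), "wb") as f:
            f.write(b"constructed new file")
        return clean, verify_manifest(data, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("before:", json.dumps(before))
    print("after: ", json.dumps(after))
```

Run the check against each new backup before the oldest good backup is overwritten; a file that the application never reported changing but whose hash differs is the case the article warns about.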

Person or Entity Authentication

“Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

This is fully addressed by login with passwords in The THERAPIST. See the paragraph on Unique User Identification above for how to enable login passwords.

Transmission Security

“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

This standard concerns transmission of PHI over a network. While the question and answer section of the final rule document focuses almost exclusively on actively transmitting data, such as electronic health care claims, over a communications network, the actual text of the rule is not so limited. As written, the rule would also apply to operating a program such as The THERAPIST over a network where the data is pulled from one computer to another in the normal course of using the program.

The THERAPIST has little involvement in the active transmission of PHI over a network, and then only with respect to electronic claims. The THERAPIST does not itself transmit claims; it creates an electronic file on your computer and it is up to the receiver of those claims to determine how they must be transmitted. The capability exists in The THERAPIST Pro, but not in EZ, to compress the electronic claim files it creates in a ZIP format and, optionally, to encrypt the compressed file using a password you determine. If you are using The THERAPIST EZ, you can use freely available tools, including those built into Windows XP, to compress and encrypt your claim files directly. Of course, this compression/encryption only works if the receiving party agrees to it and has the same password. In any case, the encryption provided by the ZIP format is not considered secure as there are instructions available on the internet on how to break it.

None of this eliminates your responsibility to ensure that the transmission is secure, but it does mean that it is an issue outside the control of The THERAPIST. Therefore this topic will concern itself only with operating The THERAPIST over a network.

There are two scenarios to consider when using The THERAPIST on a network. The first and most common is what is known as a Local Area Network or LAN. This usually means a physical network connecting computers within a single building. This can be either a wired or wireless network.

A wired network is fairly easy to keep secured since an outsider would have to gain physical access to the network to view or alter PHI. This is not true of wireless networks where the potential exists for anyone with a wireless network card within a block of your building to log into your network and access all of your data. Wireless networks can be secured but are often not protected by default when they are installed.

There are two implementation specifications for this standard and both are addressable.

Integrity Controls

“Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

The nature of modern networks, both wired and wireless, is that the network hardware and software ensure that the data sent from one computer is not altered or corrupted in transit. Data is sent in packets that include mechanisms to verify that the data has not changed en route. If a problem is found in a packet, it is discarded and the packet is resent by the originating computer.
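To make concrete what the packet-level check described above does and does not detect, here is an added example (not code from the page or from The THERAPIST) implementing the RFC 1071 ones'-complement checksum carried in IP, TCP and UDP headers, alongside an HMAC-SHA256 tag over the same payload. The checksum catches a flipped bit in transit and the receiver discards the packet, exactly as the paragraph describes; because the checksum is unkeyed it cannot distinguish a deliberately changed record from a legitimate one, which is what the keyed tag adds when the standard's "improperly modified" wording matters. The payload and key are constructed sample values.

```python
"""Transmission integrity checks: an added illustration, not code from the page
or from The THERAPIST. internet_checksum() is the RFC 1071 ones'-complement
checksum used by IP/TCP/UDP; mac_tag() is a keyed HMAC-SHA256 over the same
payload. Payload and key values are constructed samples."""
import hashlib
import hmac


def internet_checksum(data: bytes) -> int:
    """RFC 1071: ones'-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length buffer
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def frame(payload: bytes) -> bytes:
    """Prepend the checksum, as a packet header carries it."""
    return internet_checksum(payload).to_bytes(2, "big") + payload


def receive(packet: bytes):
    """Return the payload if the checksum validates, else None (packet discarded)."""
    expected = int.from_bytes(packet[:2], "big")
    payload = packet[2:]
    return payload if internet_checksum(payload) == expected else None


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Simulate a single-bit transmission error in a packet."""
    buf = bytearray(data)
    buf[index] ^= 1 << bit
    return bytes(buf)


def mac_tag(key: bytes, payload: bytes) -> bytes:
    """Keyed integrity tag: only holders of the shared key can produce a valid one."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_tag(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, payload), tag)


if __name__ == "__main__":
    record = b"CLAIM|patient=1042|charge=120.00"  # constructed sample record
    key = b"constructed-shared-key"
    packet = frame(record)
    print("intact packet accepted:", receive(packet) == record)
    print("bit-flipped packet discarded:", receive(flip_bit(packet, 10, 3)) is None)
    tag = mac_tag(key, record)
    print("tag on altered record verifies:",
          verify_tag(key, record.replace(b"120.00", b"12.00"), tag))
```

The RFC 1071 test vector (bytes 00 01 f2 03 f4 f5 f6 f7 giving checksum 0x220d) is a handy way to confirm the checksum routine itself before trusting it on real data.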

Encryption

“Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”

Data packets transmitted across a network are not encrypted. While that can appear as a gap in the ability to protect access to PHI, in practice the data packets can be seen as the pieces of a paper document after it has gone through a shredder. Yes, the information on each piece of paper can be read, but it would take considerable time and effort to put it back together and obtain any useful information.

With regard to encryption of electronic claim files, this can be accomplished by using proprietary communications software provided by the claim receiver or by your internet browser if you are uploading the claim files to a secure web site. The latter uses strong encryption to protect your data, and even President Bush and the NSA would have a hard time reading it.

In Summary

There are additional parts of the Security Rule that describe organizational issues and your office policies and procedures. The THERAPIST is designed to help you comply with those parts of the rule concerned with electronic PHI.

The complete text of the final Security Rule can be found on the CMS web site at http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf. A more readable summary in only 17 pages as well as other related materials can be found at http://new.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp. The summary is titled "securitytech" and is an Adobe Acrobat document.