NIST Issues HIPAA Security Standards Guide

Washington Technology reports that the National Institute of Standards and Technology (NIST) has published a guide for meeting HIPAA security standards, set to go into effect April 21, 2005. Given the brief period before the law goes into effect, one would think this guide would be of little use. However, this study reports that as of a couple of months ago:

Nine percent of hospitals with 400 or more beds reported compliance with the security rule, compared with 18 percent of hospitals with fewer than 400 beds.

Most folks think of this as just an IT concern — it is not. The law refers to “electronic protected health information” (EPHI), i.e., patient-identifiable data of any kind. This extends beyond Social Security numbers, credit card numbers and lab results to include physiological parameters, vital signs and waveforms. Interestingly, while it defines EPHI, the NIST resource guide does not mention “medical devices” once. You can read more about medical device security here.

You can download the 137-page Resource Guide here.

UPDATE: The Centers for Medicare and Medicaid Services published HIPAA enforcement procedures in the Federal Register last Friday. The notice details how to file a complaint and the process CMS will use to pursue one. These procedures apply to the Security and Transaction and Code Set provisions, not to the privacy portion of HIPAA, which is covered under separate procedures established and managed by the Office for Civil Rights.

The Department of Health and Human Services (HHS) has released the third of seven planned guidance papers on the Security provisions. You can get the latest HIPAA guidance and enforcement info here.


Wireless Monitoring Outside the Hospital

I've mentioned before that reducing avoidable admissions can have an impact on patient flow. Here is a story about a new wireless monitoring system developed in Europe. This new system starts with a variety of wireless sensors that can be attached to the patient. The sensors communicate via a wireless link with a mobile phone — this represents the body-LAN or personal area network (PAN). The mobile phone transmits alerts to a provider via the wireless carrier's cellular network.

The new system, which is called BodyKom, connects wirelessly to sensors on the patient. If dangerous changes are detected in the patient's body, the hospital or health care services are automatically alerted over secure mobile network connections.

The unit receiving the alarm will also be informed of the geographic position of the patient through the use of GPS technology.

Still vaporware, the concept will be tested this spring. The carrier, TeliaSonera, plans to sell to hospitals. The initial parameter to be measured is heart rate, with additional parameters to follow that will target diabetes, asthma, “and other diseases which may require timely interventions.” Two key benefits are touted: patient safety/quality of life, and more rapid hospital discharges to free up hospital beds.

The broad technology required for these types of products is almost available “off-the-shelf.” All wireless carriers offer secure communications. Mobile phones with Bluetooth (to talk to the sensors) and Java programmability have been on the market for a couple of years. Qualcomm has a provisioning system that medical device vendors or disease management firms can use to manage the service. (If I recall, Sprint is the only carrier presently supporting this capability.) The technology gap is in the wireless sensors. Fortunately, lots of people are working on solutions.
