Security Guard

Dick Thompson refers to the Health Insurance Portability and Accountability Act of 1996 as “Heinz HIPAA.” Spelling out data security requirements for patient-identifiable information, the federal health privacy law is subject to wide interpretation. “There are 57 varieties,” says Thompson, the executive director of the Quality Health Network, a regional health information organization based in Grand Junction, Colo. Last October, the RHIO began data sharing among local physicians, issuing lab, radiology and dictated reports in a collaborative effort supported by two local hospitals, an independent practice association, and a health plan.

Quality Health Network hopes to improve care by facilitating the flow of patient data among the area’s 300-plus physicians. But before QHN could activate its data exchange, its members had to agree on privacy and security principles that not only upheld HIPAA, but also respected differing community priorities, Thompson says. It was an arduous, time-consuming task that has been the group’s most difficult challenge, he says. “The debate ranged from the purely legalistic to the purely pragmatic. Physicians want no boundaries. If you’re caring for a patient, you need to see what’s in their record. You need to strike a balance between protecting privacy and providing care.”

QHN opted for a role-based access model, letting individual physician practices determine which staff members are authorized to see which data. “In a 30-physician practice, the receptionist does not need direct access to patient information,” Thompson says. “In a solo practice, they do.” In QHN’s system, notification of lab results are pushed to a physician’s electronic inbox. Using a password and an identifier, the physician then logs on to a secure Web site to retrieve the results. Prior to enrollment, physicians and their staff must complete training that spells out HIPAA privacy rules.

QHN’s data exchange runs on software from Mountain View, Calif.-based Axolotl Corp. The software maintains an audit trail of every transaction, including who logged into the system and when. Another security feature is the software’s master patient index, which matches records to the appropriate individual based on date of birth, medical record number, patient and physician name and other factors. Although physicians can only see results for their patients, they can forward the information to consulting physicians enrolled in the project.

Although he’s confident in the technology’s security features, says Thompson no system is foolproof. “The biggest security threat comes from people who are authenticated to use the system but who do not obey the basic HIPAA law. They could look for the record of a friend or relative. There is not much we can do about that. We can only react afterwards and tell a violator they will never work in healthcare again.”

—Gary Baldwin