|
By Charles Rathmann, 01/17/05
By Charles Rathmann
With the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) now in place, hospitals and other health care providers are looking to internal and external legal and technology sources to ensure compliance with the sweeping regulation. The regulation was designed to improve the portability of health insurance coverage using national standards for electronic data interchange for financial transactions. But HIPAA also mandates strict standards for ensuring the privacy, confidentiality and security of health care information, and ensuring that information regarding a patient's treatment is not shared with third parties without written consent. These portions of HIPAA are driving a growth industry in specialized legal and IT consulting.
Back in 2002, HIPAA was a glimmer on the mind of Dan Patrinos, Web manager for the Medical College of Wisconsin (Milwaukee, WI; MCW). It was then Patrinos formed an internal Web Council to coordinate and plan the 100 or more departmental and other Web pages operated for MCW. HIPAA regulations affected the effort because MCW physicians serve at affiliate institutions, including Froedtert Hospital, Children's Hospital of Wisconsin and the Clement J. Zablocki VA Medical Center, which are also based in the Milwaukee area. As the Web Council and Northwoods Software Inc. (Brown Deer, WI) implemented a Content Management System (CMS) to impose order on the divergent Web presences, they developed a HIPAA-related tool that will likely be duplicated at health care institutions around the country.
"If we have a patient our physicians have treated and we would like to use thepatient's picture, we ask them to sign a photo release," Patrinos said. "Under our consent form, the patient can say ?yes you can use my picture.' But the patient also has the option to limit use of that image to, say, six months or a year, and then demand that the image be removed from the website. So, if we have numerous patient images, each with a different limit of use, how do you manage that?"
This is a question that, according to legal experts, most hospital and health care organizations have not yet asked themselves. "As things move forward, there will be more and more interest in this type of thing," Lawrence Hughes, director of medical relations for the American Hospital Association (Chicago, IL), said. "The unique situation of the Medical College likely led to their addressing this issue earlier than most health care entities."
"I have not seen those type of systems being rolled out yet, but what the Medical College is doing is what providers should be doing -- figuring out a way to get a handle on how to manage this from a time and cost standpoint," said Colleen Patzer, a member of the Health Care Practice Group at the law firm Michael Best & Friedrich (Milwaukee, WI). "I have definitely seen clients being concerned with this with regard to written promotions and in executing consent to take the photo and use the photo for purposes of promotion."
Patzer and Hughes stressed that the nature of expiration requirements contained in the HIPAA regulation are complex. The two were at odds over whether images needed to expire on a specific date.
"The authorization itself can be very general in that it can be triggered by an event," Hughes said. "It does not have to be a specific date like Saturday, Sept. 30."
"I think they extend for a period of time because that is one of the requirements of HIPAA ? to have a time period," Patzer said.
Regardless, both said similar image management systems are likely to be implemented elsewhere as provider organizations work towards compliance.
"I think it is an excellent idea," Patzer said. "It is definitely forward thinking. I have not been involved with other entities that have been at that point in the process."
"Out of necessity and operational-wise, you want to be as efficient as you can," Hughes said. "The systems hospitals use will evolve."
DATABASE-DRIVEN
"Creating an expiration date function on this vast of a website with this many images would be impossible without a robust database-driven Content Management System," said Northwoods Managing Director Rick Fessenbecker. Northwoods has developed its CMS based on standard technology in an open system. This flexible framework has been deployed for a variety of clients and is currently managing hundreds of websites.
Within this platform, Northwoods offers functionality found in high-end systems. As new modules and levels of functionality are developed for specific clients, they become available for other users of the Northwoods CMS. Regardless of the CMS platform employed, Northwoods Managing Director John Piechowski said the critical element in a HIPAA-compliant Web image management tool is a robust database platform that allows for intelligent management of images.
"All of image management data is kept in Microsoft SQL 2000 along with the rest of their CMS data," Piechowski said. "The image files themselves are not in SQL-- but all of the information about them is in SQL. It may be possible to develop an application like this in a less robust database. It depends largely on what your infrastructure looks like today. If you are already managing your infrastructure with SQL, it is easier than if you just have a static site sitting out there in HTML."
According to Piechowski, the expiration function for images was not part of the original scope of services in redeveloping MCW's site. Only after the CMS was in place did Patrinos and Piechowski begin discussing ways to manage images for general site management.
"HIPAA was a concern, but we have a lot of non-patient photos on the site as well," Patrinos said. "Let's say we have a physician who is retiring or a student who is graduating. We want to be able to automate the process of removing and updating those images."
"The first thing we did was to have a brainstorming session to help us understand all the pieces of what we needed," Piechowski said. "It was during the brainstorming session that we uncovered all the different requirements. We needed to search and categorize photos -- and expiration was very important. We wanted to be able to report and search based on expiration, and effectively manage pages with the images."
HANDS-ON APPROACH
Once a photo or other image expires, it would have been possible to replace it with another image automatically, but Patrinos and his team chose to simply have the CMS alert them so they could take action on a case-by-case basis.
"We asked if they would like to take the page offline or even replace the image, but in the end they opted for manual management," Piechowski said. "We accomplished the desired level of functionality by adding an enhancement to our existing file manager, adding search capabilities. When a user uploads a file to our CMS, the file manager senses what type of file it is. You are prompted to categorize the file by content and type -- is it a portrait, a logo, a map -- what is it? You can also enter keywords."
While some of the information is optional, Piechowski said the expiration date is not. "We put a validation in there to force them to enter expiration information. We won't let them by without setting a date. Everything except keywords is required. A number of days before an image expires, we will generate an e-mail to the MCW Webmaster telling them about the expiring image and what documents have that image in them. At that point, they can go ahead and edit that file."
Expiring images can be managed proactively by MCW staff as well. "In their reporting system, they can view all images that are going to expire before January of 2005," Piechowski said. "We will then give them a list of all the images, where they are located and links to all of the pages where the image is used so they can see it in context."
Copyright © 2005 All rights reserved.
Cygnus Interactive, a Division of Cygnus Business Media. Publishing |