Columbia University Medical Center
In Vivo - The Newsletter of Columbia University Medical Center

HIPAA Update

CUMC Goes Above & Beyond to Protect Privacy

The absence of patient complaints reflects the success of the HIPAA training that Jeffrey Davis and his assistant, Irina Mera, have provided to virtually the entire workforce.

By now, two years after its inauguration by the federal government, a law with the unusual acronym – HIPAA, which stands for the Health Insurance Portability and Accountability Act – has become ingrained in the lexicon of the health care community. Implementing this patient privacy law is not for the faint of heart, but the team that has been working in the HIPAA trenches for close to three years has actually ratcheted up the level of compliance from what is expected by the letter of the law.

One of the rights assured under HIPAA is that patients who believe their health information is not being adequately protected can file a complaint with an institution's privacy office – or, go straight to the U.S. government.

"Since HIPAA's inception some 9,000 privacy-related complaints have been filed with the federal government by patients around the country, but none have come from CUMC patients," says Jeffrey Davis, J.D. "Some complaints have been made directly to CUMC, but so far our administration has been able to resolve problems by meeting with the patients to explain and rectify mistakes or misunderstandings."

Enhanced IT Security

In the next, and final, phase of HIPAA compliance, protection of electronic patient health information on all computer servers or applications must be put in place by April 2005. Soumitra Sengupta, Ph.D., security officer for CUMC and NYPH and assistant clinical professor of biomedical informatics, is charged with implementing widespread administrative, technical and physical security measures designed to protect the use and transmission of electronic health information.

More than 8,400 people at CUMC received HIPAA training over the past two years.

"There can be no privacy without security," Mr. Davis says. "Dr. Sengupta is working on encrypting patient e-mails containing health information, protecting servers from malicious attack and implementing sophisticated audit logs to track employee access to systems containing electronic health information."

Mr. Davis performs frequent audits of clinical systems access and is able to track CUMC employees' access to electronic medical records in the patient medical information system, WebCIS. These audit logs were developed by Biomedical Informatics and are also used by NYPH. Mr. Davis receives "smart audit logs" every day that flag unusual activity, such as when one person accesses a large number of records or attempts to view records of a VIP patient or employee receiving care at CUMC or at the hospital. If Mr. Davis suspects something is amiss, he interviews the employee to see why the record was viewed. Sometimes, the action triggers disciplinary procedures.

"Unauthorized access of patient medical information is not only a violation of CUMC policy and subject to sanction but is also a violation of federal law," Mr. Davis says. "It can result in the employee being suspended or fired and potentially even fined or, in rare egregious cases, criminally prosecuted by the federal government. CUMC is also subject to serious fines for privacy violations."

This audit capability likely will be extended to the clinical research area. There are preliminary plans to link Columbia's electronic research administration system, RASCAL, to WebCIS, to enable the use of smart audit tools to track researchers' use of protected medical information. "Researchers are not exempt from HIPAA rules," Mr. Davis says.

"Since HIPAA started, CUMC's privacy culture has changed for the better. People are much more aware of the importance of protecting patient privacy – even first-year students have stopped discussing patient information in the elevators."

—Matthew Dougherty