HIPAA Compliance Information
The Health Insurance Portability and Accountability Act (HIPAA) contains two rules, the Privacy Rule and the Security Rule, that have a direct bearing on the storage and management of patient images. Both rules are issued under the Administrative Simplification provisions of HIPAA.
As a software vendor, MIRROR™ Imaging Systems is not itself a "covered entity" under HIPAA; rather, it acts as a business associate of the practices it supports (see the note on Business Associate Contracts below). We do our best to stay informed on issues such as HIPAA that affect our customers, and we have prepared this sheet to provide a brief overview of how the HIPAA Privacy and Security Rules pertain to digital image management.
The HIPAA Privacy Rule, which governs the use and disclosure of protected health information (PHI), became effective on April 14, 2001. Most covered entities, including medical practices, had to be compliant with the Privacy Rule by April 14, 2003.
Image management software stores digital images in electronic records that typically contain PHI (patient name, full-face photographs, dates of service, etc.). The Privacy Rule requires that practices make reasonable efforts to limit the use and disclosure of such PHI by staff members to the "minimum necessary" to perform their duties. Practices are also expected to minimize the likelihood of "incidental disclosures" to persons who have no legitimate need to view PHI. Further, practices must be able to provide patients with an accounting of certain disclosures of their PHI, namely those made for purposes other than treatment, payment and health care operations, which in practice means keeping a log of such disclosures.
The following are some suggestions to help ensure that your practice manages patient images in a responsible and HIPAA-compliant manner with MIRROR™, DermaGraphix™ or PhotoFile software:
Set up user accounts for your image databases that require users to log in with a password. Give each staff member an individual account rather than a shared login, so that access to PHI can be attributed to a specific person and an account can be disabled when someone leaves the practice.
Always exit or log out of your imaging software when you are not using it or are stepping away from the workstation, so that an unattended screen does not expose PHI.
When using imaging software in front of patients, use the "Privacy" feature to hide other patients' PHI in the Search screen.
Develop standard operating procedures (SOPs) requiring that any use of the Export Patients or Export Images functions be documented (who exported what, when, to whom and why), since exported data leaves the controls of the imaging software and may need to appear in your accounting of disclosures.
Don't store your complete patient database on a laptop computer that is taken outside your practice. Instead, transfer only those patient records of immediate need to the laptop and remove those records from the laptop when you are finished with them; a lost or stolen laptop then exposes as little PHI as possible.
Obtain a signed Business Associate Contract from MIRROR™ Imaging Systems. In the course of providing technical support for your imaging software, our technicians may have occasion to access your image database. The HIPAA Privacy Rule requires that a practice have a signed Business Associate Contract in place before granting a vendor such access. MIRROR™ Imaging Systems can provide a contract template as needed. Our staff are trained on HIPAA regulations and limit their use and disclosure of customer data to the minimum necessary to perform the support task.
The HIPAA Security Rule became effective on April 21, 2003. Most covered entities, including medical practices, had until April 21, 2005 to comply with its standards. The Security Rule is aimed at protecting the confidentiality, integrity and availability of PHI that is created, stored or transmitted in electronic form (electronic PHI, or ePHI).
The Security Rule establishes requirements that govern a medical practice's storage, maintenance and transmission of ePHI in a "secure electronic environment." It does this through three categories of safeguards: administrative safeguards (policies, risk analysis, workforce training), physical safeguards (controlling physical access to workstations and media) and technical safeguards (unique user identification, access controls, audit logging and protection of data against unauthorized access during transmission).
No software product can by itself be "HIPAA-compliant"; compliance is a property of the practice's policies, procedures and safeguards taken as a whole, of which the software is one component. MIRROR™ Imaging Systems is making every effort to develop software that integrates easily into a HIPAA-compliant practice and to assist our customers in complying with HIPAA.