Monday, November 1, 2010

Trails and Trials in HIPAA

The implementation of HIPAA's security and privacy requirements has resulted in nearly every U.S. PACS having an audit trail capability that records who, where, and when the system was accessed. These audit trails have not only helped ensure patient privacy and security, they also provide a practice with an independent record of its radiologists' patient access.

Although organizations such as the IHE have sought to standardize the protocol and format of HIPAA audit trails, vendors are free to implement the requirement as they see fit. The result has been mostly incompatible application among different systems; however, administrators have learned to live with the issue. Manufacturers have begun to make improvements in making audit trail information available in a more user-friendly format, and grass-root efforts at data mining by IT-savvy PACS administrators have helped to improve the situation. 

On average, PACS administrators check their audit trails about once or twice a month--mostly to conduct a random check for unauthorized system access. These audit trail checks have uncovered the unauthorized access of patient records in several high-profile cases (typically celebrity patients), which resulted in disciplinary action against the transgressors. 

In addition to recording unauthorized access, audit trails can also be used resolve questions of authorized access. For example, I have been contacted by legal representatives of parties that needed to prove a physician saw a medical file. In one case, a patient died because a serious condition was missed by a radiologist who disputed he had accessed the image; however, the log files in the audit trail were clear about his access. 

Cases such as these are good arguments to use when trying to convince physicians never to share user names and passwords. When there is legal action, the implications of password sharing can become dramatic. 

The logging of audit trails required by HIPAA not only maintains patient privacy and security, it also makes a radiologist's patient access clearly visible—which can help a practice determine who did what and when they did it. 

Implementing Dose Recording

As low as reasonably achievable (ALARA) is a radiation dose guideline that radiologists and technologists endeavor to achieve daily. In the majority of radiologic exams, this goal is met. In addition, ongoing diagnostic imaging research, more effective post-processing algorithms, and breakthroughs in modality manufacturing are all endeavoring to lower the radiation dose delivered to the patient. 

When dose delivery goes wrong—someone gets hurt. Generally, when there is a dose accident it can be traced to a combination of human and mechanical/technological issues. For example, the recent publicity surrounding the hundreds of California patients overexposed due to the selection of incorrect CT imaging protocols. 

Pediatric radiologists are particularly keen on using the lowest possible diagnostic dose for their imaging protocols. The Image Gently Alliance, which advocates for greater radiation safety in pediatric imaging, has received enthusiastic support from every radiological professional society. 

In addition, there have been hearings in the U.S. Congress about the issue of dose reduction, as well as new legislation adopted by California requiring that patient radiation dose be recorded—all in an effort to minimize patient overexposure. 

The medical imaging industry in the U.S. was caught off-guard by the dose recording requirement. However, most of Europe has already established standard dose recording terminology and methodology, so it would not be that difficult to adopt these applications. And new extensions to the DICOM standard—in the form of Structured Reports for dose recording—have recently been added. This means that there are no practical excuses for manufacturers to not implement patient dose recording in a standard manner. 

One should note that there are alternative solutions to the DICOM Structured Report for recording dose information; however, the other options are either incomplete or do not allow for the information to be stored electronically. For example, the practice of displaying the information only on a user's screen is unacceptable beyond the immediate moment—the only mechanism to access this information electronically is by saving the screen and applying some type of optical character recognition (OCR) application in order to access the data. 

Alternate solutions to record dose by using information in the DICOM header are also incomplete as they do not record the complete exam (not every X-ray exposure results in a saved image). The same argument (an incomplete record of total exposure) applies to the use of the optional recording of dose in DICOM's Modality Performed Procedure Step (MPPS). 

Implementing new software additions, such as adding Dose Structured Reports to existing devices, is not a trivial task. There is at least a one-year lead time—which includes proper design, documentation, implementation, verification and testing, and a well organized roll-out and upgrade of the installed base. In addition to these challenges to the modification of deployed X-ray modalities, there is also an infrastructure question as to where and how dose information should be recorded and stored. Options are in the EMR, HIS, RIS, PACS, or a separate, dedicated dose recording device or software application. Also, should patient dose recording be done in a one-off, discrete manner on a per-exam basis? Or, should dose also be recorded and presented to the ordering and examining healthcare professionals on a cumulative basis? 

There is no question that dose reporting is going to be a universal requirement for X-ray modalities. The imaging industry will have to gear up quickly to implement the new DICOM additions, and also come up with solutions to record and report this vital patient safety information.