Without giving you a full course on HIPAA and the HITECH Act, here are the most important talking points with regard to SharePoint and HIPAA. First, there are two parts to HIPAA: 1) security and 2) privacy. With regard to security, SharePoint is more than robust enough to provide adequate security to satisfy HIPAA. The best recommendation is to use SSL and role-based security.
With regard to privacy, the most important aspect is the question of “accounting”. In other words, can the covered entity provide adequate reporting of who looked at protected health information? First, there are some important caveats. Accounting must happen unless the disclosure falls under one of the following exemptions:
- To carry out treatment, payment and health care operations as provided in § 164.506
- To individuals of protected health information about them as provided in § 164.502
- Incident to a use or disclosure otherwise permitted or required by this subpart, as provided in § 164.502
- Pursuant to an authorization as provided in § 164.508
- For the facility’s directory or to persons involved in the individual’s care or other notification purposes as provided in § 164.510
- For national security or intelligence purposes as provided in § 164.512(k)(2)
- To correctional institutions or law enforcement officials as provided in § 164.512(k)(5)
- As part of a limited data set in accordance with § 164.514(e)
- That occurred prior to the compliance date for the covered entity
Now there are two options here. Option 1, develop a SharePoint governance approach that only allows access for the purpose of the above accounting exemptions. Option 2, provide accounting with the following criteria:
For a single disclosure:
- The date of the disclosure
- The name (and address, if known) of the entity or person who received the protected health information
- A brief description of the information disclosed
- A brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure)
For multiple disclosures:
- For the first disclosure, a full accounting, with the elements described above
- The frequency, periodicity, or number of disclosures made during the accounting period
- The date of the last such disclosure made during the accounting period
The big question: can SharePoint do this?
Yes and no. SharePoint 2010 has auditing built in. Auditing in SharePoint determines:
1. Frequency or number of disclosures
2. Date of last disclosure
What it does not give is:
1. A brief description of the information (only the file name)
2. A brief statement of purpose. To overcome this requirement, a request for information (RFI) form can be submitted and approved through SharePoint to satisfy the “statement of purpose”.
In addition, a required field within every content type will be a “brief description”. This description can be used for any accounting required. It is important to note that there is nothing in HIPAA that says all of this information must be collected at the same time.
When presenting a report to a patient regarding their HIPAA disclosures, the statement of purpose and brief descriptions can be added to the auditing report from SharePoint at the time of the request and does not necessarily need to be updated in real time, continuously within SharePoint. The accounting report can either be manual, from an automated workflow, or from a custom solution developed for SharePoint. It is up to the client to decide what works best for them.
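As an added example (not code from the original post or from SharePoint), here is how the three sources described above can be joined at report time: the exported audit log supplies the dates and counts, the content type’s “brief description” field supplies the description, and the approved RFI supplies the statement of purpose. The row layout, field names, and sample values are constructed assumptions, and the report flags any disclosure that still lacks an approved RFI.

```python
from collections import defaultdict
from datetime import date
# Constructed rows in the shape of an exported SharePoint audit log; field names are an assumption.
AUDIT_ROWS = [
    {"user": "jdoe", "item": "/phi/patient-1234-labs.docx", "event": "View", "date": date(2012, 3, 1)},
    {"user": "jdoe", "item": "/phi/patient-1234-labs.docx", "event": "View", "date": date(2012, 3, 8)},
    {"user": "jdoe", "item": "/phi/patient-1234-labs.docx", "event": "View", "date": date(2012, 3, 15)},
    {"user": "jdoe", "item": "/phi/patient-1234-labs.docx", "event": "View", "date": date(2012, 4, 2)},
    {"user": "asmith", "item": "/phi/patient-1234-imaging.pdf", "event": "View", "date": date(2012, 3, 2)},
    {"user": "asmith", "item": "/phi/patient-1234-imaging.pdf", "event": "Check Out", "date": date(2012, 3, 5)},
]
# "Brief description" required field on each content type (constructed values).
DESCRIPTIONS = {"/phi/patient-1234-labs.docx": "Lab results, Feb 2012",
                "/phi/patient-1234-imaging.pdf": "Chest X-ray report"}
# Approved RFI forms keyed by (user, item); asmith has none on file (constructed).
RFI_PURPOSES = {("jdoe", "/phi/patient-1234-labs.docx"): "Insurance claim review, RFI #17"}
# Recipient name and address, if known (constructed).
RECIPIENTS = {"jdoe": "J. Doe, Example Insurance Co., 1 Main St"}
# Audit event types counted as a disclosure (assumption; adjust to the governance policy).
DISCLOSURE_EVENTS = {"View", "Check Out"}

def accounting_report(rows, descriptions, purposes, recipients, start, end):
    """One entry per (recipient, item) within the period: the four single-disclosure
    elements, plus count and last date when the same recipient saw the item repeatedly."""
    dates_by_key = defaultdict(list)
    for r in rows:
        if r["event"] in DISCLOSURE_EVENTS and start <= r["date"] <= end:
            dates_by_key[(r["user"], r["item"])].append(r["date"])
    report = []
    for (user, item), dates in sorted(dates_by_key.items()):
        dates.sort()
        entry = {
            "date": dates[0],                             # date of the (first) disclosure
            "recipient": recipients.get(user, user),      # falls back to the account name
            "description": descriptions.get(item, item),  # falls back to the file name the audit log gives
            "purpose": purposes.get((user, item)),        # None: no approved RFI on file yet
        }
        if len(dates) > 1:                                # multiple-disclosure summary
            entry["count"], entry["last_date"] = len(dates), dates[-1]
        report.append(entry)
    return report

def missing_purposes(report):
    """Entries that cannot be released to the patient until a statement of purpose is added."""
    return [e for e in report if e["purpose"] is None]

if __name__ == "__main__":
    for e in accounting_report(AUDIT_ROWS, DESCRIPTIONS, RFI_PURPOSES, RECIPIENTS, date(2012, 3, 1), date(2012, 3, 31)):
        print(e)
```

The April row is excluded by the period filter, and the `missing_purposes` list is the work queue for collecting RFIs before the accounting is handed to the patient.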