The Catholic Archdiocese of Boston is far from being a run-of-the-mill health care organization dealing with Health Insurance Portability and Accountability Act rules.
Or, rather, it's far from being just one run-of-the-mill health care organization. In addition to its affiliation with the 1,500-bed, 12,000-employee Boston-based Caritas Christi Health Care hospital system—which undoubtedly qualifies it as a large health care organization under HIPAA rules—the archdiocese is a nonprofit organization that provides its own health insurance to a relatively small number of employees.
That qualifies it as a small health plan, under the rules of HIPAA, which places it under a different set of deadlines than Caritas Christi or other large covered organizations but ultimately holds it to the same standards for patient privacy, data security and accountability as any large organization.
"We self-insure," says Archdiocese Benefits Director Mary Regan. "If we bought an insurance product, we wouldn't have had to. So we set up a conference call with our attorneys and got a series of recommendations of what the regulation meant and what we had to do. Some of them were easy, like having a computer shut down after 15 minutes of not being used. Some of the others were more complicated."
Complicated because records for the 21 policies the archdiocese maintains to supply benefits for more than 20,000 former or current employees were computerized, but the processes required to manage them were stored in three-ring binders in the benefits office.
Not only did the archdiocese have to automate those processes, it had to comply with the electronic employer-identification numbers and health care provider identifiers called for under HIPAA and lock down the files themselves to avoid privacy and security issues, according to Dan Guerra, systems manager for the archdiocese.
HIPAA guidelines were far from clear, however, Regan says. So the archdiocese asked a law firm to come up with a book of specific recommendations based on the confusing specification. Regan and Guerra based their policy decisions and functional requirements for an RFP (request for proposal) on that set of evaluations.
"Auditing the files was the hardest part," Guerra said. "We didn't have a global policy we could apply through Active Directory that would do things like shut down the PC after 15 minutes or keep track of who could access a file. We kept looking for a tool to let us see when files were breached or kept track of who and when someone got read/write access."
After sending out RFPs to CA, Symantec and other large vendors, the archdiocese ended up beta testing and then buying a set of security and auditing tools from ScriptLogic.
ScriptLogic's Enterprise Security Reporter scanned the logs and user data within NTFS (NT File System) permissions and Active Directory accounts for the 40 or so servers in the archdiocese's network into a database that made it easier for the IT staff to run queries and reports on the data.
"Without something like that, you could spend weeks in log files and not find what you're looking for," Guerra says. "It's all there, but good luck finding it."
Guerra also installed the beta version of ScriptLogic's now-shipping File System Auditor (FSA), which is designed to audit file activity on Windows servers and keep track of who touched which file when and on what server. It consolidates usage data and creates reports and e-mail or cell phone alerts based on criteria set by Guerra and Regan.
"When someone tries to access a file they shouldn't, [File System Auditor] puts out an e-mail; it takes the dates and times when someone tries to access a file and alerts us, and we have a process we follow to see why they're trying to look at that file. We have monthly reports on files that were deleted or moved, with the date and time. They're very detailed," Guerra said.
FSA, which would cost about $7,000 without the discount the archdiocese got for beta testing the software, is a fairly easy drop-in solution to add auditable privacy and security to files on Windows servers without breaking the budget or requiring much in the way of custom programming, Guerra says.
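The two jobs these tools did for the archdiocese, turning NTFS permissions into something queryable and turning file-access audit records into alerts and reports, can be sketched with built-in Windows tooling. The PowerShell script below is an added example, not ScriptLogic's or the archdiocese's code. It inventories the NTFS ACLs under a set of share roots and flags broad grants (the kind of question Enterprise Security Reporter's database answered), then pulls object-access events from the Security log, separates allowed from denied attempts and delete attempts, e-mails an alert for the denied ones and writes a CSV for the monthly report (the File System Auditor behaviour Guerra describes). It assumes a Windows server with object-access auditing enabled and a SACL set on the folders of interest; the share paths, SMTP host and addresses are placeholders.

```powershell
# Added example: NTFS permission inventory plus file-access audit alerting.
# Assumes: Windows Server, Security log readable (run elevated), and
# "Audit Object Access" enabled with a SACL on the roots below.
$ShareRoots  = @('D:\Benefits')            # placeholder share root(s)
$HoursBack   = 24                          # alert window
$ReportDir   = 'C:\AuditReports'           # placeholder output folder
$SmtpServer  = 'smtp.example.invalid'      # placeholder SMTP host
$AlertFrom   = 'fileaudit@example.invalid' # placeholder addresses
$AlertTo     = 'benefits-security@example.invalid'

# Identities that should rarely hold Allow rights on benefits data.
$BroadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Part 1: walk every folder under the roots and emit one row per ACE.
function Get-NtfsPermissionReport {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        $folders = @(Get-Item -Path $root) +
                   @(Get-ChildItem -Path $root -Recurse -Directory -ErrorAction SilentlyContinue)
        foreach ($folder in $folders) {
            $acl = Get-Acl -Path $folder.FullName
            foreach ($ace in $acl.Access) {
                [pscustomobject]@{
                    Path      = $folder.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()
                    Type      = $ace.AccessControlType.ToString()
                    Inherited = $ace.IsInherited
                    # Broad = an Allow ACE granted to a catch-all group; review these first.
                    Broad     = ($ace.AccessControlType -eq 'Allow') -and
                                ($ace.IdentityReference.Value -in $BroadIdentities)
                }
            }
        }
    }
}

# Part 2: read object-access audit events and keep those touching the roots.
#   4656 = handle requested (an Audit Failure here means access was denied)
#   4663 = object accessed (success only; DELETE bit 0x10000 in AccessMask = deletion)
function Get-FileAccessEvents {
    param([string[]]$Roots, [int]$Hours)
    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is easiest to read from the event's XML form.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data.ObjectType -ne 'File') { continue }
        $inScope = $Roots | Where-Object { $data.ObjectName -like "$_*" }
        if (-not $inScope) { continue }
        $mask = 0
        if ($data.AccessMask) { $mask = [int]$data.AccessMask }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Server     = $e.MachineName
            User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            File       = $data.ObjectName
            EventId    = $e.Id
            Denied     = ($e.KeywordsDisplayNames -contains 'Audit Failure')
            Delete     = ($e.Id -eq 4663) -and (($mask -band 0x10000) -ne 0)
            AccessMask = $data.AccessMask
        }
    }
}

# Run both parts, alert on denied attempts, keep CSVs for the monthly review.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

$perms = Get-NtfsPermissionReport -Roots $ShareRoots
$perms | Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir "ntfs-permissions-$stamp.csv")
$perms | Where-Object Broad | Format-Table Path, Identity, Rights -AutoSize

$access = Get-FileAccessEvents -Roots $ShareRoots -Hours $HoursBack
$access | Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir "file-access-$stamp.csv")

$denied = $access | Where-Object Denied
if ($denied) {
    $body = ($denied | Sort-Object Time |
             ForEach-Object { "$($_.Time)  $($_.User)  $($_.File)  (server $($_.Server))" }) -join "`n"
    Send-MailMessage -SmtpServer $SmtpServer -From $AlertFrom -To $AlertTo `
        -Subject "Denied file access attempts in the last $HoursBack h: $($denied.Count)" `
        -Body $body
}
```

Scheduling this hourly covers the alerting side; the CSVs accumulate the "who, which file, when, which server" record that the monthly deleted-or-moved report is built from (filter on the Delete column). The Security log only holds what the SACL asks it to record, so the permission inventory should be reviewed before trusting the access report: a folder with no SACL produces no events, however broad its ACL.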
"We kept looking for a tool that did exactly what we needed it to do," Guerra said. "They were the only vendor at the time that had a product that fit our needs, and they worked with us to put something together.
"There was no e-mail alert in the original product, but [ScriptLogic] added [that function in the shipping version]. I think they realized the importance of this, since everyone is jumping on HIPAA," Guerra said.