April 2003


Legislative Watch

By George G. Olsen, JD

Just as covered entities were working assiduously to meet the April 14, 2003, compliance deadline for the Health Insurance Portability and Accountability Act (HIPAA) privacy standards (Privacy Rule), on February 20, 2003, the Department of Health and Human Services published the final HIPAA security standards (Security Rule). While compliance with the Privacy Rule may have been the front burner concern for covered entities recently, it is not too soon to begin thinking about compliance with Security Rule requirements.

Although the Security Rule does not become effective until April 2005, the Privacy Rule has a security component that must be established by the April 2003 deadline. Specifically, the Privacy Rule requires covered entities to adopt “appropriate” administrative, technical, and physical safeguards to protect the security of health information. Because such safeguards are the subjects of the Security Rule, it likely will become the benchmark by which compliance with this Privacy Rule requirement will be measured.

SECURITY RULE BASICS

The Security Rule applies to health plans, health care clearinghouses, and health care providers (including many providers of rehabilitation services) who transmit any health information in electronic form in connection with certain electronic transactions. Practitioners sometimes perceive HIPAA to cover only medical records, but the scope of HIPAA, and of the Security Rule, is indeed much broader. For example, the Security Rule may affect not only a covered entity’s security-related policies and procedures, but also the activities of its workforce, the physical environment of its facilities, the technological goals it must achieve, and its relationships with business associates.

The Security Rule generally provides guidance on security standards that must be achieved by covered entities that have access to electronic health information. Specifically, the Security Rule provides that covered entities must:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates and receives, and electronic protected health information it maintains or transmits;
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and
  • Ensure compliance with the Security Rule by its workforce.

To implement these principles, the Security Rule includes specific administrative, physical, and technical standards designed to ensure the confidentiality, integrity, and availability of electronic protected health information.

The rule acknowledges that covered entities may use any security measures that allow the entity to reasonably and appropriately implement the standards and implementation specifications. As a result, the Security Rule is flexible, based on the available resources of the covered entity, and is less likely to be rendered obsolete by technological advances. In deciding which security measures to use, a covered entity may consider factors such as its size, complexity, and capabilities; its technical infrastructure; hardware and software security capabilities; cost of implementation; and the probability and criticality of potential risks to health information. However, it is worth noting that this leeway and flexibility should not be interpreted as convenient justification to avoid compliance. The promulgated standards must be achieved.

RAISING HIPAA CONSCIOUSNESS

The first tip for HIPAA compliance is to get everyone involved. Compliance with the Security Rule will require input and effort from each member of your organization. High-level management awareness and involvement are necessary to achieve satisfactory results. However, staff members who have access to electronic protected health information also must be trained and oriented to become sensitive to HIPAA issues. Raising everyone’s “HIPAA consciousness” is a key component of a successful compliance strategy.

Second, figure out which laws apply. While HIPAA provides a comprehensive set of rules, most states have their own rules and regulations with respect to protection of health information. If state rules are more stringent than HIPAA, HIPAA will not preempt those state rules and they must be followed. Contact your state attorney general’s office to see if a preemption analysis with respect to the Security Rule is available.

The third recommendation is to assess your current security measures. As with good patient care, a thorough assessment is vital to successful compliance. The Security Rule requires covered entities to conduct an analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of health information. Because the Security Rule emphasizes the required standards rather than specific implementation specifications, the assessment process is vital to identifying deficient areas and taking the most cost-effective compliance approach. For example, you should assess your system capability, the criticality of specific applications, and the availability of required measures that are already in place. Following the assessment, you should carefully document the assessment process and your findings.

IMPLEMENTING THE PLAN

After the assessment phase, the implementation phase of your plan may be divided into several aspects: First, assign a staff member to be your security officer to oversee the compliance process, but separate the role of the security officer from the privacy officer who oversees privacy matters under HIPAA. Second, to ensure availability of health information, develop contingency plans to respond to emergencies such as fire or natural disasters. Create data backup and disaster recovery plans to prepare for events that may prevent emergency access to health information. Third, develop policies with respect to the physical environment of any, or any class of, workstations that provide access to health information. Designate access rights to such workstations to prevent unintentional physical access. Last, describe the documentation procedures so that your organization can have a documentation trail for future reference and review.

With respect to your workforce, one of the first steps is to specify the level of access to health information of each member. The level of access should be continually modified and changed as the working environment undergoes changes. Upon termination of any workforce member, access should be promptly terminated as well. After assigning access levels, you should set up reporting mechanisms to facilitate early detection of recurring trends of security breaches. Should any security breach occur, you should undertake mitigating measures immediately. Upon review of the incident, staff members who violated security policies should be appropriately sanctioned to stop recurring violations and deter future breaches. When implementing the security measures and training programs, you should include not only the staff members who are in regular contact with health information, but also those who are likely to come across health information. To raise and maintain HIPAA consciousness among your workforce, distribute periodic newsletters relating to new HIPAA issues.

Additionally, one component of complying with the physical aspect of the Security Rule is to secure your facility from unauthorized physical access. Awareness is key to this. If members of your organization are conscious about HIPAA issues, the likelihood of health information becoming inadvertently accessible to visitors can often be reduced dramatically. Controlling access rights for visitors and staff members to certain areas of your facility sets physical boundaries and allows easy detection of inadvertent access. The other component is controlling the physical media on which health information is stored.

When disposing of or preparing to reuse any media that contains protected health information, pay particular attention to ensuring that prior data has been wiped clean. Create a backup copy before relocating physical media so that you may recover electronic protected health information should the media be destroyed during relocation. For documentation purposes, maintain records of any personnel who had physical contact with or moved such media.

Electronic health information is subject to a host of potential risks not applicable to paper copies. To ensure proper access, assign passwords, monitor log-in, implement automatic log-off, or even track usage data when health information is accessed. Use antivirus software, security software, and encryption technologies to prevent malicious cyber-attacks. After you install the preventive measures, monitor system activities periodically to flag any issues. Authenticate data to ensure that it has not been altered without authorization and verify that the person seeking access is indeed the person he claims to be. Furthermore, devices that we use to increase efficiency often create additional administrative burden. Laptops, PDAs, and wireless network devices are all potential sources of security breach, so be sure to include security measures for these devices in your plan.

BEING FLEXIBLE TO CHANGE

You will need to monitor and modify your security plan to adapt to the changes in your workforce and your organization’s physical or technological environment, and changes in industry “best practices.” As your size, complexity and capabilities, technical infrastructure, and probability and criticality of potential risk change, you may need to revise your security measures. Other changes that may require altering your security plan include new technologies or new legal standards. All in all, you should place a significant emphasis on the evaluation process to continuously update your plans.

Finally, “business associates,” entities that create or obtain access to protected health information during the course of working with covered entities, are subject to HIPAA regulation. Covered entities must receive satisfactory assurance that business associates will appropriately safeguard the health information. Specifically, business associate contracts must provide that the business associate will implement safeguards that reasonably and appropriately protect the health information that it creates, receives, maintains, or transmits on behalf of the covered entity; ensure that any agent of the business associate agrees to implement reasonable and appropriate safeguards to protect the health information; provide that the business associate will report to the covered entity any security incident of which it becomes aware; and authorize termination of the contract by the covered entity if the entity determines that the business associate has violated a material term of the contract. These requirements are similar to, but independent from, the requirements set forth in the Privacy Rule. Covered entities and business associates should review their current form contracts to ensure compliance with these additional requirements.

CONCLUSION

Thorough assessment, keen HIPAA consciousness, and a team effort can go a long way toward successful compliance. Although the Security Rule will not become effective until April 2005, 2 years go by quickly when you have your entire staff to train and all new policies to draft. Start now and be ready.

W. Andrew H. Gantt, JD, MTS, is a senior associate and ManChit AuYeung, JD, BSN, is an associate with Latham & Watkins LLP, in Washington, DC.

Copyright © 2008 Ascend Media LLC | Rehab Management | All Rights Reserved.