Computer Technology | I Advance Senior Care Skip to content Skip to navigation

Computer Technology

May 1, 2004
by root
| Reprints
A Road Map to HIPAA Compliance by David Oatway

COMPUTER technology

A road map to HIPAA compliance As noted in my earlier article ("HIPAA Security Is Next," January 2004), now is the time to start complying with the standards of the April 21, 2005 HIPAA Security Rule deadline. Fortunately, the Security Rule is closely synchronized with the HIPAA Privacy Rule which is already in effect. Hence, some actions taken to comply with the Privacy Rule will expedite compliance with parts of the Security Rule. This article will assist facilities to plan the steps needed to comply with the Security Rule, with emphasis on what's reasonable for nursing facilities. The core language driving this regulation can be found in "The Regulatory Basis," below. All facilities are urged to download an official copy of the Final Rule at For other helpful resources, see "Information Resources," below.

The Security Rule is more limited in scope than the Privacy Rule. While the Privacy Rule covered all protected health information (PHI), paper or electronic, the Security Rule applies only to electronically stored or transmitted PHI. Like the Privacy Rule, the Security Rule emphasizes reasonableness and does not specify any specific technology to meet its requirements. It allows scaling of responses, depending on each facility's size and technologic environment. Each facility is required to assess its status and address its vulnerabilities within its own organizational framework, as long as it complies with all basic standards and evaluates, documents, and acts appropriately regarding addressable issues. To better understand the distinction between "required" and "addressable"-key to understanding this article-see "Implementation Specifications: Required versus Addressable."

Road Map to Full Compliance
Getting to compliance will necessitate a deliberate effort to identify vulnerabilities and threats to the confidentiality, integrity, and availability of electronic PHI, or ePHI. All of the following steps must be taken, but the exact order will depend on the circumstances of each facility. Each standard will be identified as being "Required" (R) or "Addressable" (A) in accordance with the Final Rule and a suggestion as to timing: "Now," or "Later." While it would be desirable to do everything now, the reality of limited resources and the need to collect and analyze data before taking some actions dictate a phased approach. The timing suggestions must be evaluated by each facility-they are not part of the rule! In some facilities, standards suggested as "Later" may already have been met. The suggestions are intended for facilities without the current capability to comply with the standard.

We suggest the facility's security official (and there must be one) use a HIPAA Security Matrix to ensure that each requirement is addressed. A comprehensive HIPAA Security Matrix is needed to document all issues related to the security of electronic PHI. Each facility will need to ensure that the security analysis they perform is comprehensive for their facility. Typically, a security matrix may be 20 pages or more. (A sample matrix for nursing facilities that can be tailored to individual facilities is available by e-mailing the author.) Documentation related to Security Rule analysis and actions is required to be maintained in a written record (which may be electronic) that includes the Risk Analysis (see below) and reports of actions, policies, and procedures. Start it now. Implementation Specifications:
Required Versus Addressable

Implementation specifications are either "required" or "addressable." If a standard includes a required implementation, the covered entity must assess the risks and must implement the safeguard specified by the rule. If a standard includes an addressable implementation specification, a covered entity must:
  1. Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment; and
  2. As applicable to the entity:
    1. Implement the implementation speci-fication if reasonable and appropriate; or
    2. if this is not reasonable or appropri-ate, document the reasons, and
    3. Implement an equivalent alternative measure, if reasonable and appropriate.
Assigned Security Responsibility (R, Now). Identify the security official who will be responsible to the administrator for developing and implementing the facility's required policies and procedures. Small, relatively uncomplicated facilities might need only one person part-time'perhaps the facility's Privacy Official-to fill this role; more complicated facilities might need a team or designated staff. Because this lead person will need time to research and digest the requirements, he/she must be assigned immediately.