Do you know the HIPAA monitoring rules?

Don’t look now, but HIPAA has some regulatory teeth. On second thought, please do review the following to make sure you’re in compliance and not asking for sanctions.

As you may recall, April 21, 2005, was the go-live date for implementing the Health Insurance Portability and Accountability Act (HIPAA) for most providers. Included in the regulation is the requirement that each covered entity monitor its compliance with the Act. The new Enforcement Rule gives the Office for Civil Rights the authority to investigate complaints and to require corrective action and levy penalties. The bottom line to remember is that HIPAA compliance is not a onetime event.

But first a disclaimer: This article is not intended to be legal advice, but rather the author’s interpretation and understanding of the current HIPAA Security and Enforcement Rules. Facilities should always review compliance issues with competent legal counsel. (Also, see “A Road Map to HIPAA Compliance,” May 2004, p. 65, for additional background and a glossary.)

Who Is Responsible?

HIPAA places the responsibility for compliance on the covered entity, not the individual worker. It is the organization’s responsibility to safeguard electronic protected health information (EPHI). Administrators can delegate the authority to conduct HIPAA compliance assessment, monitoring, and corrective actions, but cannot delegate the responsibility of achieving compliance.


Two major changes to the HIPAA regulatory environment occurred last year: The Centers for Medicare & Medicaid Services (CMS) issued the HIPAA Administrative Simplification: Enforcement Final Rule (February 16, 2006, 45 FR 8390), and the HIPAA Security Guidance for Remote Use of and Access to Electronic Health Information (December 28, 2006). HIPAA now has regulatory “teeth” as well as guidance capabilities regarding off-site access to your facility’s EPHI. Your organization’s compliance plan must now account for these requirements, building on its past plans. Nothing has been removed from the HIPAA requirements—if anything, because of recent high-profile losses of federal data, scrutiny has increased.

Approaches to Compliance Review

An annual focused review of the organization’s HIPAA compliance is an appropriate measure to improve compliance and to show good-faith effort. In addition, whenever new software or hardware is put into service, a risk assessment of the affected processes and systems is needed.

The scope and complexity (and cost) of compliance monitoring are expected to vary according to the covered entity’s size and complexity. However, all providers must show good-faith efforts to comply with HIPAA standards.

Four elements are needed to monitor HIPAA compliance:

  1. Designated person. This may be the administrator, deputy, health information specialist, privacy officer, or other person who reports to the administrator. This position will require dedicated time that must be budgeted for.

  2. Knowledge of the HIPAA requirements. The Department of Health and Human Services (HHS) and CMS have produced extensive educational materials to assist providers. Nursing homes, home care providers, health information professionals, and trade associations have developed checklists and training offerings for members. Private training firms may also offer training. Appropriate budget must be dedicated to ensure that the responsible people have the information to do their job. The HHS and CMS materials are free, as are many of the association and state offerings.

  3. A plan. CMS has developed a HIPAA Security Rule “Basics of Risk Analysis and Risk Management” that forms the outline of an initial plan. However, each covered entity must adapt a plan to its own unique circumstances. The plan developed for implementation a year ago may just need to be reviewed and updated. Or it may be better to simply start over.

  4. Action. The plan must be carried out and documented, and corrective actions implemented and enforced.

It may also be useful to have an outside review of HIPAA security compliance. This can be arranged with sister covered entities, e.g., one nursing home’s compliance officer reviewing the practices of another home, with reciprocity. Of course, private consultants are available from various sources.

Considerations for Post-Acute and Long-Term Care

The Security Standards were written to apply to the whole continuum of healthcare entities that create, maintain, or transmit EPHI. Nursing homes and home care agencies are in the continuum but have needs that are different from those of hospitals and ambulatory care settings.

Most nursing homes and home care agencies get their computer support from third-party vendors. Vendors and systems vary greatly in their ability to comply with HIPAA requirements. Providers must evaluate their own systems for compliance, demand assurances of compliance from outside parties the provider cannot evaluate, and monitor the ongoing use of their systems to ensure that the protections are used by staff and are effective. In short, policies must be developed, staff must be trained on them, and they must be enforced.

New areas of emphasis that must be considered in revising Security compliance plans are:

Remote access. HHS has growing concern about systems that can be accessed remotely. CMS stresses that in situations involving the remote use of and access to EPHI, covered entities must make reasonable efforts to ensure that any such use or access is authorized and limited, as required by the HIPAA Security Rule.

Facility staff who access EPHI remotely must be trained in and use appropriate procedures to safeguard the EPHI. Requiring the use of secure communications for this should be considered, as should prohibiting access from public terminals.

Again, most nursing homes rely on third-party vendors for their software. The common practice of allowing a vendor’s programmer to dial into a system containing EPHI should be evaluated through formal risk analysis. The vendor can be set up as a business associate, with the usual certifications of compliance with HIPAA practices. In any event, the confidentiality, integrity, and availability of EPHI must be maintained. Vendor programmers should not be able to change EPHI or access information not needed to perform their system maintenance function.

All wireless access points must be protected by strong encryption and viable passwords.

Portable devices. The growing use of portable devices to access, store, and transport EPHI produces evolving challenges. Theft of laptops, PDAs, home computers, and the like can compromise EPHI. Risk analysis must be performed, followed by policy development, training, and enforcement, regarding these devices. The business case for allowing the use of portable devices should be evaluated against the risks. In many cases the risks can be mitigated through the use of strong passwords protecting the laptop’s boot process, its hard disk, removable storage devices, and similar access points. Laptop computers have provisions for physical locks to make theft more difficult (that little slot on the back or side can be locked to a cable device). Some laptops promoted for healthcare uses require a keypad password to access the boot process, and some have biometric devices built in. The need for or appropriateness of any technique should be determined through your risk analysis and planning process.

The benefits of portable devices can be extensive. Thoughtful security measures can make them safe. Therefore, include portable devices and remote access in your Security assessment.


Protecting EPHI is a core organizational competency in today’s world. We all long for the time when we could leave our doors unlocked and the keys in the ignition. Those days are gone. IT security has fallen victim to the same societal changes. Start living in today’s real world.

David M. Oatway, RN, MPH, is a long-term care IT consultant based in Key West, Florida.
