HIPAA Security Is Next

Don’t Wait, Start Now
Fortunately, most of the changes involved in this will be low-cost and actually sensible to implement now, if you haven’t already. Others will take longer to implement and need to be started soon to meet the deadline. As with the privacy component, some of the security requirements are technical, and many are operational. Here is an overview of what you should be thinking about now.

Try to Be Reasonable
As directed by Congress, the Department of Health and Human Services (DHHS) has been careful not to specify technologies to meet the HIPAA security requirements, but rather has specified process and outcome requirements. The word “reasonable” appears 57 times in the rule, demonstrating government’s willingness to scale solutions according to facilities’ different sizes and degrees of sophistication. Consider the following factors in deciding what security measures are reasonable in your situation:

• the size, complexity, and capabilities of your organization;
• its technical infrastructure, hardware, and software security capabilities;
• what reasonable security measures might cost; and
• the probability and criticality of potential risks to the facility’s ePHI.

Get Your Own Copy
While facilities may engage consultants to assist with HIPAA compliance, each facility remains responsible for achieving this. To begin with, get a copy of the final rule at www.cms.gov/hipaa/hipaa2/regulations/security/default.asp. The good news is that the actual rule is only eight pages long, along with a preamble of analysis and responses to public comments.

Next, determine whether the rule does, in fact, apply to your facility. If yours is a nursing facility, the rule applies absolutely; all nursing facilities must at least maintain computer-based MDS data and transmit those data to their state agencies. If you operate a CCRC or assisted living facility, the rule applies if you maintain residents’ health information on a computer or transmit their ePHI electronically. (Staff employment records are exempt from the rule.)

Know How to Respond
There are two types of Security Rule spec-ifications:

1. Required: The entity must implement the specification.

2. Addressable: The entity must: (a) assess whether the specification is a “reasonable and appropriate” safeguard for its particular environment and (b) as applicable, implement the specification, if reasonable and appropriate, or document why its implementation is not reasonable and appropriate, and document any alternatives taken as being reasonable and appropriate.

The Security Rule in Outline
The following lists various compliance-related activities pertaining to the Security Rule:

1. Administrative safeguards.
Security management process. This includes formal review of information system activity, risk analysis, risk management, and development of a sanction policy.

Assigned security responsibility. Identify who in your facility is responsible for developing and implementing the policies and procedures of the Security Rule.

Workforce security. Develop policies for authorization and/or supervision of staff who work with ePHI, including procedures for clearance and employment termination.

Information access management. Implement policies and procedures for authorizing specific access to ePHI consistent with the applicable requirements of the Privacy Rule.

Security awareness training. Implement a security awareness and training program for all members of the workforce, including management; this includes posting security reminders, log-in monitoring, and establishing password management procedures.

Security procedures. Develop procedures for identifying and responding to suspected or known breach-of-security incidents, mitigating, to the extent practicable, any harmful effects and documenting breach-of-security incidents and their outcomes.

Contingency plan. This includes developing a data-backup plan and a disaster-recovery plan, outlining emergency-mode operational procedures, developing security policy testing and revision procedures, and performing criticality analysis of data and applications.

Evaluation. Perform a periodic technical and nontechnical evaluation based initially on the standards implemented under this rule and, subsequently, in response to any environmental or operational changes affecting the security of ePHI.

Business associate contracts. Document satisfactory assurances from business associates that they have procedures in place consistent with the organizational requirements of the rule.

2. Physical safeguards.
Facility access controls. This requires policies and procedures to limit physical access to electronic information systems and the facilities housing them.

Workstation use. This requires policies and procedures that specify the proper functions to be performed at the workstation, the manner in which those functions are to be performed, and the physical attributes of the workstation as they pertain to these functions.

Workstation security. This requires physical safeguards for all workstations that access ePHI, aimed at restricting access to authorized users only.

Device and media controls. This requires policies for disposal and reuse of data recording media, and accountability for these, as well as data backup and storage.

3. Technical safeguards.
Access controls. This includes a unique user identification process, emergency access procedures, automatic log-off, and measures for encryption and decryption.

Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in an information system that contains or uses ePHI.

Integrity. Have safeguards to protect ePHI from improper alteration or destruction.

Person or entity authentication. Have procedures to verify the identity of the person or entity seeking access to ePHI.

Transmission security. Have safeguards to protect against unauthorized access to ePHI that is being transmitted over an electronic communications network. This includes integrity controls and encryption methods alluded to above.

4. Organizational requirements.
Business associate contracts. Take reasonable measures to ensure that all business associates using or receiving ePHI comply with the rule’s requirements.

Group health plans. Review requirements specific to group health plans.

5. Policies/procedures/documentation requirements.
Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards. The policies may be changed at any time provided that the changes are documented and are implemented in accordance with the rule.

Documentation. Maintain policies and procedures, as well as reports of actions, activity, or assessment required by the rule, in a written record (which may be electronic). The documentation must be maintained for six years, be available to those persons responsible for implementing the procedures and, in the case of policies and procedures, be updated as needed in response to environmental or operational changes affecting the security of ePHI.

Conclusion
Obviously, the final Security Rule will take considerable time and resources to implement, even if many of its elements are already in place at your facility. Facilities need to start now to meet the April 21, 2005, deadline. NH

American Health Information Management Association (AHIMA) www.ahima.org

Centers for Medicare and Medicaid Services (CMS)
www.cms.gov/hipaa/hipaa2/regulations/security/default.asp

Department of Health and Human Services (DHHS)
www.hhs.gov/ocr/hipaa

Healthcare Information and Management Systems Society (HIMSS) www.himss.org