HIPAA Security Is Next
Of the three HIPAA components, the data security component is the last to be implemented; its compliance date is April 21, 2005. Nursing facilities can get a head start on meeting these requirements, and improve their current data practices in the process, by taking a reasonable approach to securing their electronic protected health information (ePHI). Facilities planning to acquire new software or hardware that will contain or manage ePHI should study the rule as part of the acquisition process and ensure that their selected vendor(s) can support its requirements.
Don’t Wait, Start Now
Try to Be Reasonable
Get Your Own Copy
Next, determine whether the rule does, in fact, apply to your facility. If yours is a nursing facility, the rule applies without exception: all nursing facilities must at least maintain Minimum Data Set (MDS) assessment data on a computer and transmit those data electronically to their state agencies. If you operate a CCRC or assisted living facility, the rule applies if you maintain residents’ health information on a computer or transmit their ePHI electronically. (Records the facility holds in its role as employer, such as staff employment records, are not covered by the rule.)
Know How to Respond
1. Required: The entity must implement the specification.
2. Addressable: The entity must (a) assess whether the specification is a “reasonable and appropriate” safeguard for its particular environment and (b) either implement the specification if it is reasonable and appropriate, or document why implementing it would not be reasonable and appropriate and document any equivalent alternative measure adopted in its place. “Addressable” does not mean optional; the assessment and its outcome must be written down.
The Security Rule in Outline
1. Administrative safeguards.
Assigned security responsibility. Identify who in your facility is responsible for developing and implementing the policies and procedures of the Security Rule.
Workforce security. Develop policies for authorization and/or supervision of staff who work with ePHI, including procedures for clearance and employment termination.
Information access management. Implement policies and procedures for authorizing specific access to ePHI consistent with the applicable requirements of the Privacy Rule.
Security awareness and training. Implement a security awareness and training program for all members of the workforce, including management; this includes periodic security reminders, protection from malicious software, log-in monitoring, and password management procedures.
Security incident procedures. Develop procedures for identifying and responding to suspected or known security incidents; mitigating, to the extent practicable, their harmful effects; and documenting the incidents and their outcomes.
Contingency plan. This includes developing a data-backup plan and a disaster-recovery plan, outlining emergency-mode operational procedures, developing procedures for testing and revising the plan, and performing a criticality analysis of applications and data so that the most important systems are restored first.
Evaluation. Perform a periodic technical and nontechnical evaluation based initially on the standards implemented under this rule and, subsequently, in response to any environmental or operational changes affecting the security of ePHI.
Business associate contracts. Document satisfactory assurances from business associates that they have procedures in place consistent with the organizational requirements of the rule.
2. Physical safeguards.
Facility access controls. Implement policies and procedures to limit physical access to the information systems that hold ePHI and to the facilities in which they are housed, while ensuring that properly authorized access is allowed; this includes contingency operations, a facility security plan, access control and validation procedures, and maintenance records.
Workstation use. This requires policies and procedures that specify the proper functions to be performed at the workstation, the manner in which those functions are to be performed, and the physical attributes of the workstation as they pertain to these functions.
Workstation security. This requires physical safeguards for all workstations that access ePHI, aimed at restricting access to authorized users only.
Device and media controls. This requires policies governing the receipt and removal of hardware and electronic media that contain ePHI, including disposal, reuse of media (which must be sanitized before reuse), accountability for the movement of hardware and media, and data backup and storage.
3. Technical safeguards.
Access control. Implement technical policies and procedures that allow access to ePHI only to those persons or software programs that have been granted access rights; this includes unique user identification, an emergency access procedure, automatic logoff, and encryption and decryption of stored ePHI.
Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in an information system that contains or uses ePHI.
Integrity. Have safeguards to protect ePHI from improper alteration or destruction.
Person or entity authentication. Have procedures to verify the identity of the person or entity seeking access to ePHI.
Transmission security. Have safeguards to guard against unauthorized access to ePHI while it is being transmitted over an electronic communications network; this includes integrity controls, so that transmitted data cannot be altered without detection, and encryption of the data in transit.
4. Organizational requirements.
Group health plans. Review requirements specific to group health plans.
5. Policies/procedures/documentation requirements.
Documentation. Maintain policies and procedures, as well as reports of actions, activity, or assessment required by the rule, in a written record (which may be electronic). The documentation must be retained for six years from the date of its creation or the date it was last in effect, whichever is later; be available to those persons responsible for implementing the procedures; and, in the case of policies and procedures, be reviewed and updated as needed in response to environmental or operational changes affecting the security of ePHI.
David Oatway, RN, is President of CareTrack Systems, LLC, Olney, Maryland, and is Vice-Chairman of the American Association of Nurse Assessment Coordinators. He has been a consultant on healthcare automation, clinical systems development, and regulatory affairs for more than 20 years. For further information, e-mail firstname.lastname@example.org. To comment on this article, please send e-mail to email@example.com.
Information Resources
American Health Information Management Association (AHIMA) www.ahima.org
Centers for Medicare and Medicaid Services (CMS)
Department of Health and Human Services (DHHS)
Healthcare Information and Management Systems Society (HIMSS) www.himss.org