HIPAA Security Rule Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was implemented in four different phases to ensure compliance. The latest portion of HIPAA is the SECURITY RULE, which went into effect on April 21, 2005. All providers, except for small health plans, should have been in compliance by April 20, 2005. The exception for small health plans mandates that they must be compliant no later than April 20 of 2006.
6 Main Sections
There are six main sections in the Security Rule. The sections of the rule are the administrative, physical and technical safeguards, the organizational requirements, and the policies, procedures, and documentation requirements. In the Security Rule, there are 18 Security Rule Standards containing a total of 42 implementation specifications. The Implementation Standards are made up of 20 “required” standards that must be done, and 22 “addressable” standards that must be done, and 22 “addressable” standards, which must be considered by the covered entity if they should be doing them. Most, if not all, of the addressable specifications, will be required to be completed. There is no guidance provided by the Security Rule as how to fulfill the standards and specifications.
Effective April 2005, HIPAA security rules mandates that covered entities implement certain measures to (1) physically AND electronically secure electronically protected health information (PHI) against unauthorized retrieval, (2) reliably store the electronic data, and (3) provide for emergency access to the data.
Investigations
In November 2004, the Centers for Medicare and Medicaid Services (CMS) reported that over 8100 providers had been investigated for HIPAA compliance infractions. In many ways, compliance with the HIPAA Security Rule is bigger and more complex than the HIPAA Privacy Rule. Law requires provider compliance to the security rule. Furthermore, you must document all of your implementation procedures, where and when you and your staff were trained, and if any portion of the addressable portion of the rule was not implemented, why you did not implement that portion of the rule. Have you and your staff undergone HIPAA training in the past? Has there been any new staff hired since the training? Have they been trained? Their training is not only mandated, but your documentation of training must be provided upon audit.
The first step to compliance is by performing a specified Risk Assessment. The risk assessment is required to be done by law and documented. Not all risks have an equal impact on your business. The key is to interpret which risks to mitigate, which risks insuring against, and which risks have a low impact, therefore are not worth worrying about.
I have taken a specific approach in the copyrighted risk analysis provided in class, to determine which components of your office are in place, which procedures and policies need to be created, and the action plans to create those policies and procedures.
The risk assessment components include:
- Inventory of Documents
- System Identification
- Threat Identification
- Vulnerability Identification
- Safeguard Analysis
- Risk Determination
- Procedural and Financial Impact Analysis
- Safeguard Recommendations
- Documentation of Results
After performing the risk assessment, the provider must analyze where their office falls short of the requirements. This analysis is known as the Gap Analysis. Your gap analysis is unique to your office. It provides you with the groundwork needed to come into compliance. The Security Rule has purposefully remained flexible, scalable and technologically neutral. This, however, serves as a double-edged sword. While we enjoy the fact that the government has not mandated certain technologies in our office, we also are left to seek out answers to the security risks we have discovered. I have culled through the Security Rule and technology solutions to provide you with the best use of recommendations for the implementation of safeguards. Technology suggestions are provided to help you come into compliance while trying to keep within a small practice’s budget.
Security
Consider a traditional software system, perhaps with a server and a data network right in your office. Under the new Security Rule, you will be responsible for protecting your computer-stored patient data from both physical access (break-ins, disgruntled employees, etc.) and electronic access (firewalls, complete network, and user security and hackers) Consider that the statistics reveal that the average home computer experiences 3,000-4,000 hits on its firewall daily, security is a real threat. The security threats present a great challenge for small and large practices alike, on top of the regular headaches of managing backups, software installs, and technology training. Then add backup and reliability issues, considering that some 40-50% of all in-office tape backups fail to restore properly. It’s a nightmare waiting to happen.
Based on the recommendations of the U.S. National Institute for Standards and Technology (NIST), a Risk Mitigation plan is offered in our HIPAA training.
The Mitigation Plans include:
- Prioritizing your action plans
- Evaluating available safeguard options
- Conducting a Cost to Benefit Analysis
- Identify the most probable security threats and vulnerabilities
- Implement safeguards to those threats and vulnerabilities
- Assign personnel to carry out those plans
- Develop a system to monitor continued or new threats to your office
Consider just a few of the standards the security rule requires you to document and have available:
- Secure transfer of PHI: The rule requires access policies and possible encryption to safeguard the electronic transfer of all data.
- Automatic logout: The Security Rule includes requirements that users be automatically logged out after a period of time, to prevent unauthorized access of patient records.
- User logging software: Passwords and software that automatically tracks all users logging into and out of the system for reference by a system administrator. This includes intrusion detection systems.
- Audit trail: Methods to track any changes made to PHI, so a system administrator can review those changes at any time. The Department of Health and Human Services expects in the coming months to publish four HIPAA rules, according to its new semiannual regulatory agenda.
The department also plans in the near future to publish a proposed rule to adopt initial standards for electronic prescribing under the Medicare Modernization Act.
The HIPAA rules in the pipeline are:
- A proposed rule to establish standards for electronic claims attachments, scheduled for January 2005.
- A proposed rule to enforce HIPAA’s administrative simplification provisions, scheduled for publication in February 2005.
- A proposed rule to establish a national identifier for health plans, scheduled for April 2005.
- A proposed rule to make periodic revisions to the transactions and code sets rule—which could include replacements for specific code sets—scheduled for June 2005.
Who should be trained?
A covered entity must assemble a team within their office to bring the organization into compliance by April 20, 2005. The Privacy Rule mandated that a Privacy Official and a Complaint Officer be established and documented. In addition, the Security Rule has a standard that a covered entity must assign an individual to security responsibility. The Privacy Official, Complaint Officer, and Security Official may be the same person, however, it is strongly recommended that the Security Official have some computer knowledge. All covered entities must have assigned security responsibility to an individual that is responsible for the development and implementation of policies and procedures required by the Security Rule.