IS YOUR CENTER COMPLIANT WITH THE HIPAA SECURITY RULE?

April 21, 2005 was the compliance deadline for the HIPAA Security Rule (small health plans were given an additional year). If you have complied, then read no further. However, if there is still work to be done, here is a primer and some suggestions as to how to proceed.

The Security Rule applies to health care providers (and the other HIPAA covered entities), but only to protected health information that is: (i) maintained in electronic media (computer hard drives and any form of removable/transportable digital memory medium), or (ii) transmitted by electronic media (the internet, an extranet, leased lines, dial-up lines, a private network, and the physical movement of removable/transportable electronic storage media). Such health information is referred to in this article as electronic protected health information (EHI; you will also see it abbreviated ePHI). Note that the Security Rule applies only to individually identifiable health information, so if the information has been de-identified and cannot be connected to the individual to whom it relates, the Security Rule does not apply. But "de-identified" is a defined term: the Privacy Rule spells out exactly which identifiers must be removed (or what expert determination is required) before health information is considered de-identified, and simply deleting names is not enough.

The Security Rule mandates that health care providers (i) ensure the confidentiality, integrity and availability (to authorized users) of all EHI they create, receive, maintain or transmit; (ii) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (iii) protect against any reasonably anticipated uses or disclosures of such information that are not required or permitted by the Privacy Rule; and (iv) ensure compliance with the Security Rule by their workforce.

In order to ensure that these mandates are met, the Security Rule, like the Privacy Rule, is organized into standards and implementation specifications. It (i) establishes three broad categories of safeguards that must be considered (administrative, physical and technical), (ii) sets minimum standards that must be met under each category, and (iii) establishes specifications for implementing those standards. A matrix of all the mandated standards (and their implementation specifications) is attached to this article.

Beside each implementation specification is either an "R" or an "A". An "R" means you must implement that specification as written; it is required. An "A" means the implementation specification is addressable. Addressable does not mean optional, and it is not merely a suggestion. While you must meet each standard, for an addressable specification you must assess whether it is reasonable and appropriate in the context of your environment, given its likely contribution to protecting your EHI. If it is, implement it. If you conclude it is not, document your reasoning and implement an equivalent alternative measure that satisfies the standard, if such an alternative is reasonable and appropriate. Either way, the decision and its rationale must be written down; an addressable specification that is silently skipped is a compliance gap.

The good news is that the Security Rule embraces the concept of flexibility. You can choose to use any security measures so long as they allow you to reasonably and appropriately implement the required standards and specifications. So, in deciding what security measures you wish to put in place to meet a required standard, you may consider (i) the size, complexity and capabilities of your organization, (ii) your technical infrastructure, hardware and software security capabilities, (iii) the cost of the security measures, and (iv) the probability and criticality of potential risks to EHI. A small organization with a limited number of personnel should be able to achieve compliance with a more modest set of safeguards and at less cost than would be required of a large enterprise. Flexibility is not a license to do nothing, however: cost may justify choosing a cheaper measure, but not leaving a standard unmet.

A quick look at the matrix indicates that there are nine standards grouped under Administrative Safeguards, four standards grouped under Physical Safeguards and five standards grouped under Technical Safeguards, and that most of the standards have prescribed implementation specifications, some of which are required and some addressable.

Where to start? Here is the approach we would take. Familiarize yourself with the Security Rule in its entirety, including the definitions; time consuming, but necessary. You may even want to read the preamble published with the final rule in the Federal Register, which explains the reasoning behind each section and answers many of the questions practitioners raise.

There is no required order for addressing the standards. However, it makes sense to first address the Administrative Safeguards section of the matrix. Of the nine standards that must be met there, begin by completing the first two; namely, establishing a Security Management Process and Assigning Security Responsibility. Implementing these two standards will establish a foundation that will allow you to deal more readily with the Security Rule as a whole.

Assigning Security Responsibility is straightforward. Identify a security official who will be responsible for the development and implementation of the policies and procedures required by the Security Rule. We believe the same person should be responsible for coordinating the overall compliance effort, although that person will have to work with others (IT, management, technicians, HR, etc.). That person could be the person previously selected to be your privacy officer under the Privacy Rule, since he or she should already have a working knowledge of HIPAA and an understanding of, and an ability to work with, your entire organization. Whoever it is, the appointment should be documented.

Establishing a Security Management Process is more involved. That standard requires you to implement policies and procedures to prevent, detect, contain and correct security violations. The standard has four required implementation specifications (Risk Analysis, Risk Management, Sanction Policy and Information System Activity Review), but we will only address the first two in any detail.

Before you can develop policies and procedures to prevent, detect, contain and correct security violations, you must first determine what security risks currently exist in your organization that could affect the confidentiality, integrity and availability of EHI.

Consequently, as you would expect, the Risk Analysis implementation specification directs that you conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of your EHI. To do this, you must go through the organization (inventory equipment, systems, software, workflow and personnel) and (i) map out how and where EHI is currently created, received, maintained and transmitted; (ii) review your existing policies and procedures pertaining to the protection of health information in whatever form it exists; and (iii) compare the results of this review to the standards required by the Security Rule. Step (iii) is referred to as a gap analysis, i.e. determining the gap between what currently exists in your organization and what is required to protect the confidentiality, integrity and availability of EHI. A gap analysis alone is not a risk analysis, however: you must also identify the specific threats and vulnerabilities that apply to each place EHI lives or travels (a lost or stolen laptop or backup tape, malware on a workstation, a terminated employee whose account was never disabled, a server failure with no tested backup, EHI e-mailed in the clear). Then rate each risk on a scale for likelihood (highly probable/unlikely) and for impact (critical/not so critical); the combination will assist you in prioritizing your efforts and allocating resources. Keep the written results; the risk analysis is the document an auditor will ask for first, and it must be revisited whenever your systems or operations change materially.

Having identified the gaps between what exists and what needs to be, the second required implementation specification (Risk Management) directs that you implement security measures sufficient to reduce the risks and vulnerabilities you have identified to a reasonable and appropriate level, consistent with the mandates of the Security Rule set out above. All policies and procedures must be documented in writing and reviewed periodically (and updated as your environment changes) to make sure they remain current, and all documentation relating to the policies and procedures, including the risk analysis and the decisions made about addressable specifications, must be retained for six years from the date of its creation or the date it was last in effect, whichever is later.

The remaining two implementation specifications required by the Security Management Process standard relate to (i) establishing a Sanction Policy under which appropriate sanctions are applied to workforce members who fail to comply with your security policies and procedures, and (ii) establishing procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports. Note that (ii) presumes those records exist: if your systems do not log access to EHI, there is nothing to review, and that itself is a gap to close.

We have tried to give you an overall picture of the Security Rule and some idea as to how to get started with the implementation process. For illustration purposes, we only addressed the first two administrative standards (there are nine in all), and we have not addressed any of the physical safeguards (physical measures to protect EHI and the related buildings and equipment from natural and environmental hazards and unauthorized intrusion) or any of the technical safeguards (the technology, and the policies and procedures for its use, that protect EHI and control access to it). We will leave those to you, hoping that this article has helped to get you started.

One final point to remember. Your Business Associate agreements must be amended so that each associate that creates, receives, maintains or transmits EHI on your behalf agrees to implement safeguards that meet the standards required by the Security Rule, and to report any security incident of which it becomes aware.

Alis Technology is a consulting company that specializes in helping implement and manage technology to improve the operations and efficiency of outpatient centers. Please contact us if you need assistance implementing the HIPAA Security Rule or to discuss any of our other services.

The HIPAA Security Exhibit (the matrix of standards and implementation specifications referred to above) accompanies this article.