HIPAA COMPLIANCE
Thousands of US organizations must comply with the Health
Insurance Portability and Accountability Act (HIPAA)
Security Rule. The Security Rule is a key part of HIPAA --
federal legislation that was passed into law in August 1996.
The overall purpose of the act is to enable better access to
health insurance, reduce fraud and abuse, and lower the
overall cost of health care in the United States.
If your organization is a Covered Entity
(one that must comply with HIPAA), it is imperative that you
understand the rule and take the necessary steps toward
compliance. This article presents a detailed overview of the
Security Rule and key factors you should consider when
preparing to comply with the rule.
Overview
What is it? The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form that relates to 1) an individual's past, present, or future physical or mental health or condition, 2) the provision of health care to an individual, or 3) past, present, or future payment for the provision of health care to an individual. The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.
Who does it apply to? Covered Entities (CEs) must comply with the Security Rule. These are health plans (HMOs, group health plans, etc.), health care clearinghouses (billing and re-pricing companies, etc.), and health care providers (doctors, dentists, hospitals, etc.) that transmit any EPHI.
How do I comply? CEs must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their EPHI against any reasonably anticipated risks.
When are the deadlines? The final Security Rule became effective on April 21, 2003. Most CEs must be in compliance by April 21, 2005; small health plans (those with annual receipts of $5 million or less) have until April 21, 2006.
Penalties
CEs that do not comply with the Security Rule requirements are subject to a number of penalties. Civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Though not formally defined in HIPAA, CEs that do not comply with the Security Rule could also find themselves facing other unfavorable consequences:
Negative publicity - Non-compliant organizations may be discussed in the public media (newspapers, radio, television) for not adequately protecting their customers' EPHI.
Loss of Customers - Customers are increasingly aware of their rights under HIPAA and want their EPHI protected. They may refrain from doing business with organizations they believe do not adequately protect EPHI.
Loss of Business Partners - HIPAA requires that covered entities permit other organizations to create, receive, maintain, or transmit EPHI on their behalf only if the second organization can appropriately safeguard the information. CEs may be unwilling to exchange EPHI with organizations that do not adequately protect it.
Legal Liability - Many attorneys are aware of HIPAA and are ready to sue on behalf of clients whose rights are violated. For the first time, the federal government has put forth a set of requirements prescribing how EPHI must be protected. Attorneys are prepared to use these requirements to file civil suits against non-compliant CEs.
Principles
The Security Rule is based on several important principles.
Scalability - CEs of all sizes must be able to comply with the rule, from the one-person doctor's office to the insurance company with thousands of employees.
Comprehensiveness - CEs must have a unified security approach based on the principle of "defense in depth."
Technology neutral - The rule does not require CEs to implement specific security technology (for example, a specific type of firewall or IDS). Each CE must choose the appropriate technology to protect its EPHI.
Internal and external security threats - CEs must protect their EPHI against both internal and external threats.
Risk analysis - CEs must regularly conduct thorough and accurate risk analysis.
Technical Safeguards
The technical safeguards are a set of requirements for using technology to protect EPHI, particularly for controlling access to it. The specific standards are:
Access control - Policies, procedures, and processes must be developed and implemented for electronic information systems that contain EPHI so that access is allowed only to persons or software programs that have appropriate access rights.
Audit controls - Mechanisms must be implemented to record and examine activity in information systems that contain or use EPHI.
Integrity - Policies, procedures, and processes must be developed and implemented that protect EPHI from improper modification or destruction.
Person or entity authentication - Policies, procedures, and processes must be developed and implemented that verify that persons or entities seeking access to EPHI are who or what they claim to be.
Transmission security - Policies, procedures, and processes must be developed and implemented that prevent unauthorized access to EPHI being transmitted over an electronic communications network (e.g., the Internet).
Documentation standard
CEs must maintain all documentation (e.g., policies, procedures) required by the Security Rule for a period of six years from the date of its creation or the date when it was last in effect, whichever is later. Such documentation must be made available to the workforce members responsible for implementing the policies and procedures. Additionally, CEs must periodically review such documentation and revise and update it as needed to ensure the confidentiality, integrity, and availability of EPHI.
Key Factors for Compliance
Complying with the HIPAA Security Rule can require significant time and effort. CEs must comply with 18 broad standards, many of which have specific requirements. The time and effort required will vary significantly, depending, in part, on the security policies, procedures, and processes an organization already has in effect.
If your organization regularly conducts risk analysis, uses a unified, "defense in depth" security approach, has formal, documented security policies and procedures, and conducts regular workforce training, it will almost certainly require less time and effort to comply with the Security Rule than an organization that does not. The complexity of your organization will also determine the time and effort required to comply. A five-person dentist's office will likely require less time and effort than a highly decentralized hospital employing thousands.
Regardless of size or complexity, if your organization is a CE, there are eight key steps you should consider when preparing to comply with the Security Rule.
Obtain and Maintain Senior Management Support
Because
compliance can require significant time, effort, and
resources, it is critical that senior management be
educated about the Security Rule and make a clear
statement of support for compliance before
compliance efforts begin. If possible, senior managers
should be project sponsors for Security Rule compliance
projects. If senior managers resist allocating adequate
resources for compliance efforts, present them with the
unpleasant consequences of non-compliance, discussed
earlier. It is reasonable to assume that senior managers
of CEs that do not comply with the Security Rule will
be the focus of auditors, unhappy consumers, and eager
attorneys. As compliance efforts progress, keep senior
management informed and up-to-date.
Develop and Implement Security Policies
Before implementing security processes and methods to
protect EPHI, carefully identify and define what
security policies you need to develop and implement. As
noted earlier, the rule requires a number of formal,
documented security policies. These will help define
your organization's security strategic goals, identify
critical assets, and provide a foundation for the
selection and use of security technologies. Security
policies will also provide your organization with an
overall security framework, ensuring that your security
efforts are consistent and integrated rather than
fragmented. Additionally, security policies are a clear
mandate from senior management that security is a
necessary and important part of your organization.
Conduct and Maintain an Inventory of EPHI
It is difficult to ensure the confidentiality,
integrity, and availability of EPHI if you can't locate
it (or worse, if you don't even know you have it).
Imagine one of your senior managers being questioned by
an auditor or jury and trying to explain that some of
your organization's EPHI was misused because your
organization didn't know it had the EPHI. This is a
risky and unpleasant position to be in. You should
regularly identify and document the location of your
organization's EPHI. It is particularly important to
identify and document the flow of EPHI in, out, and
throughout your organization. Do you regularly exchange
EPHI with certain business partners? Does information
system A regularly send EPHI to information system B?
Does your organization regularly send EPHI over the
Internet?
Be Aware of Political and Cultural Issues Raised by HIPAA
Compliance with the Security Rule is not just developing
and implementing security technology. Compliance may
require significant changes in your organizational
culture, particularly in how workforce members interact
with EPHI. For example, changes to a CE's access control
policy may mean that workforce members who had
unrestricted access to EPHI may now have only limited
access, i.e., access only to the EPHI necessary to carry
out their jobs. Another example would be new policies
and procedures that require the monitoring or auditing
of employee actions. Such changes can provoke fear,
confusion, resistance, or political battles within an
organization. You can mitigate such issues by educating
all workforce members about the requirements of the
Security Rule, why it's important to protect EPHI, and
the general steps your organization will be taking to
comply with the rule. This should be done early in the
compliance process. Soliciting workforce member feedback
and review on proposed security policies and processes
can also help. People are much more likely to understand
and comply with security policies and processes they
have helped develop than those they haven't.
Conduct Regular and Detailed Risk Analysis
"Risk" can be simply defined as "the likelihood that a
specific threat will exploit a certain vulnerability,
and the resulting impact of that event." "Risk analysis"
is a systematic and analytical approach that identifies
and assesses risks and provides recommendations to
reduce risk to a reasonable and appropriate level.
Risk analysis enables a CE to identify and define its
critical assets and the risks to them. Risk analysis
will enable senior management to understand the risks to
your organization's EPHI, and to allocate appropriate
resources to mitigate those risks and reasonably protect
that EPHI.
Determine What is Appropriate and Reasonable
You should use risk analysis as the basis for developing
and implementing appropriate and reasonable protections
for your organization's EPHI. The Security Rule does not
expect CEs to protect their EPHI against all possible
risks or to have "perfect" security. Nor does the
Security Rule assume that CEs have unlimited time,
money, and resources for protecting EPHI. Rather, the
rule expects CEs to understand their EPHI, the
reasonably anticipated risks to that EPHI, and their own
capabilities, and then to develop and implement security
measures accordingly.
Documentation
The Security Rule requires CEs to document a wide variety
of security policies, procedures, and decisions. It is
very important that these be formally documented and
approved by senior management and regularly reviewed and
revised as necessary. If your organization is visited
by an auditor or an attorney, one of the first requests
they will likely make is to view your security policies.
They will want to compare your security practices
against those required by the policies. A CE with no or
limited documented security policies will be at
significant risk. Auditors and attorneys will also want
to see written documentation of the addressable
implementation specification decisions your organization
makes. For example, if you determine that it is not
reasonable and appropriate to encrypt EPHI when sending
it over the Internet, it's very important to formally
document and approve this decision.
Prepare for Ongoing Compliance
CEs are expected to comply with the Security Rule on an
ongoing basis. You should develop and implement security
policies, procedures, processes, and controls with the
understanding that they must be regularly reviewed and
modified as necessary. In the future, risks to EPHI and
associated mitigation measures are likely to change; you
must understand and be prepared to respond to these
changes. Additionally, as a piece of federal
legislation, the Security Rule is subject to change by
the US government or courts. You should regularly
monitor the rule for changes.
Health care consumers expect their medical information to
be appropriately protected. After much delay, the HIPAA
Security Rule has arrived in an effort to address their
concerns. Compliance will require CEs to (1) identify the
risks to their EPHI and (2) implement a wide variety of
security best practices. Complying with the Security Rule
can require significant time and resources. Now is the time
to begin compliance efforts.