Introduction
Thousands of US organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The Security Rule is a key part of HIPAA -- federal legislation that was passed into law in August 1996. The overall purpose of the act is to enable better access to health insurance, reduce fraud and abuse, and lower the overall cost of health care in the United States.
If your organization is a Covered Entity (one that must comply with HIPAA), it is imperative that you understand the rule and take the necessary steps toward compliance. This article presents a detailed overview of the Security Rule and key factors you should consider when preparing to comply with the rule.
Overview

What is it? | The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form that relates to 1) an individual's past, present, or future physical or mental health or condition, 2) an individual's provision of health care, or 3) past, present, or future payment for provision of health care to an individual. The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.

Who does it apply to? | Covered Entities (CE's) must comply with the Security Rule. These are health plans (HMOs, group health plans, etc.), health care clearinghouses (billing and re-pricing companies, etc.), or health care providers (doctors, dentists, hospitals, etc.) who transmit any EPHI.

How do I comply? | CE's must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their EPHI against any reasonably anticipated risks.

When are the deadlines? | The final Security Rule became effective as of April 21, 2003. Most CE's must be in compliance by April 21, 2005; small health plans (those with annual receipts of $5 million or less) have until April 21, 2006.
Penalties
CE's that do not comply with the Security Rule requirements are subject to a number of penalties. Civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Though not formally defined in HIPAA, CE's that do not comply with the Security Rule could find themselves facing other unfavorable consequences:

Negative publicity | Non-compliant organizations may be discussed in public media (newspaper, radio, television) for not adequately protecting their customers' EPHI.

Loss of customers | Customers are increasingly aware of their rights under HIPAA and want their EPHI protected. They may refrain from doing business with organizations they believe do not adequately protect EPHI.

Loss of business partners | HIPAA requires that covered entities permit other organizations to create, receive, maintain, or transmit EPHI on their behalf only if the second organization can appropriately safeguard the information. CE's may be unwilling to exchange EPHI with organizations that do not adequately protect EPHI.

Legal liability | Many attorneys are aware of HIPAA and are ready to sue on behalf of clients whose rights are violated. For the first time ever, the federal government has put forth a set of requirements prescribing how EPHI must be protected. Attorneys are prepared to use these requirements to file civil suits against non-compliant CE's.
Principles
The Security Rule is based on several important principles.

Scalability | All sizes of CE's must be able to comply with the rule, from the one-person doctor's office to the insurance company with thousands of employees.

Comprehensiveness | CE's must have a unified security approach based on the principle of "defense in depth."

Technology neutral | The rule does not require CE's to implement specific security technology (for example, a specific type of firewall or IDS). Each CE must choose the appropriate technology to protect its EPHI.

Internal and external security threats | CE's must protect their EPHI against both internal and external threats.

Risk analysis | CE's must regularly conduct thorough and accurate risk analysis.
Technical Safeguards
The technical safeguards are several requirements for using technology to protect EPHI, particularly controlling access to it. The specific standards are:

Access control | Policies, procedures, and processes must be developed and implemented for electronic information systems that contain EPHI to allow access only to persons or software programs that have appropriate access rights.

Audit controls | Mechanisms must be implemented to record and examine activity in information systems that contain or use EPHI.

Integrity | Policies, procedures, and processes must be developed and implemented that protect EPHI from improper modification or destruction.

Person or entity authentication | Policies, procedures, and processes must be developed and implemented that verify that persons or entities seeking access to EPHI are who or what they claim to be.

Transmission security | Policies, procedures, and processes must be developed and implemented that prevent unauthorized access to EPHI that is being transmitted over an electronic communications network (e.g., the Internet).
Documentation standard
CE's must maintain all documentation (e.g., policies, procedures) required by the Security Rule for a period of six years from the date of its creation or the date when it last was in effect, whichever is later. Such documentation must be made available to the workforce members responsible for implementing the policies and procedures. Additionally, CE's must periodically review such documentation and revise and update it as needed to ensure the confidentiality, integrity, and availability of EPHI.
Key Factors for Compliance
Complying with the HIPAA Security Rule can require significant time and effort. CE's must comply with 18 broad standards, many of which have specific requirements. The time and effort required will vary significantly, depending, in part, on the security policies, procedures, and processes an organization already has in effect.
If your organization regularly conducts risk analysis, uses a unified, "defense in depth" security approach, has formal, documented security policies and procedures, and conducts regular workforce training, it will almost certainly require less time and effort to comply with the Security Rule than an organization that does not. The complexity of your organization will also determine the time and effort required to comply. A five-person dentist's office will likely require less time and effort than a highly decentralized hospital employing thousands.

Regardless of size or complexity, if your organization is a CE, there are eight key steps you should consider when preparing to comply with the Security Rule.
- Obtain and Maintain Senior Management Support
Because compliance can require significant time, effort, and resources, it is critical that senior management be educated about the Security Rule and make a clear statement of support for compliance before compliance efforts begin. If possible, senior managers should be project sponsors for Security Rule compliance projects. If senior managers resist allocating adequate resources for compliance efforts, present them with the unpleasant consequences of non-compliance, discussed earlier. It is reasonable to assume that senior managers of CE's that do not comply with the Security Rule will be the focus of auditors, unhappy consumers, and eager attorneys. As compliance efforts progress, keep senior management informed and up-to-date.

- Develop and Implement Security Policies
Before implementing security processes and methods to protect EPHI, carefully identify and define what security policies you need to develop and implement. As noted earlier, the rule requires a number of formal, documented security policies. These will help define your organization's security strategic goals, identify critical assets, and provide a foundation for the selection and use of security technologies. Security policies will also provide your organization with an overall security framework, ensuring that your security efforts are consistent and integrated rather than fragmented. Additionally, security policies are a clear mandate from senior management that security is a necessary and important part of your organization.

- Conduct and Maintain an Inventory of EPHI
It is difficult to ensure the confidentiality, integrity, and availability of EPHI if you can't locate it (or worse, if you don't even know you have it). Imagine one of your senior managers being questioned by an auditor or jury and trying to explain that some of your organization's EPHI was misused because your organization didn't know it had the EPHI. This is a risky and unpleasant position to be in. You should regularly identify and document the location of your organization's EPHI. It is particularly important to identify and document the flow of EPHI in, out, and throughout your organization. Do you regularly exchange EPHI with certain business partners? Does information system A regularly send EPHI to information system B? Does your organization regularly send EPHI over the Internet?

- Be Aware of Political and Cultural Issues Raised by HIPAA
Compliance with the Security Rule is not just developing and implementing security technology. Compliance may require significant changes in your organizational culture, particularly in how workforce members interact with EPHI. For example, changes to a CE's access control policy may mean that workforce members who had unrestricted access to EPHI may now have only limited access, i.e., access only to the EPHI necessary to carry out their jobs. Another example would be new policies and procedures that require the monitoring or auditing of employee actions. Such changes can provoke fear, confusion, resistance, or political battles within an organization. You can mitigate such issues by educating all workforce members about the requirements of the Security Rule, why it's important to protect EPHI, and the general steps your organization will be taking to comply with the rule. This should be done early in the compliance process. Soliciting workforce member feedback and review on proposed security policies and processes can also help. People are much more likely to understand and comply with security policies and processes they have helped develop than those they haven't.
- Conduct Regular and Detailed Risk Analysis
"Risk" can be simply defined as "the likelihood that a specific threat will exploit a certain vulnerability, and the resulting impact of that event." "Risk analysis" is a systematic and analytical approach that identifies and assesses risks and provides recommendations to reduce risk to a reasonable and appropriate level.

Risk analysis enables a CE to identify and define its critical assets and the risks to them. Risk analysis will enable senior management to understand the risks to your organization's EPHI, and to allocate appropriate resources to mitigate those risks and reasonably protect that EPHI.

- Determine What is Appropriate and Reasonable
You should use risk analysis as the basis for developing and implementing appropriate and reasonable protections for your organization's EPHI. The Security Rule does not expect CE's to protect their EPHI against all possible risks or to have "perfect" security. Nor does the Security Rule assume that CE's have unlimited time, money, and resources for protecting EPHI. Rather, the rule expects CE's to understand their EPHI, the reasonably anticipated risks to the EPHI, and the CE's capabilities, and then to develop and implement security measures accordingly.

- Documentation
The Security Rule requires CE's to document a wide variety of security policies, procedures, and decisions. It is very important that these be formally documented and approved by senior management and regularly reviewed and revised as necessary.

If your organization is visited by an auditor or an attorney, one of the first requests they will likely make is to view your security policies. They will want to compare your security practices against those required by the policies. A CE with no or limited documented security policies will be at significant risk. Auditors and attorneys will also want to see written documentation of the addressable implementation specification decisions your organization makes. For example, if you determine that it is not reasonable and appropriate to encrypt EPHI when sending it over the Internet, it's very important to formally document and approve this decision. A CE that does not document such a decision but instead has to resort to telling an auditor or attorney, "We don't really remember how or why that decision was made. We think the system administrators decided that..." will be at significant risk.

- Prepare for Ongoing Compliance
CE's are expected to comply with the Security Rule on an ongoing basis. You should develop and implement security policies, procedures, processes, and controls with the understanding that they must be regularly reviewed and modified as necessary.

In the future, risks to EPHI and associated mitigation measures are likely to change; you must understand and be prepared to respond to these changes. Additionally, as a piece of federal legislation, the Security Rule is subject to change by the US government or courts. You should regularly monitor the rule for changes.
Health care consumers expect their medical information to be appropriately protected. After much delay, the HIPAA Security Rule has arrived in an effort to address their concerns. Compliance will require CE's to (1) identify the risks to their EPHI and (2) implement a wide variety of security best practices. Complying with the Security Rule can require significant time and resources. Now is the time to begin compliance efforts.