As the HIPAA privacy compliance deadline passes, Jon Bogen highlights the top action points for the new security rules
The anxious wait endured by health care organizations ended when the final Security Rules for the Health Insurance Portability and Accountability Act (HIPAA) were released in February.
For most, the news was confirmation that their improved secure infrastructures conformed with HIPAA's directives, which require large entities to put in place various security and privacy protocols to safeguard confidential patient data and other critical information.
Although the required compliance date for the Security Rules is April 21, 2005, health care organizations have been tasked with developing security-based procedures to coincide with the Privacy Rule, which comes into effect this month. Simply put, one cannot achieve privacy without security. (See our March edition Special Report.)
Accounting for revisions
In reviewing the number of final revisions for the security mandates put forth in HIPAA, there is some good news for smaller health care organizations, including provider offices. There was a sincere attempt to make the final security requirements scalable to the type of covered entity. The final rules are also more aligned to previously released privacy rules, and are far from heavy handed in demanding specific technological solutions to comply with the Act. Of course, this latter tactic may be unwelcome news to many technology vendors that were hoping HIPAA would prove to be the next Y2K.
Who must comply with HIPAA security requirements? First, if you submit one of the nine mandated HIPAA transactions in an electronic format, and you are considered a covered entity, then you must comply with the Security Rules. The HIPAA transaction and code set requirements are covered under the Administrative Simplification Act transaction and code set rules.
The HIPAA Security Rules apply only to electronic protected health information (PHI), including some types of fax transmissions. In HIPAA-speak, PHI includes medical or non-medical information that is individually identifiable. If the information can be encrypted or scrambled to remove unique identifiers, then it would not be considered PHI. In some cases this may be more difficult in a non-digital format, such as a paper record or a photograph.
The final HIPAA rules provide a more commonsense approach to implementing recommended and required security procedures. According to DHHS, it is a recommended technology-neutral floor of security procedures and controls. That is, a minimum level that might satisfy compliance but not necessarily prevent lawsuits or cyberthreats (e.g., denial-of-service). Security technology will provide at least this minimum level of compliance, but also provide extra protection over and above the HIPAA standard.
Documentation will be a key aspect of any HIPAA compliance plan, and should include compliance plans, policies and procedures and training routines as a minimum. In the world of healthcare accreditation - if it is not documented it is not performed.
The top action items
The Security Rules have introduced a new concept for many of the standards as 'addressable' versus 'required.' This distinction allows health care providers to develop a plan for dealing with many of the standards without requiring a specific implementation method. For example, the final rules make encryption for transmitting PHI addressable, whereas authentication is required.
With a limited or non-existent HIPAA budget, where does one start? You need to triage the programs. You should start with areas of the Security Rule needed to comply with the section of the Privacy Rules mentioned above.
Below are some recommendations that are based on a number of HIPAA assessments for health care organizations. The key is to start immediately on these programs if they are not already in place, recognizing that they represent ongoing processes and culture change.
The security management process includes risk analysis, risk management, sanctions policy and information systems activity review. From a HIPAA context, risk analysis means that you have determined the possible security problems and risk of occurrence.
Risk management is the process of dealing with the concerns identified in the risk analysis. Sanctions policy refers to applying sanctions to the workforce for violations of security. Information systems activity review is a process where audit logs may be reviewed and security incident reports are examined. You are required to have policies and procedures to address security incidents.
Visitor identification and sign-in procedures are a second area. While I waited to be assigned a badge at an urban health care facility in Boston, I often wandered past the security desk and was never asked for my visitors badge. I would often enter the boardroom for meetings unapproached by staff. I suggest that an anonymous team conduct walk-throughs of the facility without an ID to see if they are stopped by staff.
We all know that health care organizations emphasize not discussing individual patients in public areas. What about PHI being left out in the open and computer screens left on and positioned for all to see? I have been in health care institutions with stacks of medical records sitting in hallways and piled high on chairs in offices. Staff need access, but why not lock up the PHI when it is unattended?
Workstation use and security is a fourth area. Inventory all workstations and implement physical safeguards to restrict access. Make sure that the screens are turned away from non-users and that time-based password protected screen savers are activated. Automatic logoff should also be a requirement. When users are away from computers, access needs to be turned off after a short period of inactivation.
These next few programs will take longer to develop and implement after those already mentioned. Nonetheless action on these will get you going well onto the proper path.
First is security and privacy training. Lack of training may represent the greatest security threat, while training may have the greatest impact on risk mitigation. Health care companies that do not provide proper training on computer use risk lawsuits.
When it comes to contingency planning HIPAA mandates three requirements: a data backup plan, a disaster recovery plan and, lastly, an emergency mode operation. A disaster recovery plan should be one of the highest priorities. Even if you already have one, it needs to be updated. Evaluate which systems are mission-critical and which systems' extended downtime can be tolerated. In the post-9/11 world, we are all acutely aware of the importance of contingency planning. It is no longer enough just to have an emergency response plan. You must fine tune it and test it to ensure it really works.
Access control is another citical area. Determine who needs access to particular systems and restrict others that do not require unrestricted access. While our company HealthCIO has developed a number of very granular assessments of access roles for health care organizations, it has been frustrating, since most medical systems do not have the proper access controls in place to restrict access or to 'view only.'
Barring natural disasters, your greatest concern should be internal threats to information security, according to CIOs. A recent poll of more than 280 health care CIOs conducted by HIMSS revealed that 50 percent of these professionals ranked internal breaches of security as their top concern.
You must fill the critical role of security officer, whether part-time, full-time or outsourced. The security officer needs to work closely with the privacy officer. The security rules require a security officer or team, just as the privacy rules require a privacy officer.
Note that the final rules have eliminated the Chain of Trust agreement in favor of a Business Associate contract. It only applies to business associates performing a function on behalf of the covered entity and, in this case, it must involve electronic PHI. This is a process of identifying business associates as part of the Privacy Rule. The contract must require that the business associate implement administrative, physical and technical safeguards to protect electronic PHI.
The recent theft of computer equipment containing more than 100,000 health records at TriWest highlights the need for security measures aside from HIPAA. If HIPAA was in effect now, the potential fine would be insignificant compared to the loss of a multi-million dollar contract. The loss of computer data may be replaceable, but the public's trust is much harder to restore. n
Jon Bogen MSPH, MbA, is managing principal, HealthCIO, Inc. (www.healthcio.com)
Top 7 tips for compliance
1. Conduct a risk analysis. The new rules place an emphasis on
understanding what you are doing and how it puts patient
information in danger to exposure.
2. Close the holes. Although 98 percent of hospitals have firewalls,
the security of many of these organizations is hindered by the
decentralized nature of IT. Different clinics, departments and
practices have demanded application access through the firewall,
creating a Swiss cheese security policy. Now is the time to
explain why there needs to be better control.
3. Segment off sensitive information. In any given hospital, there
will be dozens of independent practices working. A perimeter
firewall is not enough - segmenting off critical systems such as
billing with an additional firewall will improve the ability to follow
4. Reduce security transaction costs for affiliated practices.
Physicians care about one thing - caring for their patients. By
helping these independent practices identify, purchase and
manage security solutions, the healthcare organization can help
educate their physicians while lowering their own public exposure.
5. Pilot official remote access and wireless LAN projects - with
security. Remote access and wireless LANs are going to happen
in a health care environment. By piloting them securely, using
tools such as personal firewalls, VPNs and firewalls between the
wireless LAN and hospital network, health care IT provides a
valuable service to their physicians without compromising
6. Look at SSL-based VPN. Patients are demanding better access to
their medical records. In fact, the privacy rules grant them better
access. SSL-based VPNs provide an effective, secure method to
grant them access to scheduling and other applications.
7. Make security an enabler. In the end, the rules are general
enough that health care organizations can use them to improve
business practices. Rather than looking for the minimum
necessary to comply, figure out how to use it to improve patient
care and physicians' access to information.
Bill Jensen is health care marketing manager for Check Point Software (www.checkpoint.com)