PREPARE NOW FOR HIPAA SECURITY
Health Law Advisory, Summer 2004
Recent federal HIPAA privacy rules are the most significant event in healthcare since Medicare and Medicaid because they affect so many healthcare providers and patients. Their vast coverage extends well beyond their intended "covered entities" - health plans, clearinghouses and healthcare providers (and their untold millions of patients with "new" patient rights) - and reaches companies, so-called "business associates", who work for covered entities. Many unsuspecting employers were also caught up by the vast sweep of the rules.
During 2003, countless covered entities put finishing touches on policies and procedures as they worked to meet HIPAA privacy compliance deadlines. Now another major HIPAA compliance deadline looms on the horizon: April 20, 2005, but this time it's HIPAA Security. The HIPAA Security rules are just as sweeping as HIPAA privacy and affect the same covered entities, their patients, and others. This article discusses basic HIPAA Security concepts, Standards and Implementation Specifications and offers some practical suggestions for HIPAA Security compliance efforts.
A covered entity must comply with HIPAA Security rule Standards, Implementation Specifications and other requirements when electronic protected health information ("ePHI") is involved. Generally, HIPAA Security requires a covered entity to: ensure the confidentiality, integrity and availability of all ePHI the covered entity creates, receives, maintains or transmits; protect against any reasonably anticipated threats or hazards to the security or integrity of such information; protect against any reasonably anticipated uses or disclosures of such information not permitted or required under the HIPAA privacy rules; and ensure compliance with the HIPAA Security rules by its workforce. Healthcare lawyers at Ruden McClosky are available to assist covered entities in moving forward with HIPAA security compliance efforts.
HIPAA Security rules permit a covered entity to use any secure measure that allows reasonable and appropriate implementation of HIPAA Security Standards and Implementation Specifications. When deciding which security measures to use, the following factors must be taken into consideration: size, complexity and capabilities; technical infrastructure, hardware and software security capabilities; costs; and the probability and criticality of potential risks to ePHI.
HIPAA Security rules proceed from broad principles that are narrowed by Standards and further refined by Implementation Specifications. At the highest level, they are comprehensive and address all aspects of security. They are scalable and flexible, and thus can be tailored for the particular circumstances of each covered entity, and are technology neutral because they favor no specific technology.
The new rules establish Standards and "Implementation Specifications" - more detailed compliance actions - some of which are mandatory while others are "addressable". Implementation Specifications are specific ways to implement HIPAA Standards and are a prominent feature of the HIPAA Security rules. Most Implementation Specifications are required and must therefore be implemented. However, some Specifications are "addressable" and may be implemented as reasonable and necessary. If an addressable Specification is not reasonable or is not appropriate, a covered entity must go through a documented process to either implement an equivalent measure or document that the measure is not applicable to the organization.
Documentation maintenance requirements require as-needed review and modification of security measures so that reasonable and appropriate protection of ePHI is continuously provided. Covered entities are also required to periodically review and update documentation, including policies and procedures, when circumstances affecting the security of ePHI change.
HIPAA Security rules require covered entities to develop and implement policies and procedures addressing three primary areas of emphasis, called "safeguards". Administrative safeguards are administrative actions taken to manage the selection, development, implementation and maintenance of security measures to protect ePHI and to manage the workforce in relation to protecting ePHI. They consist of the policies, procedures and administrative actions to maintain security measures and manage the workforce.
Physical safeguards are physical measures, plus policies and procedures, to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. The second of the three major safeguards has competing goals: a covered entity must implement policies and procedures that limit physical access to its electronic information systems, and to the facility or facilities where they are housed, on the one hand, while ensuring that properly authorized access is allowed on the other hand. Physical safeguards prevent unauthorized access and involve workstations, computers, disasters and hazards, equipment, rooms and buildings.
Technical safeguards, the third major HIPAA safeguard, are the technology, together with the policies and procedures for its use, that protect and control access to ePHI.
Although HIPAA Security policies and procedures are mandatory, a covered entity may use any security measure that allows it to reasonably and appropriately implement the HIPAA Standards and Implementation Specifications. Tactically, HIPAA Security policies and procedures guide the workforce. Strategically, they serve an important evidentiary role in demonstrating the organization's commitment and good faith compliance efforts.
Documentation of HIPAA Security policies and procedures must be maintained in written (which may be electronic) form. In terms of formulating a retention policy for HIPAA Security purposes, policies and procedures must be retained six years from the date created or last in effect, whichever is later, and must be made available to those responsible for implementing them. An Implementation Specification mandates periodic documentation reviews, and updates as needed, in response to environmental or operational changes affecting the security of ePHI. Compliance with HIPAA Security rules is virtually certain to require legal counsel.
HIPAA Security rules are pervasive in terms of their impact and effect because they govern so many covered entities and their patients. Covered entities can benefit by preparing policies and procedures in advance of the April 20, 2005 HIPAA Security compliance date.
Compliance Tips
Documentation availability can be achieved electronically or in a hard copy. If electronic, the documentation must be accessible and accurate.
A covered entity may change its HIPAA Security policies and procedures at any time. However, changes must be documented and implemented in accordance with the HIPAA Security rule.
