HIPAA SECURITY RULES HAVE KICKED IN - ARE YOU READY?
Health Law Advisory Spring 2005
Federal rules governing the security of electronic protected health information became effective for most health-care providers on April 20, 2005. Those who were well on their way to implementation can take comfort in those efforts. For those that haven't started or haven't completed their compliance efforts yet, this article suggests 10 immediate steps that should be taken toward HIPAA security compliance.
1) First, read and understand the rules. They are in Subpart C, Chapter 45 of the Code of Federal Regulations, beginning at Section 164.302. For quick access, type "45 CFR 164.302" into Google. Don't have the time or the interest? Engage competent counsel to brief you.
2) Second, find out if HIPAA security applies to your operations. HIPAA rules govern "Covered Entities", which are virtually all healthcare plans, all healthcare clearinghouses, and health-care providers who transmit HIPAA transactions electronically. When electronic protected health information (ePHI) is involved, a Covered Entity must comply with HIPAA security standards, implementation specifications, and the other requirements of the HIPAA security rules.
3) Third, get a risk assessment done. The HIPAA security rules require a Covered Entity to conduct an "accurate and thorough assessment" of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI. A risk assessment should identify assets containing ePHI, threats that could harm those assets, system vulnerabilities, quantification of loss, and controls to protect assets.
Once the assessment (the so-called "gap analysis") is performed, it will identify areas of exposure and their vulnerabilities, together with the probability of occurrence and the losses expected in case of a catastrophic breach. Areas to inventory in connection with a HIPAA security risk assessment include policies and procedures that affect the security of patient information, information systems, business associates, biomedical equipment containing patient information, employees with access (remote and otherwise), and vendors with access.
4) Fourth, adopt and use security measures that allow reasonable and appropriate implementation of the HIPAA security standards and implementation specifications. In deciding which security measures to use, take into consideration the size, complexity and capabilities of the Covered Entity; its technical infrastructure and its hardware and software security capabilities; the costs; and the probability and criticality of risks to ePHI.
5) Fifth, decide whether all HIPAA security implementation specifications need to be implemented. Some are "addressable" and need to be implemented only if reasonable and necessary. If an addressable specification is not reasonable or not appropriate, be sure to document either the implementation of an equivalent measure or that the measure is not applicable to the organization. Competent counsel can be invaluable in successfully documenting addressable implementation specifications.
6) Sixth, adopt and implement administrative, physical and technical safeguards, together with the accompanying required or "addressable" implementation specifications.
Administrative safeguards deal with selecting, developing and implementing security measures and consist of policies, procedures and administrative actions. Risk analysis, risk management, appointment of a security officer and training are examples of administrative safeguards. Administrative safeguards should contain provisions for maintaining security measures and managing the workforce.
Physical safeguards deal with preventing unauthorized access to equipment, rooms and buildings, and cover issues such as workstations, computers, disasters and hazards. They include protecting buildings and equipment not only from unauthorized access, but also from disasters and hazards.
Technical safeguards deal with access control mechanisms and the electronic transmission of ePHI. They involve technology issues, policies and procedures for electronic transmission, and access control mechanisms such as unique user identification and emergency access procedures.
7) Seventh, make sure contracts or other arrangements between a Covered Entity and its business associates meet HIPAA security requirements. Here again, competent counsel can be invaluable in determining how this can be accomplished. For example, a Covered Entity is not in compliance if it knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligations, unless the Covered Entity took certain steps to cure the breach or end the violation. Business associate agreements have several provisions that are mandatory.
8) Eighth, prepare HIPAA security policies and procedures and meet the documentation requirements. As noted earlier, a Covered Entity may use any security measure that allows it to reasonably and appropriately implement the HIPAA security standards and implementation specifications. HIPAA security policies and procedures must guide the workforce, and they may serve an important evidentiary role in demonstrating the organization's commitment and good-faith compliance efforts.
9) Ninth, maintain policies and procedures in written or electronic form. Under HIPAA, if an action, activity or assessment is required to be documented, maintain and retain a written record for six years from the date it was created or the date it was last in effect, whichever is later.
10) Tenth, make your HIPAA security policies and procedures available to those responsible for implementing them. In addition, train the workforce on their use and conduct refresher training often.
For those well on their way to HIPAA security compliance, this checklist should provide assurance that the Covered Entity was in good shape on April 20. For those yet to start or not yet finished, performing these 10 steps will go a long way toward bringing a Covered Entity into compliance with the HIPAA security rules.
