HIPAA Security Rule Deadline Approaches

The final Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which takes effect for compliance on April 21, 2005, now contains 18 requirements (or standards), down from the 24 in the proposed Security Rule.

“In general, the Security Rule sets parameters for protecting electronic health information — electronic medical records (EMR), e-mail communication, electronic claims transmission, etc.,” said Pamela L. Moore, Ph.D., CPC, senior editor, practice management, for Physicians Practice, The Business Journal for Physicians. “The rule does not specify technologies, but sets general standards for things like changing passwords, encrypting e-mail and so on. While the Privacy Rule says you have to protect health information, the Security Rule sets specific standards for technology,” Moore said.

The standards fall under three categories:

  • Administrative (staff interaction)
  • Physical (device and media control)
  • Technical (control of data integrity)

For each standard, there are “required” (must be implemented) and “addressable” (options based on the outcome of a security risk analysis) specifications for the covered entity (the provider in compliance).

“Addressable does not mean optional,” said Robert M. Tennant, senior policy advisor, Health Informatics for the Medical Group Management Association (MGMA) in Washington, D.C. “It means that you look at the requirements and make a determination of whether or not that component applies to your situation. If not, then you’ll need to document why.”

When you have protected health information, you have to make sure that data is intact, said Tennant: “It’s really a business requirement for you to protect your system. It’s not like privacy, where you’re interacting with a privacy rule on a daily basis with your patients. With security, it’s virtually invisible to the patient.”

According to the American Academy of Family Physicians Web site, www.aafp.org, privacy is the patient’s right to keep the use and disclosure private within the parameters of the rule. Security defines the specific measures a health care entity must take to protect personal health information from unauthorized breaches of privacy.

The discrepancy is that the Security Rule covers protected health information (PHI) only in its electronic form. PHI is the HIPAA term for health information that personally identifies a patient, and it includes individual paper records that have never been electronically stored or transmitted.

“Recognize that if you’re going to move toward electronic data, there needs to be a more comprehensive provision (than most practices have) in place to protect the data,” Tennant said.

It is important to conduct a risk analysis in order to establish a baseline and then compare that baseline against the regulatory requirements. Organizations answer the following types of questions in a risk assessment:

  • What event could compromise the confidentiality, integrity and availability of my practice’s patient information?
  • What is the impact to my business or to the person?
  • What is the probability that it will happen?

To establish a baseline, organizations need to consider the information revealed from the risk assessment analysis as well as several other factors, including:

  • What is the purpose of the process/system/department?
  • Is the system subject to HIPAA standards?
  • What are patient/user questions about security?
  • How many users are there?
  • What types of users are there — internal, external, on-site, remote or contract?
  • What are the type, level and scope of access?
  • What is the frequency of information use?

Risk analysis tips
“Hire a consultant to come in and evaluate your practice to assess where you are and where you need to be in terms of regulation,” said Tennant. “The second option is to purchase a product that will assist you in doing this assessment.”

Examples can be found on the Centers for Medicare and Medicaid Services (CMS) home page at www.cms.hhs.gov/hipaa or at www.wedi.org/snip under “work products, security and privacy white papers.”

Health care providers, health care clearinghouses and health plans that electronically store or transmit PHI are covered under the new rule, enforced by CMS.

“If you’re a provider who conducts any of the standard transactions or has a third party do so on your behalf or have checked patient eligibility under HIPAA standards, you are considered a covered entity,” Tennant said.

A record of the final Security Rule and Regulations can be found at http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf.
