
HIPAA Security Rule: The Next Phase of Medical Privacy Laws

HIPAA Security Rule

For more on the HIPAA Security Rule and other facets of HIPAA, visit The Centers for Medicare & Medicaid Services (CMS) Web page on HIPAA Administrative Simplification–Security.

By Suzi Birz, contributor

Do you have HIPAA fatigue? Are you tired of hearing about it? Contrary to what some people say, HIPAA is not “done.”

The Health Insurance Portability and Accountability Act has many parts, each having different compliance dates and some final rules still to be written. On April 21, 2005, the HIPAA Security Rule will become effective. What is the security rule and how are the remediation efforts going?

We have become quite familiar with protected health information (PHI) since last April, when the Privacy Rule became effective. The Security Rule standards govern the electronic version of protected health information, that is, data in motion (being transferred between computers) and data at rest (stored in a computer).

The final rule adopting HIPAA standards for the security of electronic health information (ePHI) was published in the Federal Register on Feb. 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.

If an implementation specification is “required,” you must implement it. If an implementation specification is indicated as “addressable,” you must assess whether it is a reasonable and appropriate safeguard in your environment, when analyzed with reference to its likely contribution to protecting your ePHI. If the results indicate that it is reasonable and appropriate, you must implement it. If the specification is not reasonable and appropriate, you must document why, and implement an equivalent alternative measure if one is reasonable and appropriate.

The specifications are divided into three topic areas: administrative, physical and technical safeguards. 

Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.

Physical safeguards are physical measures, policies and procedures designed to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.

Technical safeguards are the technology, and the policies and procedures for its use, that protect electronic protected health information and control access to it.

Appendix A of the rule includes a security standards matrix that itemizes the standards and the implementation specifications. Specific technologies are not included in the security rule because technology is moving too fast. However, as it states in the rule, “The standards do not allow organizations to make their own rules, only their own technology choices.”

Some key standards (some addressable, some required) that might be more visible to nurses and caregivers include the following (you will notice some overlap with the Privacy Rule):

  • Implement policies and procedures to ensure that all members of the workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.
  • Implement a security awareness and training program for all members of the workforce (including management), to include security reminders; procedures for guarding against, detecting, and reporting malicious software (viruses); procedures for monitoring log-in attempts and reporting discrepancies; and procedures for creating, changing, and safeguarding passwords.
  • Implement technical policies and procedures for electronic information systems that maintain electronic protected health information, so that access is allowed only to those persons or software programs that have been granted access rights, including: assigning a unique name and/or number for identifying and tracking user identity; establishing (and implementing as needed) procedures for obtaining necessary electronic protected health information during an emergency; implementing electronic procedures that terminate an electronic session after a predetermined time of inactivity; and implementing a mechanism to encrypt and decrypt electronic protected health information.

These are some of the standards. So what does all this mean? What questions might you start asking yourself and your technology support staff? Here’s a start to complying with the HIPAA security rule:

  • How are you sending claims files to your clearinghouse or payor? Is it electronically transmitted? Is it encrypted?
  • What PHI might you include in an e-mail? Is it sent securely?
  • Does each member of your staff have a unique user ID and password? Are the passwords tested for how easily they can be broken?
  • Do your systems create audit trails? Does anyone routinely review them?
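One way to turn the audit-trail question above into a routine review, as an added example that is not part of the original article: a Python script that scans a constructed sample audit trail for three of the controls named in the standards list (unique user identification, automatic logoff after a period of inactivity, and monitoring of log-in attempts). The inactivity limit, the failed-log-in threshold, the shared-account names and the log format are assumptions for the example, not values taken from the rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values and constructed account names; the rule itself sets none of these.
INACTIVITY_LIMIT = timedelta(minutes=15)
FAILED_LOGIN_LIMIT = 3
SHARED_ACCOUNTS = {"shared_ward", "nurse_station"}

# Constructed sample audit trail, one event per line: "<timestamp> <user id> <event> <detail>".
SAMPLE_LOG = """\
2004-11-02T08:00:05 u1023 LOGIN ok
2004-11-02T08:01:10 u1023 VIEW patient=P-4471
2004-11-02T08:40:00 u1023 VIEW patient=P-4471
2004-11-02T08:45:00 u1023 LOGOUT user
2004-11-02T09:05:00 shared_ward LOGIN ok
2004-11-02T09:06:00 shared_ward VIEW patient=P-0099
2004-11-02T10:00:00 u2044 LOGIN fail
2004-11-02T10:00:20 u2044 LOGIN fail
2004-11-02T10:00:40 u2044 LOGIN fail
2004-11-02T10:02:00 u3090 LOGIN ok
2004-11-02T10:14:00 u3090 LOGOUT auto
"""

def parse(log_text):
    """Split each line into (timestamp, user id, event, detail)."""
    rows = (line.split(" ", 3) for line in log_text.splitlines())
    return [(datetime.fromisoformat(ts), user, ev, detail) for ts, user, ev, detail in rows]

def review(log_text):
    """Return findings for shared accounts (no unique user identity), sessions left
    idle past the limit without logoff, and repeated failed log-in attempts."""
    findings, failures, shared_used = [], defaultdict(int), set()
    last_seen = {}  # user id -> time of the last event in a still-open session
    for ts, user, event, detail in parse(log_text):
        if user in SHARED_ACCOUNTS:
            shared_used.add(user)
        if event == "LOGIN" and detail == "fail":
            failures[user] += 1
            continue
        if user in last_seen and ts - last_seen[user] > INACTIVITY_LIMIT:
            findings.append(f"{user} idle {ts - last_seen[user]} with no logoff before {ts.isoformat()}")
        last_seen[user] = ts
        if event == "LOGOUT":
            del last_seen[user]
    for user in sorted(shared_used):
        findings.append(f"shared account {user} used; events cannot be tied to one person")
    for user, n in failures.items():
        if n >= FAILED_LOGIN_LIMIT:
            findings.append(f"{user}: {n} failed log-in attempts")
    return findings
```

Run `review(SAMPLE_LOG)` to see the three findings the sample produces; feeding it a real export means matching `parse` to that system's log format first.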

Remember, all covered entities (providers, health plans, and clearinghouses) must take reasonable and appropriate steps to safeguard the ePHI entrusted to them.

About the author: Suzi Birz is an independent consultant working in the area of health care technology and process engineering. Prior to consulting, she spent several years as the CIO of a provider organization. Throughout her career, she has worked to deploy computer applications in a health care environment, with most of her efforts being spent in academic medical centers. She has experience in patient care, clinical research, academic medicine, health care reform initiatives, regulatory environments and application of commercial solutions. She also serves on the advisory board for NurseZone.com.

© 2004. AMN Healthcare, Inc. All Rights Reserved.
