John Schiller, Esq., Walter & Haverfield, LLP
HIPAA Security Rule: The Time for Compliance has Arrived

Now that you have become familiar with HIPAA’s privacy rules, it is a good time, to the extent you have not already done so, to gain a basic understanding of the HIPAA Security Rule. As you may know, April 2005 is when providers who submit claims electronically must be in compliance with the Security standards. Small health plans have until 2006. As a preliminary note, while the Security rules dovetail with the Privacy rules, one important difference is that the Security rules apply only to electronic protected health information (e-PHI), which is patient information that is stored on computers or transmitted electronically. The HIPAA Privacy rules apply to both e-PHI and paper records.

The focus of compliance with the HIPAA Security Rules is not merely the avoidance of possible civil and criminal penalties. While that is obviously important, equally important are the other sources of potential liability that may result from breaches of the HIPAA Security rules. Claims of a breach of the duty of care to maintain the confidentiality or integrity of patient information, invasion of privacy, and breach of a duty of care in the outsourcing of the security function are all theories that trial lawyers may assert in cases of unauthorized disclosure. The point of the Security rules is to ensure the confidentiality, integrity and availability of e-PHI. If you do not comply with these rules, you are compounding the trouble you will find yourself in should a disclosure of e-PHI result from inadequate protection.

There is no way to discuss all of the Security issues under HIPAA here. What I will try to do is give you a sense of what the law requires and enough information to ask the right questions of whoever is in charge of making sure the practice is HIPAA compliant. As a physician or other health care provider, you should be aware that your office or practice group needs to ensure the security of the e-PHI that you maintain and transmit. What does that mean? It means that the confidentiality of a patient’s physical and mental health information must be maintained at all times; the integrity of the e-PHI must be maintained; and the e-PHI must be readily available. HIPAA allows a great deal of flexibility in how this is done.

HIPAA requires that covered entities take reasonable and appropriate measures to ensure the integrity and confidentiality of e-PHI against any reasonably anticipated threats or unauthorized disclosure. This includes taking specific steps to ensure compliance by officers and employees. 

HIPAA recognizes how different office settings can be and does not apply a “one size fits all” approach. Covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their e-PHI, taking into account the following:

Here is what you must do to be in compliance. First, you must have a security officer who has final authority over security. This may be the same person who acts as the HIPAA privacy officer. Second, you must do a risk analysis. Do your practice’s administrative processes, physical environment, and computer systems adequately protect the e-PHI you maintain and transmit? These are the three security standards established by HIPAA (administrative, physical and technical safeguards). Each addresses a distinct concern. It is up to your practice to identify areas that are vulnerable and devise methods to reduce the risk in the areas you detect. In doing so, you should identify and consider all information systems, software programs and databases that house e-PHI, including electronic medical record systems, billing systems, registration systems and email systems.

Each of the standards contains two kinds of specifications. There are specifications deemed required and others that are deemed addressable. Required implementation specifications must be met. Those that are addressable may be met, satisfied with an equivalent alternative or not implemented. This is one of the ways HIPAA is flexible. Note that whatever decision is made to satisfy the HIPAA Security rules must be documented.

The administrative standard deals with the office policies and procedures for the use of computers, access, staff training, passwords, etc. In short, does your office have procedures in place to ensure the confidentiality, integrity and availability of its e-PHI? Below are a few required implementation specifications:

Risk Management – you need to have sufficient security to reduce risk to a reasonable and appropriate level. This process involves undertaking a “risk assessment” and taking steps to reduce any vulnerable areas that you may have discovered.

Sanction Policy – you need sanctions for employees who fail to comply with security policies and procedures. These policies (and sanctions) should be included in your employee handbook. Employee training is required under the standards, and it is a good idea to require employees to sign agreements stating that they have read, understood, and will comply with both the privacy and security policies.

Information system activity review – you must conduct a regular review of security incident information. What will this uncover? You might find that someone has repeatedly tried to log into the system and been denied. You might also learn who has been accessing patient information and determine whether that access was appropriate. (If there has been a breach of security you must take immediate action.) How often you review this information will depend on your practice.
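To make the activity review concrete, here is an added illustration (not code from the article, and not drawn from any HIPAA guidance) of what a routine review of an audit log can surface: the repeated denied logins mentioned above, a per-user list of which patient records were opened, and the accesses that need a human decision on whether they were appropriate. The log format, the user names, the care-team assignments, the business-hours window and the failed-login threshold are all constructed assumptions for the example.

```python
"""Added example: a minimal information-system activity review over a
constructed audit log.  Not code from the article or from any HIPAA
guidance; the log format, names and thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log (assumed format: one event per line,
# "timestamp|event|user|detail").  For RECORD_ACCESS the detail is a
# patient identifier; the identifiers here are made up.
SAMPLE_LOG = """\
2005-03-01T08:02:11|LOGIN_FAIL|jdoe|bad password
2005-03-01T08:02:25|LOGIN_FAIL|jdoe|bad password
2005-03-01T08:02:40|LOGIN_FAIL|jdoe|bad password
2005-03-01T08:03:02|LOGIN_FAIL|jdoe|bad password
2005-03-01T08:05:00|LOGIN_OK|asmith|
2005-03-01T08:06:10|RECORD_ACCESS|asmith|PT-1001
2005-03-01T08:07:44|RECORD_ACCESS|asmith|PT-1002
2005-03-01T09:15:03|LOGIN_OK|bjones|
2005-03-01T09:16:30|RECORD_ACCESS|bjones|PT-2001
2005-03-01T23:40:12|RECORD_ACCESS|bjones|PT-1001
"""

# Constructed assignment of patients to care-team users.  In a real
# practice this would come from scheduling or billing data.
CARE_TEAM = {
    "asmith": {"PT-1001", "PT-1002"},
    "bjones": {"PT-2001"},
}

FAILED_LOGIN_THRESHOLD = 3      # assumed policy value
BUSINESS_HOURS = range(7, 19)   # assumed: 07:00 through 18:59


def parse_log(text):
    """Turn raw lines into dicts; malformed lines are skipped rather than crashing the review."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue
        ts, event, user, detail = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"when": when, "event": event, "user": user, "detail": detail})
    return events


def repeated_failed_logins(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Users whose count of denied logins reaches the threshold."""
    counts = Counter(e["user"] for e in events if e["event"] == "LOGIN_FAIL")
    return {user: n for user, n in counts.items() if n >= threshold}


def access_by_user(events):
    """Who opened which patient records: the raw material for an access review."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "RECORD_ACCESS":
            seen[e["user"]].add(e["detail"])
    return dict(seen)


def questionable_accesses(events, care_team=CARE_TEAM, hours=BUSINESS_HOURS):
    """Record accesses that need a human judgement on appropriateness:
    the user is not on the patient's care team, or the access was after hours."""
    findings = []
    for e in events:
        if e["event"] != "RECORD_ACCESS":
            continue
        reasons = []
        if e["detail"] not in care_team.get(e["user"], set()):
            reasons.append("not on care team")
        if e["when"].hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            findings.append((e["user"], e["detail"], e["when"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("repeated failed logins:", repeated_failed_logins(evs))
    print("access by user:", access_by_user(evs))
    for finding in questionable_accesses(evs):
        print("needs review:", finding)
```

On the constructed log this flags the four denied logins for one account and one late-night access to a record outside the user's care team. The script does not decide whether that access was appropriate; it produces the short list a security officer reviews and documents, which is the point of the activity review requirement.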

Most importantly, you must have all of this documented (45 C.F.R. Section 164.316). This is critical in the event of an inadvertent disclosure because it shows you have taken reasonable and necessary steps to avoid the disclosure, and it will help in an effort to avoid expensive penalties and civil liability for a Security violation.

HIPAA’s physical security standards relate to how you protect access to the physical areas where you have stored e-PHI. Ask yourself: where are the computers located, who has access to that area, and when? Every covered entity must have a policy for the appropriate use and configuration of workstations that store and use e-PHI. This policy needs to include how you will add, reuse, or dispose of electronic media that contains e-PHI. (45 CFR Section 164.310)

The HIPAA technical security safeguards address access controls (such as passwords); monitoring controls (so you can document who has accessed a particular computer and when); integrity (making sure that e-PHI is not improperly altered or destroyed); authentication of users (changing passwords regularly); and transmission security (having measures in place that ensure the e-PHI is transmitted properly, e.g., encrypted, so as not to be vulnerable to interception).

There are many physicians who have left HIPAA compliance to an office manager who may outsource billing or other office management responsibilities to third parties known under HIPAA as “business associates”. Examples of business associates include software vendors, transcription services, consulting services, and even law firms handling litigation matters or a Medicare audit. If the business associate creates, maintains or transmits e-PHI on your behalf, you must make certain the business associate has agreed to properly safeguard the e-PHI. This should be a specific provision in the business associate agreement, which may require the practice to amend the business associate agreements it obtained last year to comply with the HIPAA Privacy Rule.

The business associate agreement must do four things:

(1) It must ensure the business associate implements administrative, physical, and technical safeguards to protect the security of the e-PHI;

(2) It must ensure any agents or subcontractors of the business associate agree to implement appropriate safeguards to protect the e-PHI;

(3) It must require the business associate to report to you any security incident (when it becomes aware of it); and

(4) It must allow the termination of the business associate agreement for a violation of any of the above.

Do not make the mistake of assuming that your practice has properly protected itself in its business associate agreement. Review and update these agreements before April 20, 2005. Compliance with the Security rules is undoubtedly not your number one priority. But in the event of an unauthorized disclosure, the failure to have complied with the Security rules will make your situation even worse. While I have discussed some of the more important aspects of the Security rule, the information in this article is a summary of complex statutes and rules and is not intended to cover all of the “fine points” or address all possible situations. Accordingly, it is not intended to be legal advice, which should always be obtained in consultation with an attorney.

End Note: See generally 45 C.F.R. Section 164.302 et seq.