With the compliance date for the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations already upon us, and the deadline for compliance with the transaction and code set standards only a few months away, another set of HIPAA regulations is not at the top of most providers' wish lists. Nevertheless, here they come.
On February 20, the Centers for Medicare & Medicaid Services (CMS) published the final HIPAA security standards. It took CMS more than 4 years to finalize these regulations. (It originally published the standards in proposed form in 1998, more than a year before the publication of the proposed privacy rules.) But, despite the long delay, the new standards are generally quite similar to the original proposal. Fortunately, CMS did make some welcome changes. In particular, it harmonized the security standards with the privacy standards in several important ways.
Two Complementary Approaches
As was the case with the privacy standards, there is a 2-year compliance window for the new security rules. Providers must comply with the rules by April 21, 2005. However, advance planning will be even more important with the security rules than it was with the privacy rules. Much of the work of privacy compliance was in policy development and workforce training. The security rules, on the other hand, require many providers to make significant modifications in their information systems, and some will have to invest in hardware or software upgrades, and/or hire information security consultants as the 2005 deadline approaches.
To understand the relationship between the security rules and the privacy rules, it is helpful to think of them as representing two different (but complementary) approaches to one set of goals. The privacy regulations are concerned with health information and regulate its use and disclosure. The security standards do not deal directly with health information, but instead regulate the systems that electronically transmit, receive, and store health information. They establish security requirements for computers, computer networks, email systems, and other electronic systems and devices that store and transmit health information. Ensuring that electronic storage and transmission of health information are secure is a critical element in preventing the unauthorized use or disclosure of that information, which is the prime purpose of the privacy rules.
A Limited Scope
There is an important difference in the scope of the security regulations and the privacy regulations. The privacy regulations apply to all protected health information (PHI), no matter what form it is in. The security rules apply only to PHI that is stored or transmitted in electronic form. Paper records and oral disclosures, for example, are regulated by the privacy rules but do not come within the scope of the security rules. Information that is stored on computer hard drives, optical disks, magnetic tape, or other electronic medium, as well as information transmitted by email, the Internet, a private network, or another electronic means of transmission, is subject to both sets of rules. Telephone or fax transmission is not considered to be electronic transmission for purposes of the security rules. CMS may issue regulations on the security of PHI in nonelectronic form at a later date.
Many terms that are familiar from the privacy standards appear in the security rules as well, and are defined the same way for purposes of both sets of rules. Covered entity, health information, and business associate are among the terms shared by the security and privacy standards.
Under the security rules, a covered entity must comply with four basic requirements:
- Ensuring the confidentiality, integrity, and availability of electronic PHI that it creates, receives, maintains, or transmits.
- Protecting against reasonably anticipated threats or hazards to the security or integrity of electronic PHI.
- Protecting against uses or disclosures of electronic PHI that are not permitted or required under the privacy rules.
- Ensuring that members of its workforce comply with the regulations.
Implementing Safeguards
In addition, the standards require three categories of safeguards for electronic PHI: administrative safeguards, physical safeguards, and technical safeguards. And the rules contain additional requirements regarding policies and procedures, documentation, and other matters.
Within each category of required safeguards there are standards and implementation specifications. However, the security rules generally do not mandate specific methods that providers must use to meet the standards, because rapidly evolving technology could quickly make such prescriptions obsolete. For the most part, therefore, the security regulations leave covered entities a certain amount of discretion in determining how to achieve compliance. The regulations are intended to be flexible and scalable. In deciding how to implement the standards, a covered entity may take into account factors such as its size, its technical capabilities and hardware, the cost of various security measures, and the risks to which its electronic PHI is likely to be exposed.
The administrative safeguards section of the rules deals with issues such as security management, workforce training, and contingency planning. A covered entity is required to implement procedures to prevent, detect, contain, and correct security violations. It must perform a thorough assessment of the potential vulnerabilities of its electronic systems and the risks to the confidentiality, integrity, and availability of electronic PHI in its possession, and must implement security measures to reduce those vulnerabilities and risks to reasonable and appropriate levels. It must assign a security official to be responsible for the development and implementation of security policies and procedures, analogous to the privacy officer required under the privacy rules, and it must put in place a security awareness and training program for all members of its workforce.
The administrative safeguards provisions also require a covered entity to develop a contingency plan for responding to system failure, fire, natural disaster, or other emergency that damages systems that contain electronic PHI. The contingency plan must include a data backup plan, a disaster recovery plan, and an emergency mode operation plan. The covered entity must also conduct periodic evaluations of its security policies and procedures.
In the category of physical safeguards, a covered entity must establish controls to limit physical access to its facilities and information systems. It must also implement physical safeguards to restrict access to workstations that access electronic PHI so that only authorized users may access the information.
Upgrading Your Systems
The technical safeguards section of the regulations is the section that will require significant system changes or upgrades on the part of some providers. Because the compliance deadline is 2 years away, many of the required changes can be implemented in the course of routine equipment acquisition and replacement, reducing the incremental costs of HIPAA compliance. To realize the potential cost savings, however, providers should become familiar with the requirements now, so they can take them into account in purchasing equipment and system upgrades over the next 2 years. Any provider who expects to acquire new data transmission capacity, develop new Internet-based services, or otherwise expand its electronic information capabilities should understand how the security standards will apply to the affected systems to avoid additional compliance costs as the 2005 deadline approaches.
The technical safeguard provisions will affect different providers in different ways. For example, the new rules require access controls that track the identity of system users. Compliance with this standard will be trivial for many large providers, whose computer networks may have required unique user names and passwords for years. However, some small providers operate with a few personal computers whose only form of access control is the lock on the office door. It will be necessary for those providers to upgrade their security capabilities.
The technical safeguard standards also require audit controls, defined as hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Existing hardware and software systems vary widely in their audit control capabilities, and achieving compliance with this standard will require coordination with hardware and software vendors. The standards also require procedures to verify that a person seeking access to PHI is who he or she claims to be. Other technical safeguards include data integrity policies and procedures and transmission security measures.
Like the privacy rules, the security standards require covered entities to execute or amend contracts with their business associates to ensure the associates also implement safeguards for electronic PHI. These provisions can be included in the same business associate contracts that are required under the privacy regulations. The security standards also require covered entities to establish policies and procedures on subjects such as information access management, handling of security breaches, workstation use, data backup and storage, and disposal of electronic media.
Achieving compliance with the security standards will require a lot of work and will undoubtedly entail some frustration and some headaches, but 2 years will be more than enough time for providers who begin planning promptly. Because the rules are focused on electronic information only, they will generally not affect as wide a range of activities as the privacy rules do. The privacy rules required some providers to make fundamental changes in the way they conduct critical activities such as marketing. The security rules will involve effort and expense, but are unlikely to have such an impact on how providers conduct their day-to-day business activities. Compliance with these standards is a large but manageable task. Don't wait too long, though: 2005 is not as far away as it sounds.
Timothy L. Webster, JD, is an attorney with the Health Care Group of Brown & Fortunato PC in Amarillo, Tex. He represents HME companies, pharmacies, and other health care providers throughout the United States. He can be reached at (806) 345-6347 or at twebster@bf-law.com.