What's Your Security Risk?

The HITECH Act expansions to the HIPAA Security and Privacy Rules comprise sweeping and comprehensive changes to safeguarding electronic protected health information (ePHI). In addition to providing those incentive dollars for meaningful use of a certified EHR, the HITECH Act significantly strengthened aspects of the HIPAA Security Rule, including the penalties imposed under HHS and the Office of Civil Rights. If you are a "Covered Entity" (CE) or "Business Associate" (BA) it's time to get serious; the deadline to be fully compliant with these final HIPAA rules has now passed!

Remember, HIPAA comprises three sets of standards - transactions and code sets, privacy, and security. The goals of these regulations are to:

• Simplify the administration of health insurance claims and lower costs
• Give individuals more control over and access to their medical information
• Protect individually identifiable medical information from threats of loss or disclosure

This is not new! The HIPAA Security Final Rule was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003. Most CEs had two full years - until April 21, 2005 - to comply with these standards. The reality is, most covered entities, especially providers, did not comply by that date and are still not HIPAA compliant today.

In general, the HIPAA Security Rule protects ePHI whether it is stored in a computer or printed from a computer. The Security Rule is comprehensive - including 18 regulation standards defining what safeguards to implement and 35 specifications that describe how those standards must be implemented. The documentation requirements for the Security Rule are daunting to say the least.

Most experts originally agreed that the HIPAA Security Rule requirements were much more extensive than the HIPAA Privacy Rule - and you know how much your practice has done to accommodate that. To make matters worse, most medical practices governed by the Security Rule continue to have limited staff resources to implement an initiative to comply with security requirements. And available information-security consulting expertise in many communities has been and remains limited. The combination of all of these forces has produced a very clear result: very poor information security in the healthcare industry.

What is new? Enter the HITECH Act, called a "game-changer" and "groundbreaking." Without a doubt, HITECH is the largest and most consequential expansion and change to the federal privacy and security rules ever. The 15 change areas comprise new federal privacy and security provisions that will have major financial, operational, and legal consequences for all medical practices, hospitals, health plans, and their "business associates."

Kathleen Sebelius, secretary of HHS, said during the announcement of the Notice of Public Rule Making-Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under HITECH "To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its healthcare system forward, the privacy and security of personal health data is at the core of all our work."

HIPAA requires all health care CEs - that's you! - and their BAs - that's me! - to safeguard the privacy of patient health information. The HIPAA law also requires CEs and BAs to implement required security measures to protect patient health information.

How would your name get in the news? HHS's Office of Civil Rights (OCR) is coming to audit your compliance. The security audits will check that organizations have completed a risk assessment and implemented appropriate administrative, technical, and physical safeguards.

What do you do? Perform a risk assessment (see examples in Table 1), establish a baseline scorecard, and track compliance progress. New penalties for violating HIPAA and HITECH Act security regulations are enormous. CEs and BAs face up to $1.5 million in fines for multiple violations of a single requirement in a calendar year, and untold damage to their (yours and mine) reputations.

Rosemarie Nelson is a principal with the MGMA healthcare consulting group. She conducts educational seminars and provides keynote speeches on a variety of healthcare-technology and operational topics. Drawing upon her diverse experience, Nelson provides practical solutions to help medical groups succeed in their practices. She may be reached at www.mgma.com/consulting/nelson.