The ABCs of HIPAA security rules
HIPAA is based on the concept of "Administrative Simplification," or the pursuit of the most effective and efficient use of modern information technology. Handheld computers, the Internet, e-mail communication, and the use of personal computers enable users to store nearly limitless amounts of data, perform timely searches and reporting, and distribute large quantities of information to a wide audience in practically no time.
The healthcare industry is now able to make patient records and image data instantaneously available at multiple locations, as well as provide summary analysis of multiple patient, facility, or regional studies with very little effort. HIPAA seeks to facilitate the greatest potential use of this modern technology, while providing common sense protections for the personal patient information reflected in the data.
The Security and Electronic Signature Standard ("Security") and the Privacy of Individually Identifiable Health Information Standard ("Privacy") together are intended to protect patient health information. Privacy defines the permissible means of access, use, and disclosure of the applicable patient information, while Security governs the operational and technical mechanisms necessary to protect the information.
Privacy was enacted in December of 2000 and must be followed by April 14, 2003. Security is in draft status and will not likely be formally enacted until at least October of this year, with a two-year compliance timeline. However, security efforts cannot be put on hold. The Privacy Rule, not to mention prudent business practice, requires covered entities to have adequate information security in place by this coming April.
What is information security?
Information security is a comprehensive system of actions taken to protect the confidentiality, integrity, and availability of an organization's electronic data, work product, information systems, and other related intellectual and physical property. These areas are defined as:
Scope of the Security Rule
Healthcare providers, health plans, and clearinghouses are charged with the legal responsibility to comply with HIPAA. The Security Rule further requires that these "covered entities" enter into chain-of-trust partner agreements (separate from business associate agreements) with third parties that will access, use, or disclose confidential information to ensure that consistent levels of security protections are maintained.
The Security Rule applies to all individually identifiable health information that is either electronically stored or transmitted. The draft regulation includes Electronic Signature requirements; however, the government has indicated that these requirements have not been sufficiently evaluated for inclusion in the final rule.
The Security Rule requires each covered entity to assess its own operations, resources, and vulnerabilities to determine what types of security measures are necessary to protect the individually identifiable health information under its control. The entity must conduct a careful analysis of the flow of this health information throughout its organization, and it must assess the potential risk of unauthorized access, use, or distribution of the information at every point of storage and transmission. A security gap analysis must be performed to identify the controls necessary to prevent what the entity would consider to be an unacceptable risk or vulnerability.
The rule is intended to be scalable to permit organizations to custom fit the security requirements to their particular needs. Further, the regulation is written to be technology-neutral. Covered entities must determine exactly what types and levels of security technology are appropriate to meet their security needs. This also provides for the likelihood of future technology improvements and rising industry standards.
The Security Rule does not require the absolute prevention of all potential avenues of unauthorized use, access, or disclosure of protected information, only those that the covered entity determines to be unreasonable. Some that must be considered are:
The Security Rule provides a specific list of minimal requirements that a covered entity must fulfill to adequately prevent unauthorized access, use, or disclosure of individually identifiable health information.
Formal operational procedures and policies must be established to provide security guidance and instruction to all applicable personnel and to ensure that all pertinent functions are consistently performed in accordance with the organization's security needs. Procedures to put in place include:
The organization's buildings, equipment, and media must be protected with reasonable physical safeguards to prevent unreasonable threats to security. The covered entity must consider physical threats, such as disaster, physical or electronic break-in, burglary and theft, and careless physical access to individually identifiable health information.
The covered entity must install adequate physical security protections, as well as establish operational procedures to ensure that these protections are implemented effectively. They include:
Technical security services
Operational procedures and policies must be established to restrict access to individually identifiable health information to personnel with a justifiable need to access, use, or distribute the data. These should include:
Technical security mechanisms
Security technology must be implemented to protect information that is stored on a computer network or is otherwise electronically communicated, from unauthorized access, use, or distribution. Required mechanisms include:
Technology can yield great savings by reducing the cost of healthcare operations. However, reasonable steps must be taken to preserve patient trust, satisfy regulatory requirements, and maintain the most effective and efficient healthcare organization.
Thomas H. Faris can be reached at firstname.lastname@example.org.
This article originally appeared in the October 2002 issue of Physicians Practice.