Security Rule Blues

More than a month beyond the date when physicians were supposed to have met new requirements for security of health information, compliance appears to be lagging. If you are among those dragging your feet, are you aware of the risks you are taking by delaying compliance?

April 20, 2005 was the deadline for all healthcare entities covered by HIPAA (except for small health plans) to have complied with the security portion of the law. The privacy rule has been in effect since 2003. The security rule safeguards against the unauthorized use or disclosure of patients' protected health information (PHI) that is electronically transmitted or maintained.

If you are not yet compliant, don't panic. You are not alone. A recent survey by a healthcare information group and a consulting organization showed only three-fourths of providers expected to be compliant by the deadline. It is important, however, to start your efforts now and have a plan to get the job done in the shortest possible time. The penalties for noncompliance can be severe, and evidence indicates that tough security measures are needed. A full 40 percent of provider respondents to the survey noted they had experienced at least one data security breach since June 2004.

Understanding what's required

Many providers, including physician practices, likely have found the security regulation more difficult to implement than the privacy rule because there has been less guidance and fewer sample documents available from the Centers for Medicare and Medicaid Services (CMS).

Yet compliance with the security regulation goes hand-in-hand with privacy. The privacy rule itself mandates a certain level of physical security for all PHI, and the security rule adds to that burden by requiring any provider who transmits or stores patients' PHI electronically (and these days, the majority of providers do) to safeguard that electronic PHI (e-PHI) from unauthorized access, use, or disclosure.

The security rule requires providers and other covered entities to "ensure" the integrity, confidentiality, and availability of e-PHI, protect e-PHI from any "reasonably anticipated" threats or hazards, and mandates that their officers and employees will comply with the security regulation. "Integrity" in this context means that the e-PHI has not been altered or destroyed in an unauthorized manner; "availability" means that people who are authorized to access the e-PHI can do so when appropriate.

At this point, we don't really know what "ensure" and "reasonably anticipated" mean. Until courts have an opportunity to define these terms, healthcare providers will have to make their best efforts to achieve compliance with these standards.

In general, the security rule specifies a broad array of administrative, physical, and technical standards, but these are divided into "required" and "addressable." Don't be misled by the apparent voluntary nature of the word "addressable."

Addressability means that your practice has some discretion in how to solve any problems that exist in a particular area. Addressability does not mean that you can ignore the standard altogether, or that you can base your decision on how to achieve compliance solely on the cost of the solution.

If the only available solution is expensive, but "reasonable and appropriate" in your individual circumstances, you will still have to spend the money. In cases of addressability, treat your analytical process like a fifth-grade math assignment -- show your work. The regulators will want to see why you made the choices you did and what alternatives you considered and discarded on your way to your selected compliance solution. If you don't, you're likely to place yourself at risk for second-guessing (and potential sanctions).

At a minimum, you must do the following:

Appoint a security official. This may be the same person who is your privacy official. This individual is the point person for all policy development, training, and security compliance activities. Most physician practices assign this responsibility to the office manager or, if a large practice, to the person in charge of information technology. The security rule does not mandate any particular level of training or expertise.

Assess the key security risks to your practice. These risks likely will include potential loss of cash flow; loss or corruption of e-PHI due to a hacker, virus, or disaster; temporary loss or unavailability of records due to a system or power outage; and unauthorized access to or disclosure of e-PHI that results in a patient complaint to your practice and, potentially, to CMS. Identify the relative likelihood of these risks based on your practice's individual history and situation. This process, called a "risk assessment," simply requires you to determine whether it is more likely that your information systems will be compromised by, for example, flooding than by a hacker or an angry ex-employee.

Implement safeguards to minimize the occurrence of the most likely events. This effort must be customized to your practice's own circumstances -- borrowing someone else's "checklist" of problems will not be sufficient. Most practices are going to have to think about natural disasters, power outages, hackers, disgruntled employees, and the like. However, if you have remote access to a hospital's information database (such as a PACS system, for example), or if you have a piece of diagnostic equipment that the vendor can access by modem, you're going to have to consider security risks created by these systems, also.

Physically safeguard your information assets. This includes keeping printers and fax machines out of patient or high-traffic areas, keeping rooms containing sensitive assets locked, destroying paper and electronic information when no longer needed, and only allowing certain individuals access to sensitive areas or data applications.

Train the workforce on security compliance issues. Inform everyone of their information security responsibilities, which will vary depending upon what amount of access to e-PHI each workforce member may have. Don't make distinctions purely on pay status or work hours --  it is the level of access that drives the training and compliance burden. Finally, document each training session and those present, and make training a condition of continued employment.

Implement a reminder program about security. This may include e-mail alerts, posters, log-on notices, memos, or other methods. Such reminders should address problems that have arisen, as well as those the practice hopes to avoid.

Create policies and procedures addressing the weak points you uncovered in your risk assessment. Tailor these policies and procedures to your practice's operations, and make these documents available to all personnel.

Develop appropriate sanctions for security violations, and apply them evenly. Any sale of patient information should result in immediate dismissal; all other violations can have a scale of penalties from a letter of reprimand to suspension without pay for a period of time. Document any disciplinary action, and make sure you don't discriminate in punishment for the same offenses. Repeat offenders must be punished more severely. Don't forget to hold any professional managers in the practice accountable for upholding their security responsibilities as well.

Encrypt information where appropriate. Laptops with wireless modems and PDAs are particularly vulnerable to intrusion, as are data transmissions over the Internet. If you must send data out of the practice electronically, you will need to encrypt this data somehow. Depending upon your practice's financial and personnel resources, you may also wish to encrypt information on PCs and servers (this may not be required if you have taken other security measures, such as password protection or limiting access to certain functions) or discontinue certain electronic transactions (such as sending patient reports and correspondence by e-mail).

Remember, unless you are required by law or contract to send e-PHI electronically, you are not required to, and discontinuing such transmissions might be the easiest way to create a secure environment.

Important next steps

You now have a basic level of security in place in your practice, and are ready to move forward with more complicated compliance tasks. You'll need to:

Create a process to respond to, contain, investigate, and mitigate the damage caused by security incidents. Apply this process to security incidents of all types, including those involving employees, business associates, physicians, vendors, and others. Keep records of actions you take and the results.

Develop a contingency plan. What if the worst happens, and your systems go down or a natural disaster interrupts your access to electronic information? Identify the most vulnerable systems and data and then create a backup plan for disasters, as well as an emergency operations plan. Train personnel and test these plans to see if they will be effective when needed.

Regularly review your program's effectiveness. Because technology and employees change, your security compliance program should be checked and tweaked at least once a year. Most practices won't have the resources in-house to verify whether your technology is doing what it is supposed to, so you'll likely need an outside expert to assess this aspect of your program. For procedural aspects, you might consider staging a "mock" disaster or a day of in-service to review your program. Be careful that your review doesn't ignore issues that people think "aren't a big deal."

Remember that physical security issues (workstation access, secure areas for e-PHI, etc.) also form a part of your privacy compliance program, so make sure that your privacy official participates in the review and evaluation of these aspects of your security solution.

The price of noncompliance

As with violations of the privacy regulation, providers can receive stiff penalties if they violate the security requirements of HIPAA. Although the federal enforcement authorities have stated that they want to promote education and voluntary compliance during the first few months following the compliance deadline, investigations will be conducted into each complaint received and civil and criminal penalties still can be imposed for violations found.

Civil penalties include a $100 fine per violation, up to $25,000 for repeated violations of the same requirement. Criminal penalties, which can be imposed for a willful disregard of the statutes and regulations, range from a fine of up to $50,000, imprisonment for up to one year, or both to a fine of up to $250,000, imprisonment for up to 10 years, or both for an offense committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Nonmonetary consequences of HIPAA violations include possible negative media publicity about the provider, loss of patients, loss of business associates who do not wish to be associated with organizations that are noncompliant, and possible liability occasioned by civil suits brought by plaintiffs' attorneys. However, the most damaging sanction that could be imposed is exclusion from the Medicare system due to failure to comply with HIPAA's mandates.

Patients are becoming more educated about their rights under HIPAA and state medical privacy laws. If your practice does not take security compliance seriously and a patient asks questions about your program, or if a security breach occurs that results in a publicized violation, the practice will learn very quickly that noncompliance may in fact be more costly and unpleasant than the cost of implementing a reasonable compliance solution.

Barry Herrin is an attorney and partner in the Atlanta office of Smith Moore LLP, and is board certified in healthcare management by the American College of Healthcare Executives. He can be reached at (877) 404-7466, barry.herrin@smithmoorelaw.com, or editor@physicianspractice.com.

Trish Markus is an attorney and partner in the Raleigh office of Smith Moore LLP, and is the immediate past president of the North Carolina Society of Healthcare Attorneys. She can be reached at (800) 569-5740, trish.markus@smithmoorelaw.com, or editor@physicianspractice.com.

This article originally appeared in the May 2005 issue of Physicians Practice.