Friday, September 14, 2012

New HIPAA Challenges: Implementing the HIPAA Security Rule (Health Insurance Portability & Accountability Act of 1996) (protected health information) - Mondaq Business Briefing

Originally published January 2005

With HIPAA Privacy under our belts, employers now must face the next phase of HIPAA regulatory compliance: the HIPAA Security Rule. As was the case for HIPAA Privacy, all plans that provide or pay for the cost of health care are covered. This includes self-insured and fully insured plans, medical expense reimbursement accounts, and separate dental and vision plans. Covered plans must implement the Security Rule requirements by April 20, 2005 (April 20, 2006 for those health plans with $5 million or less in receipts).

What information is covered?

Your HIPAA Privacy efforts addressed all protected health information (PHI) maintained or created by or on behalf of your health plan, whether on paper, in your computer systems or communicated orally. The HIPAA Security Rule addresses a smaller sub-set of PHI: electronic protected health information, or e-PHI. This means information in databases, in Word documents on computers, and conveyed in emails - in other words, all PHI that is maintained or transmitted electronically. Enrollment information or information about withholdings in a payroll database is not considered protected health information, and so would not be considered e-PHI. If some or all of your plan's e-PHI is in the hands of your vendors or third-party administrators, then your plan must enter into an appropriate contractual arrangement with the vendors and/or third-party administrators (see the discussion below regarding business associate contracts).

What does the Security Rule require?

If you maintain or transmit e-PHI, your health plan will have to satisfy all of the HIPAA Security Rule requirements. At a basic level, the Rule requires health plans to protect the confidentiality, integrity and availability of e-PHI. This goes beyond just privacy - the Security Rule is also intended to ensure health information is not improperly altered or destroyed, and that e-PHI can be accessed even in cases of emergency (system shutdowns, for example). The Rule is broken down into three categories: administrative safeguards (business processes and policies for protecting e-PHI), physical safeguards (how equipment and facilities housing e-PHI are physically secured) and technical safeguards (electronic mechanisms and programs that protect hardware and software). For each category, the Rule defines specific standards and 'implementation specifications' that consist of basic security protocols. The chart on the last page of this Advisory lists each standard and all implementation specifications, and includes a brief explanation of each. Some of the implementation specifications are 'addressable,' meaning that you need to adopt them only if they are reasonable and appropriate for your health plan, but these decisions must be documented - 'addressable' does not mean 'optional.'

How do I get to HIPAA Security compliance?

Health plans that maintain and transmit e-PHI should take the following steps:

Appoint a 'Security Officer' to oversee HIPAA Security implementation. This can be the same individual that serves as your HIPAA Privacy Officer, but it should be someone familiar with your information systems and general information security practices. The Security Officer should also be someone with IT decision-making authority and responsibility in your organization.

Assemble a multi-disciplinary team to oversee implementation and to participate in the decision-making concerning identified security risks and whether additional security measures should be implemented.

Inventory all existing security policies, procedures and practices. Inventory all e-PHI and the flow of e-PHI into, out of and within your health plan by identifying the systems, hardware and software that maintain or transmit e-PHI in connection with your plan. Consider systems, hardware and software associated with laptop use or use of personal digital assistants, and the maintenance and transmission of e-PHI through remote access (such as from home computers).

Conduct a 'risk analysis' that assesses the potential risks and vulnerabilities to the systems that maintain and transmit e-PHI and measures the adequacy of your existing security measures. Risk assessments are familiar concepts to information technology (IT) professionals, and your company already may have a methodology in place. IT staff should be involved in the risk assessment, but consider involving IT consultants if you do not have the appropriate in-house IT expertise. Where necessary based on the assessment, implement additional security measures to reduce unacceptable risks to a reasonable and appropriate level.

Using your risk assessment results, review compliance with the Security Rule standards and implement additional measures where necessary.

Develop policies and procedures for managing e-PHI or modify existing security policies to address changes made to your security practices. As noted below, in some cases you can modify your HIPAA Privacy policies to address security, where appropriate.

Amend your plan documents to include the required language from the HIPAA Security Rule.

Review your business associate agreements to determine whether they need to be updated to include additional HIPAA Security language.

Train benefits and HR staff that have access to e-PHI on appropriate security measures.

Practical Pointers

Most health plans will not be starting HIPAA Security from scratch - at least part of what you need probably is already in place, such as locks on the doors to your office and unique user IDs and passwords to log into your computer systems. As part of HIPAA Privacy implementation, you may have already 'cleaned house' by limiting the PHI (electronic or otherwise) you receive from your vendors and TPAs. The HIPAA Privacy and Security Rules also overlap to a limited degree, and some of the work already completed to comply with HIPAA Privacy can be used and/or supplemented to meet your HIPAA Security compliance obligations. For instance, as part of your HIPAA Privacy compliance you should have established a sanctions policy that addresses disciplinary action for the improper use or disclosure of PHI, and implemented a training program for educating employees about the importance of protecting confidential health information. These policies can be easily modified to cover HIPAA Security.

Larger employers also may have information security programs already in place. Because the standards in the HIPAA Security Rule generally are derived from industry practices in information security, your existing program may be sufficient to meet many of the requirements. However, you still need to document what is in place, assess any additional measures that may be necessary, and document how you have complied with each of the Security Rule standards.

Conclusion

HIPAA Security compliance cannot happen without the involvement of your IT staff, but it is not a question for IT alone. Pull together a cross-disciplinary team with the appropriate knowledge base, take a step-by-step approach to compliance, and build on what you already have.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

© 2005 Wiggin and Dana LLP

Ms Maureen Weaver

Wiggin & Dana LLP

One Century Tower

P.O. Box 1832

265 Church Street

New Haven

CT 06508-1832

UNITED STATES

Tel: 203-498-4400

Fax: 203-782-2889

E-mail: jireland@wiggin.com

URL: www.wiggin.com

(c) Mondaq Ltd, 2005 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com