A road map to HIPAA compliance.


As noted in my earlier article ("HIPAA Security Is Next," January 2004, p. 37), now is the time to start complying with the standards of the HIPAA Security Rule before its April 21, 2005 deadline. Fortunately, the Security Rule is closely synchronized with the HIPAA Privacy Rule, which is already in effect. Hence, some actions taken to comply with the Privacy Rule will expedite compliance with parts of the Security Rule. This article will assist facilities in planning the steps needed to comply with the Security Rule, with emphasis on what is reasonable for nursing facilities. The core language driving this regulation can be found in "The Regulatory Basis," p. 68. All facilities are urged to download an official copy of the Final Rule at www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp. For other helpful resources, see "Information Resources," p. 69.


The Security Rule is more limited in scope than the Privacy Rule. While the Privacy Rule covers all protected health information (PHI), paper or electronic, the Security Rule applies only to electronically stored or transmitted PHI. Like the Privacy Rule, the Security Rule emphasizes reasonableness and does not mandate any specific technology to meet its requirements. It allows responses to be scaled according to each facility's size and technological environment. Each facility is required to assess its status and address its vulnerabilities within its own organizational framework, as long as it complies with all basic standards and evaluates, documents, and acts appropriately regarding addressable issues. To better understand the distinction between "required" and "addressable"--key to understanding this article--see "Implementation Specifications: Required versus Addressable."

Road Map to Full Compliance

Getting to compliance will necessitate a deliberate effort to identify vulnerabilities and threats to the confidentiality, integrity, and availability of electronic PHI, or ePHI. All of the following steps must be taken, but the exact order will depend on the circumstances of each facility. Each standard is identified as "Required" (R) or "Addressable" (A), in accordance with the Final Rule, together with a suggested timing: "Now" or "Later." While it would be desirable to do everything now, the reality of limited resources and the need to collect and analyze data before taking some actions dictate a phased approach. The timing suggestions must be evaluated by each facility--they are not part of the rule! In some facilities, standards suggested as "Later" may already have been met. The suggestions are intended for facilities that do not currently have the capability to comply with the standard.

We suggest the facility's security official (and there must be one) use a HIPAA Security Matrix to ensure that each requirement is addressed. A comprehensive HIPAA Security Matrix is needed to document all issues related to the security of electronic PHI. Each facility will need to ensure that the security analysis it performs is comprehensive for that facility. Typically, a security matrix may be 20 pages or more. (A sample matrix for nursing facilities that can be tailored to individual facilities is available by e-mailing the author.) Documentation related to Security Rule analysis and actions is required to be maintained in a written record (which may be electronic) that includes the Risk Analysis (see below) and reports of actions, policies, and procedures. Start it now.

Assigned Security Responsibility (R, Now). Identify the security official who will be responsible to the administrator for developing and implementing the facility's required policies and procedures. Small, relatively uncomplicated facilities might need only one person part-time--perhaps the facility's Privacy Official--to fill this role; more complicated facilities might need a team or designated staff. Because this lead person will need time to research and digest the requirements, he/she must be assigned immediately.

Risk Analysis (R, Now). The Risk Analysis is the foundation documentation for the compliance effort. Take time to do this well, since many other actions depend on it. Each facility must determine the particular vulnerabilities of its ePHI. This means considering "all relevant losses" that would be expected if the security measures were not in place. Examples would include losses caused by unauthorized uses and disclosures, or any loss of data integrity, such as that caused by a system crash with no current backup. The Risk Analysis should use the Security Matrix described above as a tool to ensure that all risks are identified and evaluated. The Risk Analysis must be repeated often enough to ensure that the security measures continue to be adequate for providing the protection required by the rule.

Authorization and/or Supervision (A, Now). Related to the Privacy Rule, policies and procedures must be in place to ensure that only authorized staff have access to ePHI.

Workforce Clearance Procedure (A, Now). Related to the Privacy Rule, policies and procedures must be in place to ensure that only properly cleared staff have authorized access to ePHI.

Termination Procedures (A, Now). Related to the Privacy Rule, policies and procedures must be in place to ensure that when staff are terminated, so is their authorization to access ePHI.

Access Authorization (A, Now). Related to the Privacy Rule, policies and procedures must be in place to ensure that authorized staff have access to the data they need. As changes are made in software applications to facilitate compliance with the Security Rule, this issue will need to be revisited.

Security Reminders (A, Now). Initiate security reminders using tools appropriate to your facility. Newsletters, e-mails, circulated tips, bulletin board notices, etc. can all help raise awareness.

Protection from Malicious Software (A, Now). This most definitely can't wait! There must be policies and procedures to guard against, detect, and report viruses, worms, and other malicious software. Properly configured firewalls for all outside connections are essential. Current antivirus software with regular updates should be running on all workstations that are vulnerable to attack. Loading software to network-connected or stand-alone workstations should be restricted to designated staff only.

Data Backup Plan (R, Now). This should already be in place in all facilities--but typically isn't. We suggest that compliance with this requirement be supervised by the security official immediately.

Facility Access Control and Validation (A, Now). Control access to physical components and to software for testing and revision. This means that physical access to servers and storage must be controlled and records maintained on individuals using the system (including guests).

Workstation Use, Device and Media Controls: Disposal (R, Now). Address the secure final disposal of media or hardware containing ePHI.

Workstation Use, Device and Media Controls: Re-use (R, Now). Address the re-use of media or hardware containing ePHI.

Risk Management (R, Later). Since this depends on the Risk Analysis, this has to be delayed until the Risk Analysis task is complete.

Evaluation (R, Later). Perform periodic technical and nontechnical evaluation of the security plan.

Sanction Policy (R, Later). Determine the actions to be taken for breaches of the security policies.

Isolating Healthcare Clearinghouse Functions (R, Later, if needed). In larger organizations, clearinghouse data (i.e., data aggregated from several facilities) must be protected from access by outside facilities.

Access Establishment and Modification (A, Later). If the facility's current software supports access rights management, ensure that access rights are indeed being managed.

Access Control: Unique User Identification (R, Later). All ePHI must be accessed through a "person-unique" access method to allow user identification and tracking. Note that this requirement does not affect applications that do not contain or access ePHI.

Person or Entity Authentication (R, Later). Ensure that the person or entity receiving ePHI is actually the person or entity it claims to be.

Access Control: Emergency Access Procedure (R, Later). Procedures must be available to access ePHI in an emergency, with an appropriate audit trail.

Login Monitoring (A, Later). Ensure all software or workstations that have access to ePHI will be capable of monitoring login attempts and reporting them. Vendors may have to upgrade their applications to provide the capabilities needed.

Information System Activity Review (R, Later). Review logs and other monitoring data, based on the above.

Password Management (A, Later). How passwords are distributed and managed depends upon the application and facility policy.

Security Incident: Response and Reporting (R, Later). Since this partially depends on the Risk Analysis, this may be delayed until the Risk Analysis task is complete.

Security Incident: Contingency Plan (R, Later). Based on threats determined in the Risk Analysis.

Disaster Recovery Plan (R, Later). Based on threats determined in the Risk Analysis. If your facility is highly automated, this may take a higher priority.

Emergency-Mode Operation Plan (R, Later). Based on threats determined in the Risk Analysis. If your facility is highly automated, this may take a higher priority.

Testing and Revision Procedures (R, Later). The emergency plans must include periodic testing and revision of all components of the system. For example, testing the backup and recovery of the system and data from crashes is essential to having confidence in the procedure. Procedures for testing under controlled conditions, carrying out the tests, and documenting their results are required to ensure the data will be protected.

Applications and Data Criticality Analysis (A, Later). Assess the criticality of specific applications and data in support of other contingency plans. This could be performed as part of the overall risk assessment.

Business Associate (written contract or other arrangement) (R, Later). Requires that the Business Associate comply with the requirements to safeguard the confidentiality, integrity, and availability of the organization's ePHI.

Contingency Operations (A, Later). Part of the disaster recovery plan.

Facility Security Plan (A, Later). Plan to safeguard the facility against threats identified in the Risk Analysis.

Maintenance Records (A, Later). Maintain records of all repairs and modifications to the facility that are related to security (e.g., hardware, walls, doors, locks).

Workstation Use: Security (R, Later). Physical safeguards to restrict data access to authorized users performing authorized tasks. Depends on the Risk Analysis.

Workstation Use: Accountability (A, Later). Record the person(s) and routines involved for movements of hardware and electronic media.

Workstation Use: Data Backup and Storage (A, Later). Establish a policy to ensure that any ePHI on a workstation is backed up before movement of equipment.

Automatic Logoff (A, Later). Provide for terminating an electronic session after a predetermined time of inactivity. Meeting this standard will probably involve your software vendor if the software does not already comply.

Encryption and Decryption (A, Later). Implement a method to encrypt and decrypt ePHI whenever deemed appropriate. Do this based on vulnerabilities identified in the Risk Analysis. Although encryption of ePHI is not required globally, data that are being transmitted outside of the facility should be considered for encryption, depending on the security of the transmission medium. Encryption may be used for internal access control, but is not required.

Audit Controls (R, Later). Record and examine activity in information systems that contain ePHI. Logs of system activity must be generated and periodically evaluated by the facility. Unauthorized attempts to access the data, or attempts to penetrate the protections of the ePHI, will likely be identified in this way.

Mechanism to Authenticate ePHI (A, Later). There must be a mechanism to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. Meeting this standard will probably involve consulting with your software vendors, if their software does not already comply.

Integrity Control (A, Later). When data are received electronically they must be protected from modification (on purpose or not) or the modification must be detected. For example, a laboratory report from a contract lab must be retained in its original form until the report is disposed of. Clinicians and administrators must be able to trust the data they are using for decisions.

Final Note

Throughout this guidance, the term "later" is relative. There is much to do, a limited time to do it, and possibly serious consequences for not doing it--all good reasons to at least start now.

NOTE: This article is not intended to be legal advice, but rather the author's interpretation and understanding of the current Health Insurance Reform: Security Standards; Final Rule, published February 20, 2003. Facilities should always review compliance issues with competent legal counsel.

RELATED ARTICLE: Implementation Specifications: Required Versus Addressable

Implementation specifications are either "required" or "addressable." If a standard includes a required implementation, the covered entity must assess the risks and must implement the safeguard specified by the rule. If a standard includes an addressable implementation specification, a covered entity must:

1. Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment; and

2. As applicable to the entity:

a. Implement the implementation specification if reasonable and appropriate; or

b. if this is not reasonable or appropriate, document the reasons, and

c. Implement an equivalent alternative measure, if reasonable and appropriate.

RELATED ARTICLE: The Regulatory Basis

The purpose of the Final Rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). This purpose has gained even greater importance since the commitment to work toward an electronic health record (EHR) as a national goal, supported by both major political parties. Before any EHR can be implemented, the goals of the Security Rule must be met. Two quotes from the actual Final Rule will help put the requirements in perspective:

General Requirements--45 CFR 164.306(a)

"Covered entities must do the following:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

4. Ensure compliance with this subpart by its workforce.

Flexibility of approach--45 CFR 164.306(b)

1. Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

2. In deciding which security measures to use, a covered entity must take into account the following factors:

a. The size, complexity, and capabilities of the covered entity.

b. The covered entity's technical infrastructure, hardware, and software security capabilities.

c. The costs of security measures.

d. The probability and criticality of potential risks to electronic protected health information."

RELATED ARTICLE: Information Resources

* Department of Health and Human Services for all source documents related to HIPAA: http://aspe.hhs.gov/admnsimp/index.shtml.

* Healthcare Information and Management Systems Society (HIMSS) provides an excellent CPRI Toolkit that is available to non-members at www.himss.org/asp/cpritoolkit_homepage.asp.

HIMSS has a Long Term Care Special Interest Group that is a great resource for information technology professionals in nursing facilities and other long-term care entities.

* American Health Information Management Association (AHIMA) provides analysis and guidance in the implementation of the HIPAA requirements. Some documents are available to nonmembers, but their members have access to extensive communities of practice (www.ahima.org).

* PricewaterhouseCoopers has an excellent interpretation of the Security Rule at: www.pwchealth.com/cgi-local/hcregister.cgi?link=pdf/securityrules.pdf.

* Jim Albert of Masonicare in Connecticut and other members of the HIPAA Workgroup for the Connecticut Association of Not-for-profit Providers For the Aging (CANPFA) have developed several excellent worksheets and draft policies that the organizations are willing to share. To request copies, e-mail the author of this article.

David Oatway is a consultant with Chesapeake Applied Technology, Key West, Florida, and co-chair of the HIMSS Long Term Care SIG. To comment on this article, e-mail oatway0504@nursinghomesmagazine.com.
COPYRIGHT 2004 Medquest Communications, LLC
No portion of this article can be reproduced without the express written permission from the copyright holder.
Author: Oatway, David
Publication: Nursing Homes
Date: May 1, 2004
Title Annotation: Computer Technology; Health Insurance Portability and Accountability Act of 1996
Geographic Code: 1USA
Words: 2580