HIPAA security is next: don't look now, but yet another set of HIPAA requirements is coming your way. What to do--and not do.


Of the three HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) components, the data security component is the last to be implemented--specifically, by April 21, 2005. Nursing facilities can get a head start on fulfilling these requirements and actually improve their current data practices by taking a reasonable approach to securing their electronic protected health information (ePHI). Facilities planning to acquire new software or hardware that will contain or manage ePHI should study the rule as part of the acquisition process and ensure that their selected vendor(s) can support its requirements.

Don't Wait, Start Now

Fortunately, most of the changes involved in this will be low-cost and actually sensible to implement now, if you haven't already. Others will take longer to implement and need to be started soon to meet the deadline. As with the privacy component, some of the security requirements are technical, and many are operational. Here is an overview of what you should be thinking about now.

Try to Be Reasonable

As directed by Congress, the Department of Health and Human Services (DHHS) has been careful not to specify technologies to meet the HIPAA security requirements, but rather has specified process and outcome requirements. The word "reasonable" appears 57 times in the rule, demonstrating government's willingness to scale solutions according to facilities' different sizes and degrees of sophistication. Consider the following factors in deciding what security measures are reasonable in your situation:

* the size, complexity, and capabilities of your organization;

* its technical infrastructure, hardware, and software security capabilities;

* what reasonable security measures might cost; and

* the probability and criticality of potential risks to the facility's ePHI.

Get Your Own Copy

While facilities may engage consultants to assist with HIPAA compliance, each facility remains responsible for achieving this. To begin with, get a copy of the final rule at www.cms.gov/hipaa/hipaa2/regulations/security/default.asp. The good news is that the actual rule is only eight pages long, along with a preamble of analysis and responses to public comments.

Next, determine whether the rule does, in fact, apply to your facility. If yours is a nursing facility, the rule applies absolutely; all nursing facilities must at least maintain computer-based MDS data and transmit those data to their state agencies. If you operate a CCRC or assisted living facility, the rule applies if you maintain residents' health information on a computer or transmit their ePHI electronically. (Staff employment records are exempt from the rule.)

Know How to Respond

There are two types of Security Rule specifications:

1. Required: The entity must implement the specification.

2. Addressable: The entity must: (a) assess whether the specification is a "reasonable and appropriate" safeguard for its particular environment and (b) as applicable, implement the specification, if reasonable and appropriate, or document why its implementation is not reasonable and appropriate, and document any alternatives taken as being reasonable and appropriate.

The Security Rule in Outline

The following lists various compliance-related activities pertaining to the Security Rule:

1. Administrative safeguards.

Security management process. This includes formal review of information system activity, risk analysis, risk management, and development of a sanction policy.

Assigned security responsibility. Identify who in your facility is responsible for developing and implementing the policies and procedures of the Security Rule.

Workforce security. Develop policies for authorization and/or supervision of staff who work with ePHI, including procedures for clearance and employment termination.

Information access management. Implement policies and procedures for authorizing specific access to ePHI consistent with the applicable requirements of the Privacy Rule.

Security awareness training. Implement a security awareness and training program for all members of the workforce, including management; this includes posting security reminders, log-in monitoring, and establishing password management procedures.

Security procedures. Develop procedures for identifying and responding to suspected or known breach-of-security incidents, mitigating, to the extent practicable, any harmful effects and documenting breach-of-security incidents and their outcomes.

Contingency plan. This includes developing a data-backup plan and a disaster-recovery plan, outlining emergency-mode operational procedures, developing security policy testing and revision procedures, and performing criticality analysis of data and applications.

Evaluation. Perform a periodic technical and nontechnical evaluation based initially on the standards implemented under this rule and, subsequently, in response to any environmental or operational changes affecting the security of ePHI.

Business associate contracts. Document satisfactory assurances from business associates that they have procedures in place consistent with the organizational requirements of the rule.

2. Physical safeguards.

Facility access controls. This requires policies and procedures to limit physical access to electronic information systems and the facilities housing them.

Workstation use. This requires policies and procedures that specify the proper functions to be performed at the workstation, the manner in which those functions are to be performed, and the physical attributes of the workstation as they pertain to these functions.

Workstation security. This requires physical safeguards for all workstations that access ePHI, aimed at restricting access to authorized users only.

Device and media controls. This requires policies for disposal and reuse of data recording media, and accountability for these, as well as data backup and storage.

3. Technical safeguards.

Access controls. This includes a unique user identification process, emergency access procedures, automatic log-off, and measures for encryption and decryption.

Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in an information system that contains or uses ePHI.

Integrity. Have safeguards to protect ePHI from improper alteration or destruction.

Person or entity authentication. Have procedures to verify the identity of the person or entity seeking access to ePHI.

Transmission security. Have safeguards to protect against unauthorized access to ePHI that is being transmitted over an electronic communications network. This includes integrity controls and encryption methods alluded to above.

4. Organizational requirements.

Business associate contracts. Take reasonable measures to ensure that all business associates using or receiving ePHI comply with the rule's requirements.

Group health plans. Review requirements specific to group health plans.

5. Policies/procedures/documentation requirements.

Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards. The policies may be changed at any time provided that the changes are documented and are implemented in accordance with the rule.

Documentation. Maintain policies and procedures, as well as reports of actions, activity, or assessment required by the rule, in a written record (which may be electronic). The documentation must be maintained for six years, be available to those persons responsible for implementing the procedures and, in the case of policies and procedures, be updated as needed in response to environmental or operational changes affecting the security of ePHI.

Conclusion

Obviously, the final Security Rule will take considerable time and resources to implement, even if many of its elements are already in place at your facility. Facilities need to start now to meet the April 21, 2005, deadline.

Information Resources

American Health Information Management Association (AHIMA) www.ahima.org

Centers for Medicare and Medicaid Services (CMS) www.cms.gov/hipaa/hipaa2/regulations/security/default.asp

Department of Health and Human Services (DHHS) www.hhs.gov/ocr/hipaa

Healthcare Information and Management Systems Society (HIMSS) www.himss.org

David Oatway, RN, is President of CareTrack Systems, LLC, Olney, Maryland, and is Vice-Chairman of the American Association of Nurse Assessment Coordinators. He has been a consultant on healthcare automation, clinical systems development, and regulatory affairs for more than 20 years. For further information, e-mail dave@caretracksystems.com. To comment on this article, please send e-mail to oatway0104@nursinghomesmagazine.com.
COPYRIGHT 2004 Medquest Communications, LLC
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Title Annotation: Health Insurance Portability and Accountability Act
Author: Oatway, David
Publication: Nursing Homes
Geographic Code: 1USA
Date: Jan 1, 2004
Words: 1233