Implementation of the security provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 has spawned a cottage industry of businesses offering compliance advice and services to IT managers throughout the U.S.
In an electronic presentation at the 2004 Healthcare Information and Management Systems Society (HIMSS) conference in Orlando, Kristen Sostrom, information security analyst with Integrated Management Services in Arlington, VA, and Jeff Collmann, Ph.D., from the Georgetown University Medical Center in Washington, DC, shared their thoughts on keeping HIPAA security simple.
The duo conceived their plan as an outline for IT administrators who are charged with HIPAA security compliance. For most providers, compliance with the security rule must be in place by April 21, 2005; small health plans have until April 21, 2006.
According to the authors, the security rule establishes four objectives:
- Provide access to authorized individuals while preventing unauthorized access, and ensure accuracy and completeness of information.
- Protect electronic protected health information (EPHI) from reasonably anticipated threats and hazards.
- Ensure that the EPHI is used in accordance with the privacy rule.
- Ensure that employees implement the security rule.
The HIPAA security rule covers three categories: administrative, physical, and technical. Each of these areas has standards, which are required safeguards. Implementation specifications are the steps taken to implement the standards.
Each of the implementation specifications is labeled as either required or addressable for each standard. An addressable specification is one in which a reasonable or cost-effective alternative is allowed to be implemented.
"It’s important to note that standards and implementation specifications state what to do, not how to do it," Sostrom and Collmann wrote. "Covered entities must develop and exercise administrative judgment in complying with HIPAA security."
The authors advised that each addressable implementation specification should be covered in a risk assessment conducted by the facility. If an IT manager found the risk to be reasonable and appropriate, a safeguard would need to be implemented. If the risk was found to be unreasonable or inappropriate, Sostrom and Collmann recommend that an alternative safeguard be implemented.
"In all cases, document everything," the authors emphasized.
Administrative security
The administrative standards comprise the bulk of the security standard. These standards are:
- Security management process
- Assigned security responsibility
- Workforce security
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency plan
- Evaluation
- Business associate agreements and other arrangements
The security management process standard is the foundation of the security program and is used to implement the rest of the rule, according to Sostrom and Collmann. There are four required specifications that must be followed to comply with the standard: risk analysis; risk management; a sanction policy; and an information system activity review.
The assigned security responsibility standard requires that an individual or entity be identified who is responsible for security policies and procedures.
Workforce security has three addressable specifications for standards compliance. These are authorization or supervision for all workforce members, workforce clearance procedures, and termination procedures.
The information access management standard requires that an information access plan be in place, Sostrom and Collmann noted. This is specified in one requirement, that healthcare clearinghouse functions are isolated, and two addressable specifications, that access to EPHI can be only through authorization and that it be established and modified as necessary.
Security awareness and training simply requires that a facility develop a security awareness and training program. The implementation specifications are comprised of four addressable elements: security reminders, protection from malicious software, login monitoring, and password management.
The security incident procedures standard is straightforward; the implementation specification requires that response and reporting procedures must be in place.
Compliance with the contingency plan standard requires that a facility have a data backup plan, a disaster recovery plan, and an emergency-mode operation plan. Addressable elements are testing and revision procedures to ensure the contingency plan is implemented correctly; and applications and data criticality analysis to analyze what is critical in the site’s contingency plan.
The evaluation standard requires a periodic technical and procedural evaluation of the facility’s security-compliance plan.
Lastly, the business-associate agreements and other arrangements standard requires that agreements be established from the facility (which is the covered entity) to businesses that come in contact with PHI.
"The single required implementation specification states that contracts and agreements detailing the assurances must be in writing," Sostrom and Collmann wrote.
Physical security
The physical standards are limited to coverage of the following items:
- Facility access controls
- Workstation use
- Workstation security
- Device and media controls
Compliance with the facility-access controls standard is maintained by limiting physical access to the facility and its electronic information systems. Contingency operations for emergency facility access, a facility security plan, access control and validation procedures, and maintenance records of the controls are the addressable implementation specifications.
The workstation use and workstation security standards have no implementation specifications. Sostrom and Collmann recommend that a facility document the appropriate physical environment and use of workstations to protect health information and that it protect its workstations from unauthorized access.
The device and media controls standard covers items such as permanent and removable disk drives, diskettes, compact discs, memory sticks, tapes, and any other device that is capable of storing electronic information.
The implementation specifications for the standard require that disposal of devices and media track the destruction of the device and that the re-use of re-writeable media be controlled to ensure that the device has been erased before re-use. Addressable areas of the implementation specification are for the accountability of who is responsible for media and hardware, and for data backup and storage of a facility’s media.
Technical security
The technical standards comprise the following areas:
- Access controls
- Audit controls
- Integrity
- Person or entity authentication
- Transmission security
"The access control standard is simply an implementation of technical access control policies and procedures that enforce administrative information access management policies," Sostrom and Collmann wrote.
Required implementation specifications include unique user identification for each user, and emergency access procedures to EPHI. Addressable specifications are automatic logoff after a period of inactivity and encryption and decryption of EPHI.
Compliance with the audit control standard, which has no implementation specification, requires that EPHI activity within a system be recorded and periodically examined.
The integrity standard was put in place to protect EPHI from unauthorized alteration or destruction. The addressable implementation specification suggests that a facility have a mechanism to authenticate EPHI.
The person or entity authentication standard simply requires that technical procedures be installed and used to verify the identity of persons or entities requesting access to EPHI. There are no implementation specifications for this standard.
Lastly, the transmission security standard seeks to guard access to EPHI while it is in transfer. Addressable implementation specifications are technical integrity controls such as the creation of virtual private networks for EPHI transmission, and the encryption of ERHI during transfer.
Policies and procedures
"Covered entities must implement ‘reasonable and appropriate’ policies and procedures to comply with the standards and implementation specifications," Sostrom and Collmann wrote.
The duo recommended that a facility document all policies and procedures and any required action, activity, or assessment, and include a time limit, availability, and update for security compliance.
The authors outlined a four-step plan to keep HIPAA security compliance simple:
- Understand the rule.
- Start with a thorough risk assessment.
- Follow up with a risk management plan.
- Document everything.
Sostrom and Collmann suggest that those wishing a complete copy of the final HIPAA security rule, as well as a plain-English explanation, download the Computer-based Patient Record Institute (CPRI) Comprehensive Toolkit for Health Care Security Management, Version 4, from the HIMSS Web site at http://www.himss.org/asp/cpritoolkit_toolkit.asp.
By Jonathan S. BatchelorAuntMinnie.com staff writer
March 12, 2004
Related Reading
HIMSS offers advice on CMS contingency plan, September 25, 2003
CMS to accept non-compliant transactions after October 16, September 23, 2003
New HIPAA transaction standards in spotlight, September 16, 2003
U.S. health officials warn of potential payment "train wreck", September 12, 2003
X-ray film recycling raises HIPAA concerns, July 10, 2003
Copyright © 2004 AuntMinnie.com
