Your next step in HIPAA compliance: the security rule
From the January/February ACP Observer, copyright © 2004 by the American College of Physicians.
By Jackie Blaser
Now that you're on your way to meeting the requirements of the privacy and transactions rules, what's your next step in complying with the Health Insurance Portability and Accountability Act (HIPAA)? Implementing the HIPAA security rule.
The final security rule was published last February, with a compliance deadline of April 21, 2005. That may seem like a long way off, but the new security requirements are directly related to the act's two other rules. Addressing aspects of security now in conjunction with those other requirements will save you time and hassles later.
The security rule is the third major rule of HIPAA. The HIPAA privacy rule, which went into effect in April 2003, spells out how individually identifiable patient health information—whether it's written, oral or electronic—can be used and disclosed. (The privacy rule also gives details about what rights patients have regarding the confidentiality of their own health information.)
The transactions rule, which went into effect last October, creates common technical standards for electronically conducting certain transactions, such as claims and remittances. The security rule, on the other hand, establishes standards to safeguard the security of electronic health information, whether that information is being used, stored or transmitted.
Because the privacy rule touches on the security of all patient health information—including any data in an electronic format—there is some overlap between the privacy rule and the security rule. However, the security rule goes into much more detail about how medical groups, as well as health plans and clearinghouses, must protect electronic information.
And like the privacy rule, the security rule was intentionally designed to be flexible, allowing groups to decide what aspects of the rule apply to their practice, based on their financial and staff resources. Because the rule is written very broadly, compliance for a large, multispecialty group will be very different from that for a solo practitioner.
The security rule creates more than a dozen security standards, which fall into three basic categories:
Administrative safeguards. Practices must adopt formal administrative procedures designed to protect personal electronic health information. They must, for instance, designate a security officer to assess the group's potential security risks and monitor compliance efforts.
Physical safeguards. Practices must implement procedures to safeguard their computer systems and other equipment, as well as the buildings where the practice is housed.
Technical safeguards. Groups must make sure that technical safeguards—such as network firewalls, passwords and automated log-offs—are in place to control and monitor access to electronic information. Those procedures are meant to protect against inappropriate use of information by both external and internal sources.
To help practices meet the rules, some standards include detailed "implementation specifications."
One size does not fit all
Some of these implementation specifications are required, while other specifications are designated as "addressable." The addressable specifications build flexibility into the rule, making it possible to scale security standards to a practice's needs and resources.
Here's an example of a required specification: All practices—regardless of their size—must implement unique user identification technology. Each person who uses the group's computer system must have a user ID to control computer access to protected information. This ID will also allow the group to track that person's information use.
For addressable specifications, however, a practice can decide whether or not a particular specification is reasonable or applicable. If it is not reasonable, the practice can implement an alternative measure to meet the standard. If the specification does not apply, the practice doesn't need to implement one at all.
For example, one addressable specification concerns the use of encryption to protect the transmission—via e-mail, for example—of protected information. If your practice decides encryption is not reasonable or appropriate, you can choose to not implement this specification and instead implement an alternative means of meeting the standard. You must, however, document why the specification is not appropriate.
And if the specification doesn't apply to your practice—because you don't use e-mail, for instance—you must document why you're exempt from the specification.
When choosing not to implement an addressable specification, however, keep in mind that you may make that choice only if the specification truly does not apply to your office. You can't decide not to implement an addressable specification simply because you don't want to.
To help you comply, the College's Practice Management Center (PMC) has developed a "HIPAA Security Manual" that takes you through the process step-by-step. For this and other HIPAA resources, visit the PMC Web site.
Jackie Blaser is a representative with ACP's Practice Management Center.
Internist Archives Quick Links
ACP Clinical Shorts
Expert Education on Your Schedule
Short videos deliver highly focused answers to challenging clinical situations seen in practice and are a terrific way to earn CME credit on-the-go. See more.
New: Free Modules from ACP Practice Advisor!
Keep your practice moving in the right direction. ACP Practice Advisor is offering four modules that you and your staff can try for free. Get to know the premier online practice management tool at no risk. Explore the modules.