Next on the HIPAA agenda: protecting security
From the March ACP Observer, copyright © 2005 by the American College of Physicians.
By Margo J. Williams, MHA
When the final phase of the Health Insurance Portability and Accountability Act (HIPAA) takes effect next month, will your practice be ready? The answer to that question could be yes because this rule should be less demanding to implement than the HIPAA privacy and transactions rules. But you still need to take a few steps to review your practice just to make sure.
On April 20, the HIPAA security rule becomes law. And while it is designed to protect electronic health information, making sure you comply will also safeguard your practice and your patients' trust.
Required vs. addressable standards
The HIPAA security rule lays out 18 standards to safeguard electronic patient information. These standards fall into two categories: required and addressable. Required standards are mandatory—but that doesn't mean addressable standards are optional. They are, however, somewhat more flexible.
While required standards are mandatory, addressable standards are somewhat more flexible.
For an addressable standard, a practice needs to implement that standard if it is appropriate to do so, or document why the standard doesn't apply and implement a reasonable alternative that satisfies the standard.
For example, "Encryption and Decryption" is an addressable access control standard that doesn't apply to your practice if you don't use e-mail. If you do use e-mail, however, but don't have encryption software, then you can use a secure messaging service that verifies the identity of both doctor and patient. You also need a clear policy on what is and is not appropriate in patient e-mail. (A complete list of required and addressable standards can be found on page 142 of ACP's "HIPAA Security Rule Manual." Also see "Online HIPAA help" for additional information.)
The good news is that meeting each of the 18 standards is not particularly difficult. In fact, the software you're already running may make compliance a snap.
For example, one requirement says you must back up your data. Just about every software vendor includes a process to do so, whether on tape, CD or other device, in case of a power outage or other computer emergency. Similarly, password protection—one of the 18 standards—is a "given" in virtually every computer system sold today.
Making sure you're ready
While you may already have many of the security rule provisions covered, you should conduct an analysis of your practice's information systems just to be safe. Here are some items to check:
Verify that all your business associate contracts are up to date, especially with vendors and those with whom you do business electronically. That includes your billing company and software vendors.
Check with your practice management software vendor to make sure all features—such as audit controls, password management, automatic logoff and screen savers—are available and turned on properly.
Make sure your office policies and procedures cover security-related issues, such as workstation use and protection, password management, employee termination procedures and sanctions.
If your practice uses e-mail with patients or other providers, make sure protected health information is secure by using encryption software or some other security means.
Verify that antivirus and firewall subscriptions are current and being used properly.
Review and update practice contingency plans related to data backup and storage, disaster recovery and emergency operations.
The business case for security
As with the other HIPAA rules thus far, security rule enforcement will be complaint-driven. But following the rules makes good sense for other reasons. Losing patient data, temporarily closing down operations because of technological issues or stopping a terminated employee from accessing your system without authorization—these are the types of scenarios compliance will help you avoid.
Finally, new national provider identifiers are next on the HIPAA front. You can begin applying for your new 10-digit national provider identification (NPI) number this May.
These will replace all other provider identifiers, including Medicare's unique provider identification number. Look for information in next month's ACP Observer about how to apply for your NPI and the deadlines for using it.
Margo Williams is a practice management associate in ACP's Washington Office.
For more help with HIPAA, including forms, tables and sample policies, members can download a free copy of the Practice Management Center's "HIPAA Security Manual." (Registration is required.)
Internist Archives Quick Links
Not an ACP Member?
Join today and discover the benefits waiting for you.
ACP offers different categories of membership depending on your career stage and professional status. View options, pricing and benefits.
A New Way to Ace the Boards!
Ensure you're board-exam ready with ACP's Board Prep Ace - a multifaceted, self-study program that prepares you to pass the ABIM Certification Exam in internal medicine. Learn more.