Home

Cover Story

Table of Contents

E-Newsletter

Article Archive

Editorial Calendar

Datebook

Writers' Guidelines

Orgs/Links

Opinion Polls

Reprints

Forum

For other articles and previous issues click here.

March 21, 2005

One-Month Checkup
By Carol Ann Quinsey, RHIA, CHPS
Radiology Today
Vol. 6 No. 6 P. 22

The HIPAA security rule takes effect next month (except for small health plans). Is your facility ready?

In the past year, a great deal has been published about the HIPAA security rule. Now that the April 21 deadline for compliance is looming, it makes sense to review its requirements and some of its key concepts. If by chance you are still not prepared, there are a few things that can be done—even at this late date.

HIPAA History
The final HIPAA security regulations were published February 20, 2003, by Health and Human Services. Like the privacy rule, covered entities were given two years to comply (except small health plans, which have until April 2006).

While the privacy rule covers all protected health information (PHI) in organizations, the security rule is narrower in scope. It complements the privacy rule by establishing the baseline for securing electronic health information.

The security rule is based on three principles: comprehensiveness, scalability, and technology neutrality. The rule addresses all aspects of security, assures that the rule can be implemented effectively by organizations of any type and size, and does not require specific technology.

ePHI (electronic protected health information) is PHI maintained or transmitted in electronic form. Some examples of ePHI are patient information—including diagnostic images—stored on magnetic tapes or disks, optical disks, hard drives, and servers. Examples of transmission media include Internet and extranet technology, leased lines, private networks, and removable media such as disks.

Some examples of information not covered by the security rule include information that was not in electronic form before the transmission (eg, messages left on voice mail or faxes when the information was not in electronic form prior to the transmission). However, some of these items are covered under the privacy rule.

Implementation specifications may be “required” or “addressable.” All standards in the rule must be implemented. Required implementation specifications must be implemented as stated. Addressable implementation specifications must be implemented as stated in the rule or in an alternate manner that better meets the organization’s needs. This allows some flexibility in implementing the standard. Should an organization choose to execute the implementation specification in an alternate manner, it must document the reason.

Safeguards include administrative, physical, and technical issues an organization must consider in implementing the standards and implementation specifications included in the rule. Safeguards are not limited to technology. They also require policies and procedures for the workforce to follow and sanctions for noncompliance.

Scalability allows organizations to decide on security measures appropriate to their operational risks. Factors such as the organization’s size and complexity, hardware and software, costs of implementing additional security, and the threats and vulnerabilities identified in a risk analysis serve as guidelines toward implementing appropriate measures.

Rule at a Glance
In a hospital setting, information technology staff outside the radiology department may be driving the facility’s security rule effort. If you’re a radiology manager in that situation, assess those efforts as they apply to your department. If a technologist, pay attention to where you interface with electronic data and make sure you understand your role in the process.

Security rule standards are grouped into five categories:

• administrative safeguards;

• physical safeguards;

• technical safeguards;

• organizational standards; and

• policies, procedures, and documentation requirements.

If you have any interaction with electronic data and have not previously done so, read and study the security rule. Here is a summary of the important elements.

Administrative safeguards (164.308) include the following:

• Security Management Functions require organizations to analyze their risks to security and implement policies and procedures that prevent, detect, and correct security violations and define appropriate sanctions for security violations.

• Assigned Security Responsibility requires organizations to identify the individual responsible for overseeing development of the organization’s security policies and procedures.

• Workforce Security requires organizations to have policies and procedures to ensure that members of the workforce have access to information appropriate for their jobs and clear termination procedures.

• Information Access Management requires organizations to implement procedures authorizing access to ePHI.

• Security Awareness and Training requires organizations to offer a security awareness and training program for all members of its workforce, including management.

• Security Incident Procedures require that there be policies and procedures for reporting and responding to security incidents.

• Contingency Plan requires an organization to have policies and procedures for responding to an emergency or occurrence (such as fire, vandalism, or natural disaster) that damages equipment or systems containing ePHI in case that information is not available to caregivers when and where it is needed.

• Evaluation requires that organizations periodically monitor adherence to security policies and procedures, document the results of monitoring activities, and make appropriate improvements in policies and procedures.

• Business Associate Contracts and Other Arrangements require that contracts between a covered entity and business associates provide satisfactory assurance that appropriate safeguards will be applied to protect ePHI that it creates, receives, maintains, or transmits on behalf of the covered entity.

Physical safeguards (164.310) include the following:

• Facility Access Controls require limitations on physical access to equipment and locations that contain or use ePHI.

• Workstation Use requires descriptions of what tasks can be performed at each workstation, the manner in which tasks can be performed, and the physical attributes of areas where workstations with access to ePHI are located.

• Workstation Security requires a description of how workstations permitting access to ePHI are protected from unauthorized use, including portable workstations such as laptops and personal digital assistants.

• Device and Media Controls require organizations to address the receipt and removal of hardware and electronic media that contain ePHI. This includes the use, reuse, and disposal of electronic media containing ePHI both within and outside the organization (for example, a third-party vendor’s potential reuse of backup tapes).

Technical safeguards (164.312) include the following:

• Access Control requires policies and procedures limiting access to ePHI to persons or software programs requiring the ePHI to do their jobs.

• Audit Controls require installation of hardware, software, or manual mechanisms to examine activity in systems containing ePHI.

• Integrity requires policies and procedures that protect ePHI from being altered or destroyed in any way.

• Person or Entity Authentication requires implementation of measures to prevent unauthorized users from accessing ePHI.

• Transmission Security requires mechanisms to protect ePHI being transmitted electronically from one organization to another.

Organizational requirements (164.314) include the following:

• Business Associate Contracts or Other Arrangements requires organizations to document that its business associate contracts or other arrangements comply with the security measures when handling ePHI.

• Requirements for Group Health Plans require each organization to ensure its plan documents that appropriate safeguards will be implemented for ePHI.

Policies, procedures, and documentation requirements (164.316) include the following:

• Policies and Procedures require that organizations implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the security rule.

• Documentation requires that written or electronic records of policies and procedures implemented to comply with the security rule be maintained for a period of six years from the date of creation or the date when last in effect.

What Should Be Done By Now
If your organization has identified its security officer, completed the risk analysis, carried out remediation efforts, updated policies and procedures, and completed security awareness training, you are ready to roll. Most covered entities estimated their preparation time would entail six to 12 months of work. With only a short time left before the compliance date, most everything should be in place.

As with the privacy rule, there will be no routine monitoring for compliance with the security rule. Enforcement will be based on complaints investigated by the Office of Civil Rights. Should it find lack of compliance with the provisions of the security rule during investigations, penalties could be forthcoming.

Playing Catch-Up
If you are not completely prepared, here are a few tips that may be useful:

• If you have not already done so, appoint a security officer. In some organizations, the responsibilities have been assigned to someone carrying a different title, which is not a problem. In your documentation, just be clear about who has that role; in training, be sure employees know who that person is.

• Next, organize and start to conduct a risk analysis. Everything else should flow from that document. (Several excellent resources are listed in the accompanying box.) It is not necessary to hire a consultant to do this work, although it could be helpful in some organizations.

• Develop a training plan and train your personnel on security awareness. Some elements of security may have been included in the training for the privacy rule implementation. However, the focus of security training should be on items pertaining to malicious software, password management, and access monitoring and security reminders. These are required training elements of the security rule.

Some other items to examine and take steps to remedy now include the following:

• Check for policy and procedure updates that might be driven by your password management program, including remote access to your information systems.

• Ensure that you have contingency plans describing how business will be conducted in the event of a disaster. (Note that contingency plans are different from backup plans for your data.) Your contingency plan may include reverting to paper from electronic systems depending on the extent of the disruption. Staff members need to know how to conduct business in the wake of a disaster, where supplies are kept, and how paper forms are used.

• Review business associate agreements for elements that may be specific to the security rule implementation, such as allowing access to information systems only for specific purposes and time periods for items such as updates and troubleshooting.

• Evaluate reuse or destruction of media processes such as discs or CD-ROMs used as backups to the electronic master patient index. Also, be certain to clean hard drives on computers transferred within the facility or sold or donated to charity.

Final Thought
As with the privacy rule, compliance with the security rule is a journey, not a switch that can be flipped. Most organizations will be on this journey throughout their existence. However, the most important part of any journey is taking the first step and then staying on course. Take time now to check on where your organization is on its journey toward compliance and help correct the course if necessary. It is never too late to start.

— Carol Ann Quinsey, RHIA, CHPS, is the AHIMA professional practice manager.

Security Rule Resources
Amatayakul M. Kick starting the security risk analysis. J AHIMA. 2004;75(7):46.

Amatayakul M. Practice brief: Security risk analysis and management: An overview. J AHIMA. 2003;74(9):72A-G.

Amatayakul M. Security awareness: The right messages. J AHIMA. 2004;75(4):56.

Amatayakul M, Lazarus SS, Walsh T, Hartley C. Handbook for HIPAA Security Implementation. AMA Press: 2004.

Cooper T. An updated toolkit for security strategies. J AHIMA. 2004;75(7):42.

Eight security compliance tasks you can start now. Health Information Compliance Insider. Brownstone Publishers, Inc.: April 2003.

Get set to comply with final HIPAA security regs. Health Information Compliance Insider. Brownstone Publishers, Inc.: April 2003.

Quinsey CA. A HIPAA security overview. J AHIMA. 2004;75(4):56A-C.

Security Standards Final Rule. 45 CFR Parts 160, 162, 164. Federal Register 68, no. 34 (February 20, 2003). Available at: http://www.hhs.gov/ocr/hipaa

Take four steps to address “addressable” implementation specifications. HIPAA Security Compliance Insider. Brownstone Publishers, Inc.: April 2003.

Subscribe to Radiology Today Magazine!

Radiology Today Cover Image
Copyright © 2007 Great Valley Publishing Co., Inc.
3801 Schuylkill Rd • Spring City, PA 19475
Publishers of Radiology Today
All rights reserved.