Securing the ‘Security Rule’
Importance of HIPAA Compliance for All Practitioners
Evidence is mounting that the U.S. Department of Health and Human Services is beginning to crack down on medical practitioners, and on the vendors who work with them (defined under HIPAA as Business Associates), who are not acting in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its Security Standards (the “Security Rule”). This is potentially bad news for the many health care providers and Business Associates who have taken a less than rigorous approach toward compliance.

How does a health care provider or Business Associate become compliant? First, let’s take a brief look at the Security Rule itself. The Security Rule’s primary objectives are to ensure the confidentiality, integrity and availability of electronic protected health information (PHI). In plain English, the law was written to ensure that adequate safeguards are put in place to protect patient information from (i) unauthorized access and disclosure, (ii) improper alteration or deletion, and (iii) being inaccessible when needed.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the 2009 stimulus bill. One of the primary purposes of the HITECH Act was to provide a series of amendments, clarifications and updates to HIPAA, including a significant increase in enforcement activity and penalties. The HITECH Act also marked the first time that Business Associates could be held directly liable for HIPAA violations. It is worth noting that while the Security Rule has been in force since 2006, the minimal penalties initially permitted for non-compliance created little incentive for health care providers to invest in compliance. With the HITECH Act ushering in penalties of up to $1.5 million per year for violations of a single provision, noncompliance is a costly risk.
The Security Rule focuses on three core areas: Administrative, Physical and Technical Safeguards. The following review covers just a few of the items from each of these three areas to provide a better understanding of some of the requirements for health care providers and their Business Associates to consider for their compliance activities.
Administrative Safeguards
Under the Administrative Safeguards, a health care provider or Business Associate is required to keep an accurate inventory of the hardware and software that store or process PHI. This inventory is crucial for determining which devices need to be protected from viruses and spyware, have their logins monitored, and have their passwords managed. Furthermore, not only does each employee require a unique login (shared accounts make it impossible to attribute an access to a person), but each employee should be granted access only to the PHI required to complete their specific job tasks.
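The unique-login and minimum-necessary requirements above are easier to reason about when they are enforced in one place. The following is an added example (not code from the original article or from Precision Business Solutions): a small PHI store that releases only the fields a user’s role is permitted to see, fails closed when nothing requested is in scope, and writes an audit event for every access so that out-of-scope requests can be reviewed. The roles, the role-to-field policy, the user names and the patient record are all constructed for illustration.

```python
"""Minimum-necessary access to PHI with per-user audit logging.

Added example, not code from the original article. The roles, the
role-to-field policy and the patient records are assumptions
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List

# Assumed policy: each role gets only the PHI fields its job tasks need.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "physician":  frozenset({"name", "dob", "diagnosis", "medications", "notes"}),
    "nurse":      frozenset({"name", "dob", "medications"}),
    "billing":    frozenset({"name", "dob", "insurance_id"}),
    "front_desk": frozenset({"name", "appointment"}),
}

# Constructed, fictitious sample record keyed by patient id.
RECORDS: Dict[str, Dict[str, str]] = {
    "P-1001": {
        "name": "A. Patient", "dob": "1970-01-01", "diagnosis": "hypertension",
        "medications": "lisinopril", "notes": "follow-up in 3 months",
        "insurance_id": "INS-42", "appointment": "2024-05-02 09:00",
    },
}


@dataclass(frozen=True)
class User:
    user_id: str   # unique login per employee; never a shared account
    role: str


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user_id: str
    patient_id: str
    requested: FrozenSet[str]
    released: FrozenSet[str]
    denied: FrozenSet[str]


class PHIStore:
    """Releases only the fields a user's role permits and logs every access."""

    def __init__(self, records: Dict[str, Dict[str, str]]) -> None:
        self._records = records
        self.audit_log: List[AuditEvent] = []

    def read(self, user: User, patient_id: str, fields: Iterable[str]) -> Dict[str, str]:
        requested = frozenset(fields)
        # An unknown role maps to an empty set, so it can read nothing.
        allowed = ROLE_FIELDS.get(user.role, frozenset())
        released = requested & allowed
        denied = requested - allowed
        # Log before deciding, so refused attempts are recorded too.
        self.audit_log.append(AuditEvent(
            ts=datetime.now(timezone.utc).isoformat(),
            user_id=user.user_id, patient_id=patient_id,
            requested=requested, released=released, denied=denied,
        ))
        if not released:
            # Fail closed: nothing requested is within this role's scope.
            raise PermissionError(
                f"{user.user_id} ({user.role}) may not read {sorted(requested)}")
        record = self._records[patient_id]
        return {f: record[f] for f in sorted(released) if f in record}

    def denied_requests(self) -> Dict[str, int]:
        """Per-user count of accesses that asked for out-of-scope fields.

        This is the kind of summary a login-monitoring review would look at.
        """
        counts: Dict[str, int] = {}
        for ev in self.audit_log:
            if ev.denied:
                counts[ev.user_id] = counts.get(ev.user_id, 0) + 1
        return counts


if __name__ == "__main__":
    store = PHIStore(RECORDS)
    physician = User("jdoe", "physician")
    desk = User("msmith", "front_desk")
    print(store.read(physician, "P-1001", ["name", "diagnosis"]))
    # The diagnosis is silently withheld from front-desk staff and logged as denied.
    print(store.read(desk, "P-1001", ["name", "appointment", "diagnosis"]))
    try:
        store.read(desk, "P-1001", ["diagnosis"])
    except PermissionError as exc:
        print("denied:", exc)
    print(store.denied_requests())
```

The audit event is appended before the permission decision is made, so a refused request leaves the same trail as a granted one; that is what makes the `denied_requests` summary useful when reviewing logins.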
Physical Safeguards
Physical safeguards are the traditional controls that protect your equipment, such as locked doors, screen barriers and cameras. A data backup is also required, and it should be maintained offsite so that PHI is not lost in the event of a disaster such as a fire, flood or theft. While many of these requirements may seem excessive (for example, maintaining a log of all door locks), it is important to remember that the Security Rule applies to all organizations, regardless of size. Continuing with the door lock example, some businesses have only a front door and a back door, which use the same key. Other organizations may not have traditional door locks at all, instead using electronic key fobs. The Security Rule requires that each business respond to the requirement in a manner that is reasonable for the entity’s size and level of sophistication.
The word “reasonable” is found throughout the Security Rule. This allows for interpretation of the law. Is it reasonable to have redundant servers in a secondary facility which can be used in the event of an outage? Probably not for one-physician practices with only four computers. But if that organization were a multi-hospital health system, then yes, it would be reasonable to establish those kinds of failover systems.
Technical Safeguards
Technical Safeguards address the way in which health care providers and Business Associates manage electronic PHI. One commonly discussed Technical Safeguard, and a frequent source of confusion, is encryption. Unfortunately, some “IT Professionals” upsell their clients on encryption packages because it’s “the law.” In reality, these vendors are either uneducated or taking advantage of a client who is relying on them for guidance. A review of the Security Rule indicates that encryption is an “addressable” specification: it is required where it is reasonable and appropriate to protect PHI, and where an organization decides it is not, the organization must document that decision and implement an equivalent alternative measure. If Electronic Medical Records are accessed only on an internal, private network, encrypting that traffic is probably not required. But if a physician wants to finish reviewing some remaining charts from the comfort of his or her den, then yes, the connection between the home and the office should be encrypted, using a VPN or similar connection. Likewise, a laptop or USB drive that leaves the office with PHI on it is exactly the case where encrypting the data at rest is reasonable and appropriate, and it is the kind of loss that most often turns into a reportable breach.
The Security Rule is comprehensive and technical. Both an investment of time and the help of an IT Professional educated in the Security Rule are necessary to complete implementation. It is law, and both health care providers and Business Associates are required to comply.
We often hear a client’s frustration. Specifically, many clients have been lulled into a false sense of security. “But I’m a small fish, they’re not going to audit me. They’re going to go after the hospitals and the big chains.”
Enforcement data, however, suggests that this logic is faulty. The case of Phoenix Cardiac Surgery is evidence to this effect. Phoenix Cardiac Surgery is a small practice which employs only five physicians. According to the U.S. Department of Health and Human Services, a recent investigation determined that the practice was posting patient appointments on an Internet-based calendar that was publicly accessible. The investigation also showed that the practice had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rule and had insufficient safeguards in place to protect patients’ electronic health information.
Not only was Phoenix Cardiac Surgery required to pay a settlement of $100,000, but it also had to ensure future compliance with the Security Rule and overcome the negative media attention.
For businesses that haven’t yet given the Security Rule the attention it deserves, it’s not too late, but compliance is rarely a task that can be completed overnight. Precision Business Solutions has spent more than a year developing a comprehensive solution for our clients in health care. Developing our custom software and automated processes involved a significant investment in gaining knowledge and experience with HIPAA and the Security Rule, and in employing the aid of attorneys focusing on HIPAA to ensure our solutions are comprehensive.