HIPAA Security Deadline: Getting Compliant

This article will review critical steps that healthcare providers, payers, and clearinghouses must complete to fully comply with the legislation. It will look at the broad requirements of the...

The April 20, 2005 deadline is almost here, by which time all healthcare organizations must be in compliance with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

This article will review critical steps that healthcare providers, payers, and clearinghouses must complete to fully comply with the legislation. It will look at the broad requirements of the HIPAA Security Rule and review the seven steps you and your organization must take to achieve compliance. The operative word here is “review.” Many of the compliance steps outlined should have already been completed by your organization or at least put into motion well before now—if you haven’t started your HIPAA compliance efforts yet, you probably won’t be able to meet all requirements in time for the April deadline. The article also reviews the actions necessary to achieve compliance with the Evaluation standard in the HIPAA Security Rule, which is one of the final tasks an organization must complete prior to the deadline. As written, the Evaluation standard requires small practitioners, hospitals, long-term care facilities, and others to “perform a periodic technical and non-technical evaluation to demonstrate and document compliance with the entity’s security policy and the requirements of the HIPAA Security Rule.”

Healthcare and HIPAA

The healthcare industry accounts for 15% of the GDP of the United States and is the largest segment of the US economy. HIPAA directly affects the entire $1.7 trillion healthcare industry. HIPAA is a comprehensive piece of legislation that includes the Administrative Simplification Title, which sets specific requirements in the areas of Transactions and code sets, Identifiers, Privacy, and Security (TIPS). Tied in to these legislative requirements are compliance dates and penalties for violations.

The HIPAA Security Rule identifies standards and implementation specifications that organizations must meet in order to become compliant. Many large organizations that access, store, maintain, or transmit patient-identifiable information are required by law to meet the HIPAA Security Standards by April 21, 2005 (small health plans have until 2006). Failing to comply can result in severe civil and criminal penalties.

Core Objective: CIA of ePHI

The core objective of the HIPAA Security Rule is for all covered entities such as pharmacies, hospitals, healthcare providers, clearing houses, and health plans to support the Confidentiality, Integrity, and Availability (CIA) of all electronic Protected Health Information (ePHI).

HIPAA Security Requirements

The HIPAA Security Rule outlines the requirements in three major categories:

• Administrative Safeguards

• Physical Safeguards

• Technical Safeguards

Administrative Safeguards

Administrative Safeguards are defined as the “administrative actions, policies, and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” Table 1 (see next page) summarizes standards and implementation specifications defined in the Administrative Safeguards category.

Physical Safeguards

Physical Safeguards are defined as the “security measures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.” Table 2 (see page 30) summarizes standards and implementation specifications defined in the Physical Safeguards category.

Technical Safeguards

Technical Safeguards are defined as the “the technology and the policy and procedures for its use that protect ePHI and control access to it.” Table 3 (see page 31) identifies all standards and implementation specifications defined in the Technical Safeguards category.

The Seven Steps to Compliance

The HIPAAShield™ security methodology identifies seven critical steps that an organization must implement to become compliant with the HIPAA Security Rule.

Step 1: Assign Security Responsibility

Successfully completing this step involves the following activities:

• Develop specific job description

• Identify security officer

• Acquire training

• Establish initial budget

The organization must clearly identify job responsibilities and associated authority to address this requirement. Next, identify the individual in the organization who will be respons-ible for coordinating all activities and initiatives to enable compliance with

the HIPAA Security Rule. This individual will also be responsible for leading the development of all security policies and procedures and coordinating the deployment of appropriate security technologies. Identify key team members to assist with security activities.

Step 2: Conduct Risk Analysis

This step involves the following:

• Conduct vulnerability assessment

• Identify contingency requirements

• Conduct information system activity review

As part of the vulnerability assessment initiative, the organization must create an inventory of all vital enterprise assets, systems, and communications. This information will provide the basis for a comprehensive risk analysis and an information system activity review. For example, a small physician’s practice is moving to install new Web-based applications. It decides to first complete a risk assessment. Upon conclusion of the assessment, the team recommends that the organization install a firewall, upgrade its virus detection and containment software, and implement an automated access control function with an audit capability. In addition, the team emphasizes the need for the organization to develop a user manual and complete training before implementation. This scenario details the impact of a risk assessment in a small physician’s practice. HIPAA Security requires that all organizations conduct a comprehensive and thorough risk analysis on a periodic basis (at least yearly).

Step 3: Develop Security Strategy and Policies

To complete Step 3, you and your organization must:

• Develop information security and other security policy documents

• Document security procedures

• Determine contingency planning requirements

• Develop plans for physical security

All organizations must implement reasonable and appropriate policies and procedures to comply with the standards and implementation specifications of the Security Rule. All organizations must maintain the policies and procedures implemented in written form (which may be electronic). Organizations must develop a security strategy and risk-mitigation plans appropriate for the organization’s mission and priorities.

Step 4: Remediate

Remediation in this context requires the following:

• Implement perimeter defense systems (firewalls, intrusion detection)

• Secure facilities and server systems (harden operating system)

• Implement device and media control solutions

• Implement authentication solutions

• Deploy access control technology

• Implement automatic log-off

• Activate log-in monitoring and auditing capabilities

• Deploy integrity control and encryption technology

• Test contingency planning procedures

Remediation is the step where the rubber meets the road. It is in this step that initiatives are launched to “close and lock” the gaps and risks that are identified. The objective is two-fold: to meet HIPAA Security Rule requirements, and to protect all enterprise assets and communications. It is in this step that security pilot projects are launched and technologies are deployed.

Step 5: Update Business Associate Contracts (BAC)

To complete this step, you must review BACs with all other organizations that access your organization’s ePHI. This step involves updating all BACs to address safeguards, training, and audit requirements.

Step 6: Train all Members of the Workforce

To do this, you must:

• Train all members of the workforce on the HIPAA Security Rule and Security Policy requirements as they apply to your organization

• Consistently communicate security requirements to the workforce through security reminders, updates on malicious software, and password management initiatives

To illustrate how this may be accomplished, let us consider an example from the NIST Special Publications 800-66 document. A small family practice doctor’s office must certify annually that proper licenses for practicing medicine and operating a business are current. As part of this annual review of operations, the practice decides to incorporate a status report on its information security efforts, including a section focusing on an awareness and training plan.

One person—the office manager—is designated as the office’s information security manager. He advises the three physicians, two physicians’ assistants, three nurses, and seven office staff members that they will need to receive a security awareness briefing (which will be delivered via a PC-based tool that the office manager has procured). Several information security posters will be hung in high-traffic areas, and a list of security “do and don’t” items will be routed to all staff.

The doctor’s office will contact the local businesses that provide its IT support and accounts receivable/payable services. The office will hold meetings to discuss how these businesses protect any office/ patient information they may have a need to access and how they train their own employees in information security, including any information security certifications they may require their support staff to acquire and maintain.

Step 7: Evaluate

Evaluation of your compliance efforts entails the following:

• Determine if all vulnerabilities have been addressed

• Verify that all compliance requirements have been met

The Risk Management standard requires that organizations on a regular basis identify, select, and implement controls, countermeasures, reporting, and verification to achieve an appropriate level of risk at an acceptable cost. Organizations must also repeat the process of identification of all ePHI vulnerabilities as well as other information assets and determine appropriate security measures to reduce risk to a reasonable and appropriate level.

The Evaluation Standard: Your Checklist

Evaluation is a HIPAA Security Rule Standard defined within the Administrative Safeguards section (164.308 (a) (8)). The objective of the Evaluation standard is to perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI.

Covered entities are required to periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity’s security policy and the requirements of the Security Rule.

Covered entities must assess the need for a new evaluation based on changes to their security environments since their last evaluation. Reasons for initiating a new evaluation would include an organization adopting new information technology or implementing responses to newly recognized risks to the security of its information.

This evaluation may be performed internally or by an external accrediting agency, which would be acting as a business associate. The evaluation would include both technical and non-technical components of security.

A small provider might be able to self-certify through industry-developed checklists. The evaluation process must be thorough and complete to be sure that the provider’s environment is not vulnerable to threats and attacks.

Table 4 (see next page) may be used to evaluate if your organization has achieved compliance with all requirements of the HIPAA Security Rule. In this table, “S” refers to HIPAA Security Rule Standard, “R” refers to Required Implementation Specification, and “A” refers to Addressable Implementation Specification.

Summary

Healthcare service providers, insurance companies, and state and local government agencies must ensure that their employees are trained and understand the HIPAA Security requirements. The regulations explicitly recognize that very small organizations will be able to satisfy the requirements with less elaborate approaches than larger, more complex organizations. The Security Rule does not address the extent to which a particular entity should implement the standards and implementation specifications. Instead, the Security Rule requires that each covered entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements. Each organization must decide on its own which individual security requirements would be satisfied and which technology to use.

For more information on this topic, check out the bonus HIPAA Security Compliance article at www.mdng.com.