Another Deadline Looms…Providers Must Be HIPAA Security Rule Compliant by April 2005

The HIPAA Security Rule deadline is April 21, 2005. Ready or not, here we go with another HIPAA compliance effort! But where to start? As always, health care providers need to start by conducting a risk assessment.

Risk Assessment

The first step to addressing security issues is to conduct a risk assessment. This was true for HIPAA Privacy Rule compliance, and it holds true for HIPAA Data Security Rule compliance as well. The HIPAA Data Security Rule addresses two different categories of implementation specifications: those that are “required” and those that are “addressable.” “Addressable” means that the Data Security Rule gives a provider flexibility in implementing a strategy for addressing an information security issue. If anyone can access protected health information and the provider did not properly try to prevent such access, then the provider could be viewed as non-compliant. A health care provider must assess the risks and take appropriate steps to protect itself and the protected health information in its possession.

The Data Security Rule requires providers to conduct a detailed risk analysis and create an ongoing risk management program with respect to data security. Such an analysis helps the provider determine which risks can affect the security of protected health information. Providers are responsible under the Data Security Rule for appointing someone to administer a data security program that complies with the HIPAA Data Security Rule. This individual will be called the Data Security Officer.

Awareness

The Data Security Officer should make creating awareness among employees of what constitutes a data security risk a very high priority. As with fraud and abuse as well as privacy, a critical goal is to encourage employees to come to the compliance officer for each area and report problems rather than either remaining silent or complaining to the federal government about the problem. Employee reporting gives the provider the opportunity to investigate and resolve the problem efficiently and effectively without interference from governmental authorities.

One area that employees will surely encounter is the use and disposal of protected health information stored on removable media. First, the provider must ensure that such information is not improperly disclosed. Second, the provider must remember to remove protected health information before the removable media is discarded. Two possible approaches to ensuring protection are encryption and a policy and procedure that prohibits reusing data disks.

Plan, Plan and Plan

Health care providers are required, under the HIPAA Data Security Rule, to ensure the confidentiality of all electronic protected health information. Protection must be provided against any reasonably anticipated threats or hazards to the security of such protected health information.

Compliance

Providers must establish policies and procedures to ensure that protected health information is protected in its electronic form. As with the HIPAA Privacy Rule, the health care provider must make, and be able to show, a good faith effort at compliance. Part of this good faith effort is training employees on the policies and procedures. The other aspect is treating Data Security compliance as a whole new area requiring compliance. Providers must be very careful not to delude themselves into thinking that HIPAA Privacy Rule compliance automatically means Data Security Rule compliance. There certainly is overlap; however, Data Security deals with many different areas including, as an example, risks involving computer passwords as well as employee access to electronic protected health information once that employee leaves his job position.

For more information, please call or e-mail.