In addition to providing those incentive dollars for meaningful use of a certified EHR, the Health Information Technology for Economic and Clinical Health Act (HITECH) significantly strengthened aspects of the HIPAA security rule, including the penalties imposed under HHS and the Office of Civil Rights.
If you are a “Covered Entity” (CE) or “Business Associate” (BA) it’s time to get serious, the deadline to be fully compliant with these final HIPAA rules has now passed.
Remember, HIPAA comprises three sets of standards — transactions and code sets, privacy, and security. The goal was to:
- Simplify the administration of health insurance claims and lower costs
- Give individuals more control over and access to their medical information
- Protect individually identifiable medical information from threats of loss or disclosure
But this is not news! The HIPAA Security Final Rule was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003.
Most covered entities had two full years — until April 21, 2005 — to comply with these standards.
The reality is, though, that most covered entities, especially providers (read medical practices), did not comply by that date and are still not HIPAA compliant today.
In general, the HIPAA Security Rule protects electronic patient health information (EPHI) whether it is stored in a computer or printed from a computer.
The Security Rule is comprehensive including 18 regulation standards defining what safeguards to implement and 35 specifications that describe how those standards must be implemented. The documentation requirements for the Security Rule are daunting to say the least.
Most experts originally agreed that the HIPAA Security Rule requirements were much more extensive than the HIPAA Privacy Rule — and you know how much your practice has done to accommodate that!
To make matters worse, most medical practices covered by the Rule continue to have limited staff resources to comply with the Security Rule. And available information security consulting expertise in many communities has been and remains limited.
The combination of all of these forces has produced a very clear result: very poor information security in the healthcare industry.
What is new? Enter the HITECH Act, called a “game-changer” and “ground-breaking”.
Without a doubt, HITECH requires the largest and most consequential change to the federal privacy and security rules ever.
In 15 areas, HITECH brings new federal privacy and security provisions that will have major financial, operational and legal consequences for all medical practices, hospitals, health plans, and their “business associates.”
HHS Secretary Kathleen Sebelius made clear the importance of privacy and security in announcing the “Notice of Public Rule Making-Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under HITECH” recently: “To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”
HIPAA requires all healthcare CEs — that’s you! — and their BAs — that’s me, for instance! — to safeguard the privacy of patient health information. The HIPAA law also requires CEs and BAs to implement required security measures to protect patient health information.
And HHS’s Office of Civil Rights (OCR) is coming to audit that compliance. The security audits will check that organizations have completed a risk assessment and implemented appropriate administrative, technical, and physical safeguards.
What do you do? Start by doing that risk assessment first. That will let you establish a baseline scorecard against which you can begin to track your progress on compliance with the privacy and security regulations.
Your analysis should include administrative, physical, and technical safeguards as well as organizational requirements and policy and procedure documentation requirements.
Examples of items in your risk assessment are in the following table:
|Implementation Specification||Assessment Item||
Policy and Procedure Recommendation
|Technical safeguard||Is your Protected Health Information (PHI) data encrypted? Discuss options with your vendor for how best to encrypt patient data.||Implement policies to periodically confirm that your encryption processes are up to date.|
|Physical safeguard||Workstation security||Develop policies for limiting workstation access during off-hours by unauthorized employees.|
|Administrative safeguard||Termination procedure||Document what the practice does to prevent unauthorized access to PHI by former employees.|
|Technical safeguard||Backup and recovery||Document your data backup plan, disaster recovery plan, and emergency mode of operations plan.|
In addition to plowing through the Final Rule, there are other resources available to help you assess and document your risk analysis, including a whole industry built around HIPAA and HITECH compliance. Here are three websites that offer — for a price — toolkits and training: www.hipaasecurityassessment.com, www.training-hipaa.net, and www.hitechanswers.net.
Aside from the importance of keeping your dealings with your patients confidential, there’s a solid business reason for getting compliant: New penalties for violating HIPAA and HITECH Act security regulations are enormous — up to $1.5 million in fines for multiple violations of a single requirement in a calendar year, and untold damage to your reputation and mine.
Rosemarie Nelson is a principal with the MGMA Health Care Consulting Group.