Review Your HIPAA Compliance Now
Part 2: Update your security policies.
Recent changes to the Health Insurance Portability and Accountability Act (HIPAA) mean that all health care practices and facilities should be reviewing their processes to ensure compliance. Enhancements under the American Recovery and Reinvestment Act (ARRA) of 2009 have strengthened both the Privacy Rule (see part 1 of this series, “Review Your HIPAA Compliance Now,” in the August Coding Edge) and the Security Rule, which we’ll cover here.
ePHI Must Be Secure
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (ePHI). ePHI is any protected health information that is stored, accessed, transmitted, or received electronically. Examples of electronic media are: computers, laptops, disks, memory sticks, smart phones, personal digital assistants (PDAs), servers, disk drives, network systems, email, websites, etc.
Like the Privacy Rule, the Security Rule defines “confidentiality” to mean that ePHI should not be made available, nor disclosed, to unauthorized persons. The Security Rule promotes two additional goals of maintaining the integrity and availability of ePHI. Under the Security Rule, “integrity” means that ePHI is not altered or destroyed in an unauthorized manner; and “availability” means that ePHI is accessible and usable on demand by an authorized person.
Flexibility for how a practice complies with the Security Rule is allowed based on the office’s size and resources. But all covered entities must review and modify their security measures to continue protecting ePHI in a changing environment. This means:
- Identifying and protecting against reasonably anticipated threats to the security or integrity of the information
- Protecting against reasonably anticipated impermissible uses or disclosures
- Ensuring compliance by your workforce
The Security Rule requires a practice to:
- Identify potential risks to ePHI
- Implement appropriate security measures to address these risks
- Document what you did
- Devise policies and procedures that outline all required steps your office will take to maintain these security measures
- Routinely assess that your office is maintaining continuous, reasonable, and appropriate security protections for your ePHI
Your policies and procedures will be unique to your office—reflecting your specific business needs and risks—and are in addition to the Privacy Rule’s policies and procedures required to comply with HIPAA.
Conduct a Risk Assessment
As a first step, your office should conduct a security risk assessment (also referred to as a risk analysis). Areas to include in the assessment are outlined in sections 164.308, 164.310, and 164.312 of the HIPAA regulations (available at the electronic Code of Federal Regulations (e-CFR) website: http://ecfr.gpoaccess.gov). See the security standards matrix below for a list of risk assessment requirements in the Security Rule. There are 18 standards and 42 implementation specifications, of which 20 are “required” and 22 are “addressable.”
Whereas required implementation specifications must be implemented as written, addressable implementation specifications need only be implemented as written if they are assessed as reasonable and appropriate safeguards for the practice’s environment. If an addressable specification is assessed as unreasonable, you must document why and implement an alternative, equivalent safeguard that is reasonable for your environment. In other words, addressable specifications must still be addressed, but they offer greater flexibility in how.
Use the Security Standards Matrix to conduct a security risk assessment. The assessment should help you to identify security weaknesses or vulnerabilities of your practice’s ePHI.
Subpart C of Part 164 – Security Standards: Matrix

Administrative Safeguards (see §164.308)

| Standards | Sections | Implementation Specifications (R)=Required, (A)=Addressable |
|---|---|---|
| Security Management Process | 164.308(a)(1) | Risk Analysis (R) |
| | | Risk Management (R) |
| | | Sanction Policy (R) |
| | | Information System Activity Review (R) |
| Assigned Security Responsibility | 164.308(a)(2) | (R) |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A) |
| | | Workforce Clearance Procedure (A) |
| | | Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Function (R) |
| | | Access Authorization (A) |
| | | Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A) |
| | | Protection from Malicious Software (A) |
| | | Log-in Monitoring (A) |
| | | Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R) |
| | | Disaster Recovery Plan (R) |
| | | Emergency Mode Operation Plan (R) |
| | | Testing and Revision Procedure (A) |
| | | Applications and Data Criticality Analysis (A) |
| Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement (R) |

Physical Safeguards (see §164.310)

| Standards | Sections | Implementation Specifications (R)=Required, (A)=Addressable |
|---|---|---|
| Facility Access Controls | 164.310(a)(1) | Contingency Operations (A) |
| | | Facility Security Plan (A) |
| | | Access Control and Validation Procedures (A) |
| | | Maintenance Records (A) |
| Device and Media Controls | 164.310(d)(1) | Disposal (R) |
| | | Media Re-use (R) |
| | | Data Backup and Storage (A) |

Technical Safeguards (see §164.312)

| Standards | Sections | Implementation Specifications (R)=Required, (A)=Addressable |
|---|---|---|
| Access Control | 164.312(a)(1) | Unique User Identification (R) |
| | | Emergency Access Procedure (R) |
| | | Automatic Logoff (A) |
| | | Encryption and Decryption (A) |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) |
| Person or Entity Authentication | 164.312(d) | (R) |
| Transmission Security | 164.312(e)(1) | Integrity Controls (A) |
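The required/addressable decision rule above, as an added example that is not part of the article: a small Python gap check that applies the rule to each row of the matrix and flags what still needs action. The names Spec, Assessment, evaluate and gap_report are chosen here, and the matrix excerpt and assessment results are constructed for the example.

```python
# Added example, not from the article: apply the Security Rule's required/
# addressable logic to assessment results. Names, matrix rows and assessments
# below are constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Spec:
    section: str   # e.g. "164.308(a)(1)"
    name: str      # implementation specification
    kind: str      # "R" = required, "A" = addressable

@dataclass
class Assessment:
    implemented: bool         # safeguard implemented as written?
    reasonable: bool = True   # (A) only: assessed reasonable and appropriate?
    rationale: str = ""       # (A) judged unreasonable: documented reason
    alternative: str = ""     # (A) judged unreasonable: equivalent safeguard

def evaluate(spec: Spec, a: Assessment) -> str:
    """(R): must be implemented as written. (A): implement as written if
    reasonable; otherwise document why and implement an equivalent safeguard."""
    tag = f"GAP {spec.section} {spec.name}:"
    if spec.kind == "R":
        return "ok" if a.implemented else f"{tag} required but not implemented"
    if a.reasonable:
        return "ok" if a.implemented else f"{tag} assessed reasonable but not implemented"
    missing = [label for label, text in (("documented rationale", a.rationale),
               ("equivalent alternative", a.alternative)) if not text.strip()]
    return "ok" if not missing else f"{tag} skipped without {' and '.join(missing)}"

def gap_report(matrix, assessments):
    """Evaluate every spec; a spec with no assessment entry is also a gap."""
    gaps = []
    for spec in matrix:
        a = assessments.get((spec.section, spec.name))
        result = evaluate(spec, a) if a is not None else f"GAP {spec.section} {spec.name}: not assessed"
        if result != "ok":
            gaps.append(result)
    return gaps

# Constructed excerpt of the matrix and a sample assessment for a small practice.
MATRIX = [Spec("164.308(a)(1)", "Risk Analysis", "R"), Spec("164.308(a)(5)", "Password Management", "A"),
          Spec("164.312(a)(1)", "Automatic Logoff", "A"), Spec("164.312(a)(1)", "Encryption and Decryption", "A")]
SAMPLE = {  # Automatic Logoff has no entry, so it is reported as not assessed
    ("164.308(a)(1)", "Risk Analysis"): Assessment(implemented=True),
    ("164.308(a)(5)", "Password Management"): Assessment(implemented=False),
    ("164.312(a)(1)", "Encryption and Decryption"): Assessment(implemented=False, reasonable=False,
        rationale="Desktops never leave the locked office", alternative="Full-disk encryption on laptops"),
}
```

Running `gap_report(MATRIX, SAMPLE)` reports Password Management (reasonable but not done) and Automatic Logoff (never assessed); the documented, alternative-backed encryption decision passes.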
The next step is for your practice to determine the likelihood or probability for an external threat (such as a hacker trying to access your information) to expose a weakness and potentially gain unauthorized access to your ePHI.
Some examples from our client risk assessments include: the need to improve backup procedures for workstations, encryption for laptops, auditing user activity in the practice management system, or using a professional shredding service to dispose of ePHI. In most practices, human resource policies also will need to be updated to include greater pre-screening of new staff members, improved job descriptions to reflect proper access to and handling of ePHI by staff, exit interviews, and training on data security and proper use of passwords, etc. These safeguards are all part of the HIPAA Security Rule.
Put in place policies and procedures for each of the standards listed in the Security Standards Matrix above. For example, you might address each of the three safeguard areas in the following ways:
1. Administrative Safeguards
- Create office-specific security policies
- Place the copier or fax within the office to limit unauthorized access or viewing
- Appoint a security officer or official
- Conduct staff training on security rules, emergency operations, and reporting of real or suspected breaches (Remember: A breach is an inappropriate use, disclosure, or access of the practice’s PHI in violation of the Privacy Rule.)
- Finalize business associate contracts with outside entities that receive PHI generated by your office to do the work you require of them
2. Physical Safeguards
- Document who has access to the office during business and non-business hours, and which staff members have keys to the office
- Use password-protected screen savers
- Implement theft controls for computers and locate servers only in secured areas
- Conduct regular data backups and store them in a secure location
3. Technical Safeguards
- Control access to your workstations by using unique log-ins and time-limited passwords for all staff members
- Ensure that unattended computers automatically log out a user
- Appropriately dispose of ePHI by shredding or pulverizing, so the information can no longer be accessed
- Encrypt emails containing ePHI
The HIPAA policies you have now or create to comply with the Security Rule should be as detailed as possible. As an example, consider the following policy to address email use in your office:
Be very careful when emailing PHI. As a general rule, unencrypted email should not be used to communicate PHI because email is inherently less secure than other forms of communication, such as U.S. mail, Federal Express, UPS, or facsimile transmission. If email is used, the following safeguards should be taken:
- Attachments containing PHI sent as part of an unencrypted email should be encrypted in another manner before being attached to the email.
- The email message should contain a “confidentiality notice.”
- Verify that email is being sent to the correct person (e.g., always double-check the email address in the “To:” field before you hit “Send”).
Important Lessons to Take with You
A patient’s information—in written, electronic, or verbal form—belongs to the patient: Respect your patients’ privacy. As required by HIPAA’s “minimum necessary rule,” access only the information that is necessary to do your job. Report losses or misuses of information promptly to your privacy and/or security officer(s), so issues may be dealt with early, and harm can be mitigated. Set a protocol for confidential sending and receipt of PHI and ePHI. Question strangers who are in your work area. Never take patient information home or leave it in an unsecured place. And, always consult and comply with your office’s privacy and security policies and procedures.
Marcia L. Brauchler, MPH, CPC-P, CPC-H, CPC-I, CPHQ, is a health care consultant and founder of Physicians’ Ally, Inc. She advises physicians and practice administrators on managed care contracts, reimbursement, coding, and compliance. Her firm is selling updated HIPAA policies and procedures at www.physicians-ally.com/hipaa_training.html.