Question: Will we need to buy new computers in order to run security software that is compliant with the security rule?
Answer: No. The HIPAA security rule is technologically neutral, says Robert W. Markette, Jr., an attorney with Gilliland & Caudill, a health care law firm based in Indianapolis. "Health and Human Services [HHS] realized that it would be foolhardy to dictate technology in a rule that would not go into effect for two years. Therefore, the security rule requires security policies and procedures that cover certain specific points, but the rule does not dictate how a covered entity should go about complying with the rule," he says. A covered entity needs to perform a risk assessment and implement the requirements, but the decision to upgrade hardware or software is a decision based upon the entity's application of the regulation.
Question: Will we need to be certified as compliant with the security rule?
Answer: No. HHS has not made certification part of the security rule, points out Markette. "They will not consider a third-party certification evidence of compliance, and HHS has not designated any entity to provide such certification," he adds.
Question: Will we need to implement trading partner agreements with our business associates?
Answer: No. The trading partner agreement was part of the original security rule, Markette says. Under the new rule, when a covered entity shares electronic protected health information (EPHI) with a business associate, the rule simply requires some additional provisions in the contract that impose certain safeguarding requirements upon the business associate, he explains.
Question: Will we need to purchase special software to ensure that none of our EPHI is altered without authorization?
Answer: Again, the answer is no. "Although the rule requires covered entities to ensure EPHI in its possession is not altered without permission, it does not require that the method for ensuring the integrity of information be electronic," explains Markette.
"In fact, HHS said that for a smaller provider, a reasonable method of ensuring integrity might be to maintain paper copies of documents," he adds. That way, if a question about the integrity of the data ever came up, the entity could simply refer to the paper copy in its file.
Question: Does the security rule affect protected health information (PHI) in our paper files?
Answer: No, the security rule only applies to PHI maintained in electronic form, says Markette. However, PHI maintained on paper is subject to the privacy rule, he adds.
Question: It appears that there will be some overlap between our privacy policies and our security policies. Can we borrow from our privacy policies to implement security policies?
Answer: Yes, there is a great deal of overlap between the two rules. "HHS set out to rewrite the security rule to harmonize with the privacy rule and they succeeded. HHS has said that a covered entity should feel free to borrow from its privacy policies when implementing the security rule policies and procedures," he says.
Question: Does the security rule require us to perform background checks on employees before allowing them to access EPHI?
Answer: No. Though the security rule does require providers to ensure that an employee's access to EPHI is appropriate, this does not mandate a criminal background check. HHS said in the comments to the rule that "the need for and extent of a screening process is normally based on an assessment of risk, cost, benefits, and feasibility as well as other protective measures in place."
There may be some situations where a background check is appropriate, but that would be a decision for an entity based on its risk analysis, says Markette. "Of course, some state laws require criminal background checks for certain employees as part of their licensing regulations," he emphasizes.
Question: Can our privacy officer also be our security officer?
Answer: Yes. The main reason for requiring a security officer is to ensure that final responsibility for security compliance rests with one individual, explains Markette.
"Most organizations will want to designate somebody who will be comfortable dealing with the technology issues inherent in the security rule, but there is no reason an entity’s privacy officer cannot be the security officer as well," he adds.
[For more information about the HIPAA security rule, contact:
• Robert W. Markette, Jr., Attorney, Gilliland & Caudill, 6650 Telecom Drive, Suite 100, Indianapolis, IN 46278. Telephone: (317) 616-3652. Fax: (317) 275-9246. E-mail: firstname.lastname@example.org. Web site: www.gilliland.com.]