The trusted source for
healthcare information and
What does the HIPAA security rule require?
[Editor’s note: This is a periodic column that addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Same-Day Surgery, American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: email@example.com.]
Same-day surgery managers have been working hard to put policies and procedures into place to meet the HIPAA privacy requirements. Now it’s time to look closely at what’s needed to meet the requirement of the HIPAA security rule, adopted Feb. 13, 2003.
The rule requires you to ensure the confidentiality of electronic protected health information (EPHI) that you maintain. But the requirements don’t stop there, says Robert W. Markette Jr., an attorney with Gilliland & Caudill, a health care law firm in Indianapolis. Same-day surgery managers also must make sure EPHI always is available, even in the event of a disaster or emergency, he explains.
The security rule also requires you to protect EPHI against any reasonably anticipated threat or hazard and to protect against any reasonably anticipated use or disclosure of such information that would violate the privacy regulations, says Markette.
Here are answers to additional questions that are likely to puzzle you:
Question: What is the definition of EPHI?
Answer: EPHI is protected health information that is maintained or transmitted in an electronic medium, says Markette. "Electronic medium means any computer-based form of storage or transmission such as hard drives, floppy disks, CD-ROMs, and computer networks," he says.
Electronic transmission also includes physically moving storage medium, he adds. "This means mailing a floppy disk is considered an electronic transmission," he explains.
Question: What are the different types of standards?
Answer: The security rule requirements are broken down into three broad areas: administrative safeguards, physical safeguards, and technical safeguards. Generally, administrative safeguards are policies and procedures designed to protect EPHI and require that the organization perform a risk analysis, designate one person as a HIPAA security officer, and educate the work force on security requirements for EPHI, says Markette.
Physical safeguards are related to maintaining confidentiality of EPHI by physically preventing unauthorized people from accessing computers. These safeguards include items such as locks on doors, he says.
Technical safeguards are policies and procedures related to computers. This section does include a requirement that each individual have a unique identification on the computer, he says. Any of the standards or implementation specifications within the standards that are designated as required or addressable must be implemented by April 21, 2005.
Question: What is an "addressable" standard?
Answer: If a standard is identified as "addressable," an organization must determine whether a standard is reasonable or appropriate for its environment, Markette explains.
If it is not, the organization must document why it is not reasonable and implement an equivalent alternative measure if reasonable and appropriate.
One of the addressable standards is integrity control, he says.
"This standard requires the same-day surgery program to ensure that the EPHI is not altered in any way before or during transmission to another entity such as a billing company," Markette says. "The software that is available to check for alterations is expensive, so a small same-day surgery program may not be able to reasonably purchase and implement it."
An equivalent alternative measure to meet this standard would be to maintain paper copies of the records that staff members could use as comparison if they believe the information has changed or been altered, he suggests.
Question: Will we have to encrypt our e-mail or other transmissions of EPHI?
Answer: "This may be the most frequently asked questions regarding security rule compliance," admits Markette.
Encryption is listed as an addressable standard for both the access controls standard and the transmission security standard of the rule.
"Because it is addressable, covered entities do not have to implement encryption," Markette says. "An entity must assess whether encryption is a reasonable safeguard in its environment."
If it is, then the covered entity must implement encryption, he says. "If it is not, then the covered entity must document why it is not reasonable and appropriate to implement encryption and assess whether there is an equivalent alternative method to safeguard EPHI," Markette explains.
If the entity determines that the alternative method is reasonable, then the alternative measure should be implemented. If the alternative method is not reasonable, the organizations must document the reasons why and the organization will be in compliance, he adds.
For some small same-day surgery programs it may not be reasonable to implement encryption, says Markette.
"It is extremely important that reasons for not implementing encryption be thoroughly documented," he stresses.
Encryption may not be possible for some programs due to the cost of software and need to upgrade hardware, he says. Also, if a same-day surgery program is communicating by e-mail with surgeons’ offices or even patients in rural areas, it may be cost-prohibitive for those surgeons and patients to purchase software needed to decrypt the messages, he adds.
"This documentation will need to be maintained for six years according to the security rules and procedures manual," he adds.
Question: Does the security rule affect whether we can continue to fax paperwork to surgeons’ offices?
Answer: No. "The security rule only applies to PHI in electronic form," says Markette. In the final rule, the Department of Health and Human Ser-vices specifically excluded plain-paper fax transmission from the definition of electronic form, he says. However, using a personal computer to fax information via the modem would be considered an electronic transmission, which would make any PHI in the fax considered electronic information that is subject to the security rule, he points out.
For more information on the security rule, contact:
• Robert W. Markette Jr., Attorney, Gilliland & Caudill, 6650 Telecom Drive, Suite 100, Indianapolis, IN 46278. Telephone: (317) 616-3652. Fax: (317) 275-9246. E-mail: firstname.lastname@example.org. Web: www.gilliland.com.
The Centers for Medicare & Medicaid offer help to health care providers preparing for the Oct. 16 deadline for electronic transaction standards by posting a free webcast on "Provider Steps to Getting Paid under HIPAA" at www.eventstreams.com/cms/tm_001/ and a series of papers on electronic transactions and code sets at www.cms.hhs.gov/.If you have any questions about this testing method, please contact customer service at (800) 688-2421 or by e-mail at email@example.com.