HIPAA security rule now in final form

Security rule now integrated with privacy rule

Final security standards under the Health Insurance Portability and Accountability Act (HIPAA) for protecting patient health information that is maintained or transmitted electronically have been adopted by the Department of Health and Human Services (HHS). All "covered entities," which include health care providers, health plans, and health care clearinghouses, must comply with the rule, which was published Feb. 20, 2003, in the Federal Register. It includes the following provisions:

  • All work force members, including management, must receive security awareness training.
  • Organizations must conduct risk analyses to determine information security risks and vulnerabilities.
  • Organizations must establish policies and procedures that allow access to electronic protected health information (PHI) on a need-to-know basis.
  • Organizations must implement audit controls that record and examine who has logged into information systems that contain PHI.
  • Organizations must limit physical access to facilities that contain electronic PHI.
  • Organizations must establish and enforce sanctions against members of the work force who don’t follow information security policies and procedures.

The electronic signature standard, a component of the proposed rule, was removed from the final version. HHS has said it will publish that standard in a separate final rule, but did not say when.

Some security experts have said the rule, while well integrated with the HIPAA privacy rule, lacks specific guidance in some critical areas, such as the requirement that encryption be used "only when deemed appropriate."

John Christiansen, JD, an attorney with Preston, Gates & Ellis, LLP, in Seattle, has said the HHS accomplished one of its goals, which was to integrate the security rule with the privacy rule. "A number of redundancies have been eliminated, as have some unclear concepts and rules," he said in the HIPAA Weekly Advisor, published by HCPro Inc.

For example, the chain of trust agreement, a document that would require business partners to protect electronic PHI received from covered entities, was eliminated. Covered entities are required to accomplish this through business associate agreements, which are required under the privacy rule.

HHS writes in the rule’s preamble that the regulations are consistent with "generally accepted security principles."

The regulations will become enforceable for most covered entities, including hospitals, on April 21, 2005. Small health plans will have an additional year to comply.

To view the final rule, go to www.access.gpo.gov.

If you can automate, you can save time and money

Michigan facility used existing systems

Compliance with the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) starts with a good assessment, says Gary Frownfelter, application team leader at Genesys Health System of Flint, MI. "People probably are more HIPAA-compliant than they think," he says. "We started documenting what we already had in place, started defining what our policies and systems already do."

"Early on we took the tactic of trying to maximize systems already in place," says Carol L. Joseph, RN, CCRN, privacy committee provider chairperson for Genesys. "We decided that our systems could be tweaked and used to a greater capacity."

One of the first tasks accomplished, says Joseph, was automation of the tracking and distribution of the privacy acknowledgement form. Joseph says her organization not only got the form down to one page but also used existing ADT technology to identify patients who had not received and signed the form. "It was very costly from a printing standpoint to print a nine-page privacy form and have patients sign each time they visited one of our facilities. Our system now autoflags patients and autoprints forms for patients who have not signed a form. After that, they will not be flagged again. Requesting one time was part of our continuing effort to make things convenient for patients and efficient for Genesys."

In addition to automating, Genesys also put audits into place. "The ability to audit and ensure compliance helps to identify where we might be having problems or breakdowns," explains Joseph. "It’s important to think ahead of time about how you’re going to measure compliance. If you wait until after a problem is discovered, it’s more complicated and labor-intensive."

Though technology has helped with HIPAA compliance, it is not without problems. One problem that needed attention was the periodic changing of passwords. Genesys has more than 130 different applications, many of which require a unique sign-on ID and password, explains Frownfelter.

"What started happening was employees, many of whom had to access up to eight systems a day, started putting their passwords on sticky notes and sticking them on their computer screens, which of course defeated the purpose of password sign-on," says Joseph.

To improve security and usability, Genesys purchased Coreport, a single sign-on portal system sold by CoreChange Inc. The portal allows a user to access multiple Genesys systems with one ID and password. The system also has an authorization feature that allows the administrator to determine the user’s access level.