[Editor’s note: This is a periodic column that will address specific questions related to the Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Hospital Home Health, Thomson American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com.]

Question: What does the HIPAA security rule require?

Answer: The HIPAA security rule, adopted Feb. 13, 2003, requires covered entities to ensure the confidentiality of electronic protected health information (EPHI) they maintain, says Robert W. Markette Jr., an attorney with Gilliland & Caudill in Indianapolis.

That means limiting access to the information; ensuring the integrity of any EPHI maintained; preventing unauthorized alterations to the data; and ensuring the availability of any EPHI even in the event of a disaster or emergency, he explains.

The security rule also requires the entity to protect EPHI against any reasonably anticipated threat or hazard to its security or integrity; protect against any reasonably anticipated use or disclosure of such information that would violate the privacy regulations; and ensure that the covered entity's workers comply with the regulation, he adds.

Question: What is the definition of EPHI?

Answer: EPHI is protected health information that is maintained or transmitted in an electronic medium, says Markette.

"Electronic medium means any computer-based form of storage or transmission such as hard drives, floppy disks, CD-ROMs, and computer networks," he says.

"Electronic transmission also includes physically moving storage medium," he adds. "This means mailing a floppy disk is considered an electronic transmission."

Different types of standards

Question: What are the different types of standards?

Answer: The security rule requirements are broken down into three broad areas: administrative safeguards, physical safeguards, and technical safeguards.

Generally, administrative safeguards are policies and procedures designed to protect EPHI and require that the organization perform a risk analysis, designate one person as HIPAA security officer and educate the work force on security requirements for EPHI, Markette says.

Physical safeguards are related to maintaining confidentiality of EPHI by physically preventing unauthorized people from accessing computers. These safeguards include things such as locks on doors, he says.

Technical safeguards are policies and procedures related to computers. This section does include a requirement that each individual have a unique identification on the computer, he says.

Any of the standards or implementation specifications within the standards that are designated as required or addressable must be implemented by April 21, 2005.

Question: What is an "addressable" standard?

Answer: If a standard is identified as "addressable," an organization must determine whether a standard is reasonable or appropriate for its environment, Markette explains.

If it is not, the organization must document why it is not reasonable and implement an equivalent alternative measure if reasonable and appropriate.

Question: Will we have to encrypt our e-mail or other transmissions of EPHI?

Answer: "This may be the most frequently asked question regarding security rule compliance," Markette admits. Encryption is listed as an addressable standard for both the access controls standard and the transmission security standard of the rule.

"Because it is addressable, covered entities do not have to implement encryption," he says. "An entity must assess whether encryption is a reasonable safeguard in its environment. If it is, then the covered entity must implement encryption," Markette says.

"If it is not, then the covered entity must document why it is not reasonable and appropriate to implement encryption and assess whether there is an equivalent alternative method to safeguard EPHI," he explains.

Alternative methods

If the entity determines that the alternative method is reasonable, then the alternative measure should be implemented. If the alternative method is not reasonable, the organization must document the reasons why, and the organization will be in compliance, Markette adds.

For many small home health agencies it may not be reasonable to implement encryption, says Markette. "It is extremely important that reasons for not implementing encryption be thoroughly documented," he stresses.

"This documentation will need to be maintained for six years according to the security rules and procedures manual," he adds.

Question: Does the security rule affect whether we can continue to fax paperwork to doctors as part of a referral?

Answer: "No. The security rule only applies to PHI in electronic form," Markette says. In the final rule, Health and Human Services specifically excluded plain paper fax transmission from the definition of electronic form, he says.

However, using a personal computer to fax information via the modem would be considered an electronic transmission, which would make any PHI in the fax electronic information that is subject to the security rule, he points out.

[For more information about the HIPAA security rule, contact:

Robert W. Markette Jr., Attorney, Gilliland & Caudill, 6650 Telecom Drive, Suite 100, Indianapolis, IN 46278. Telephone: (317) 616-3652. Fax: (317) 275-9246. E-mail: rwm@gilliland.com. Web site: www.gilliland.com.]