HIPAA Regulatory Alert

Many health care organizations still remain a long way from security compliance

URAC identifies four barriers to meeting security demands

Even though less than a year remains before the HIPAA security rule takes effect April 21, 2005, many health care organizations are a long way from compliance, according to an assessment by Washington, DC-based URAC, the only organization offering a security accreditation program based directly on the HIPAA security rule. Written to minimize potential disruptions and security breaches to personal or protected health information (PHI), the HIPAA security rule affects:

1. how health care organizations interact with information systems that contain PHI;
2. methods by which organizations communicate with consumers, providers, and other third parties;
3. ways that health care organizations educate patients and obtain information about them;
4. the manner in which PHI is collected, used, and shared both internally and externally.

URAC officials say their accreditation review experience has identified four barriers that are hampering the ability of health care organizations to satisfactorily meet security rule demands:

1. Incomplete or inappropriately scoped risk analysis efforts. Risk analysis — formal identification of an organization’s risk tolerance, outstanding risk liabilities or residual risk, and prioritization of subsequent risk reduction activities — is the fundamental building block of any security management program. The government will look to an organization’s risk analysis as a primary piece of evidence when investigating security complaints and determining an organization’s rationale for reasonable and appropriate controls. URAC says risk analysis as required by the security rule is a much more demanding evaluation of an organization’s security posture than that from a typical vulnerability assessment.

2. Inconsistent and poorly executed risk management strategies. According to URAC, risk analysis and risk management are linked to ensure a sound security compliance strategy. Security risk management deals with allocating resources to gain the highest level of risk reduction possible within the bounds of an organization’s risk tolerance. URAC says organizations must be careful not to rely too much on technologists to make risk management assumptions without clear guidance and support from the business operations perspective. All the organizations it surveyed were found to have serious issues with policy and procedure documentation, management, and implementation.

3. Limited or faulty information system activity review. According to URAC, the purpose of information system activity review is to provide an accurate history of system activity in the event of a security breach, and to allow health care organizations to track system usage; reconstruct, review, and examine events; and detect and verify unauthorized users and processes.

4. Ineffective security incident reporting and response. According to URAC, much of the confusion surrounding the security incident response and reporting requirement centers on the question of what constitutes a security incident and what constitutes a sufficient level of reporting. The rule defines a security incident as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." This element is closely linked with the other three, URAC says, because the ability to identify security incidents is heavily dependent upon information system activity review, practicable mitigation requires an organization to have established risk tolerances as part of its security management process, and harmful effects must be linked to an organization’s knowledge of its threats, vulnerabilities, and impacts.

Improve compliance preparations

Based on its consulting experience, URAC has recommendations to improve preparations for security rule compliance, including:

1. Health care organizations must focus on implementation of a sound security risk management process that includes a comprehensive, meaningful, and realistic risk analysis, risk management program, information systems activity review function, and security incident reporting and response process.
2. HIPAA implementation efforts should be managed in the broader context of overall business risk.
3. Health care organizations should begin preparations now because most security risk management programs can take up to a year to implement.

According to URAC, HIPAA compliance should not be seen as a costly regulatory burden, but rather as a way to appropriately manage ongoing security risks in a way that reduces overall business risk, reduces costs, and improves quality.

(Editor’s note: The report can be downloaded from www.urac.org.)