HIPAA security standards: Is your facility ready?
Before tackling HIPAA, take stock of current system
The rapid advance of technology has meant a lot of changes in the way clinicians work. And now that medical records and information have been firmly entrenched in hospital computer systems and potentially exposed to the expertise of hackers and thieves, it’s time to install the deadbolts.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is now an official standard, and those deadbolts are expected to be securely in place and ready for examination within two years.
However, with the rush to get up to speed for Y2K, many hospitals already will have some of the more important and expensive procedures in place. If not, here is a short checklist from QuadraMed, a health care information technology company based in San Rafael, CA, to help get you started. The list includes these basic steps:
• Add HIPAA compliance to your strategic plan.
• Designate an information security manager to take responsibility for HIPAA compliance.
• Ensure that your current or future vendors/contracts are obligated to comply with the legislation.
• Purchase new or update current information technology systems to satisfy HIPAA requirements.
• Evaluate current security and confidentiality policies and procedures and modify them, as necessary, to meet the requirements.
• Evaluate your exposure to password security breaches.
Sandra Fuller, MA, RHIA, vice president of professional development services for the Chicago-based American Health Information Management Association (AHIMA), notes that the regulations are technology-neutral, meaning they do not mandate what system, hardware, or software to use. "They address policy and accountability over technology," she says. She suggests that although "the theft of a personal computer may be an annoyance, it is likely to be less expensive than the value of the data stored on that computer." To determine your exposure, she suggests you ask the following questions:
• What precautions are taken for a physical disaster (flood, fire, earthquake)?
• How will this type of emergency affect computer operations?
• What safeguards are in place to protect equipment from theft or vandalism?
• Are special physical security procedures in place for computer rooms or network closets? Are these locked? Are a limited number of people given access?
• Are these physical precautions tested, and are the results of these tests used to improve the security going forward?
Preparation needs to start now. William Spooner, senior vice president and chief information officer for Sharp Healthcare in San Diego, also recommends a thorough review of current policies and practices. "Forget HIPAA for the moment and look at what you have in place," he advises.
He then suggests shopping around for someone who has specific expertise and knowledge about HIPAA. "We brought in a consulting firm to review our current policies. They interviewed all the executives throughout the organization and got their opinion on security and how well they thought we were doing. They looked around for problems and even tried getting into our secure systems."
Since then, Spooner and his colleagues have given high-level briefings to their board of directors. "Our legal department is reviewing everything, and our compliance and finance people are looking at the regulations and recommendations," he says. "We’ve started to meet informally and compare notes. Within the next quarter, we’ll be briefing our entire management team. We’re currently recruiting for someone to serve as our HIPAA coordinator."
Record processing is going to be a big factor in security standards, according to Fuller. "The regulations require that policies are in place to describe the processing of electronic records. The policies should address data receipt, manipulation, storage, dissemination, transmission, and disposal."
Fuller suggests keeping a complete record of security activities, including all details of physician privileges (granting, modification, termination). She also recommends a comprehensive record of everyone with electronic access to sensitive areas at any time. This will provide useful information if a security breach occurs.
Those who do have access to health records should be properly trained in the organization’s security policies. And those policies need to be documented in writing and maintained for the record. That means documentation of terminations and additional written records on the return of all security devices such as keys and key cards plus a change of combination locks to the computer rooms. Excessive? Possibly, but these measures are important if you’re going to be serious about security.
Both Spooner and Fuller point out the importance of having a designated security manager. This is the person responsible for making sure the HIPAA policies and measures are in place; someone who understands your organization’s culture as well as the state and federal security regulations and who can quickly get the ear of your administration.
Also, Fuller explains, there must be a policy to cover the acquisition, removal, and disposal of hardware, software, and data. You also will need a policy describing how computer screens in busy areas are protected from general view. Are automatic screen savers and application timeouts in place? Are staff trained to protect the information on the screen? All these things must be documented.
Although most hospitals will have two years to comply with HIPAA’s requirements, "if no policies are currently in place, they will need to be developed at the rate of one every 45 days," Fuller says. That’s a tall order, as anyone can testify who’s tried to push even so much as a job description through an administrative chain of command.
Still, HIPAA does not consider a written policy to be adequate protection. There are also technical requirements such as physical safeguards, secure workstation location, audit controls, authorization controls, technical security services, and technical security mechanisms for transmission. (For a more thorough report on complying with the HIPAA regulations, see Sandra Fuller’s article, "Implementing HIPAA Security Standards — Are You Ready?" in the Journal of AHIMA, October 1999.)
And the cost for all this? It’s dependent on the individual organization, of course. "There’s no question it will be significant," says Spooner. "But in the end, it seemed estimates for Y2K compliance were greatly exaggerated. We don’t need to overstate the situation. But we need to be aware and ready. In this case, there may be necessary changes we haven’t yet addressed."
One thing is certain: Time will not stand still. If you’re going to be ready to prove your records are secure, it’s time to start ordering the deadbolts.