Finish to-do list’ for HIPAA security rule

Check faxing, log-in practices

If planning isn’t already under way, the time is now for your hospital to get ready for implementation of the Health Insurance Portability and Accountability Act’s (HIPAA) security rule, which takes effect April 21, 2005. And although the rule doesn’t apply as specifically to access departments as does the HIPAA privacy standard, there is definitely an access "to-do list," say those leading the preparation effort.

The privacy rule, which became effective April 2003, had more impact on day-to-day access operations because, among other things, access personnel were on the front lines, handing out the notice of privacy to patients, notes Rita Aikins, MBA, CHS, system director, privacy and information security, for Providence Health System’s West Coast hospitals.

But she adds that if access departments are using systems that don’t have unique log-ins and passwords for each individual, "whoever is managing the department will have to figure out what to do about that" as part of the security rule implementation. Providence began doing away with generic log-ins "years and years ago because we didn’t think it was good practice," Aikins says. However, there are many hospitals that have not taken that step.

Prepare now to implement rule

Access managers also need to conduct a departmental analysis, she says, to look at issues such as how they handle the faxing and photocopying of protected health information. Meanwhile, a report released at the end of April by URAC, a health care accreditation organization, recommended that hospitals begin preparing immediately for security rule implementation, suggesting that most security risk management programs can take up to a year to fully implement.

That report said key challenges encountered by the sample of health care organizations studied included incomplete or inappropriately scoped risk-analysis efforts; incomplete or poorly executed risk management strategies, limited or faulty review of information system activity, and ineffective security incident reporting and response.

Handle risk management first

The American Hospital Association reports that it is working with the consulting firms Ernst & Young and Computer Associates to provide hospitals with additional resources to help jump-start their security efforts. Providence Health System is "right in the middle of the pack" in terms of its security rule preparation, says Aikins. "What’s on everyone’s mind is getting the risk assessment done. Once that’s done, we can figure out the workload and the cost."

Providence began its risk assessment — "a very complex" process — in September 2003, she notes. "The complexity of it [means that] you have to look at every computer system that stores or uses electronic protected health information [EPHI] and there’s not a good inventory to work with. We’re trying to create an inventory as we go along, trying to reach compliance."

In addition to the systems that Information Systems support, Aikins points out, there are "departmental systems and access databases that departments have created, and they’re all covered under the security standard if they have EPHI in them. That’s my opinion as to what makes the security rule more complex — this identifying, fact-finding, analytical phase you have to go through before you do anything."

With the privacy standard, on the other hand, "when you read it, you knew what to do here, here and here," she adds.

Aikins says she has the "gap analysis" — an accounting of issues the risk assessment has indicated need to be addressed — for the health system’s Oregon region, but not for the Alaska, Washington, and California facilities. "The biggest challenge is the audit requirement, because systems will need to set a standard around their auditing," she notes. "The security standard says you have to audit, but doesn’t tell you how often or what to look at, and it says you have to have a sanction policy."

One concern is that the policies must be consistent throughout the organization, Aikins points out. "For us, we don’t want California to say, We’re going to audit this way,’ and then another state say, That’s too much work. We won’t audit that way.’"

Categorize auditing practice

Aikins says she puts the various systems at Providence into three categories, defining what each category should include, and how stringent the auditing practice should be for each:

• Category I includes the main hospital information system, with all registration, admission and transfer functions, the order entry system, and the electronic medical record, if one exists.

• Category II includes systems to which only a single department has access, such as a laboratory system, Aikins adds. "It will still require auditing, but not as stringently, because only a small percentage of people have access."

• Category III includes systems with "small applications, few users, and smaller data repositories," she says. "This might be a database that someone created that has three users in the department, or a database that tracks mammograms and sends reminders when a woman needs to come back."

All categories will be audited, Aikins adds, but with Category I, the auditing will be proactive, and with II and III it will be done only for cause. "Auditing will be labor-intensive," she says, "and we have to be careful that the parameters we put around auditing are realistic. If we set the bar too high, we won’t be able to achieve anything."

Much to be done for compliance

"Getting one’s arms around the [HIPAA security] regulations is challenging," says Gillian Cappiello, CHAM, senior director of access and chief privacy officer at Chicago’s Swedish Covenant Hospital. "Most hospitals — and Swedish Covenant is no exception — have so many systems and databases that need to be up to snuff."

"I would have to say that while we are not in panic mode yet," she adds, "there is much to be done."

The hospital’s senior information technology director is "leading the charge," and likely will be named the hospital’s chief security officer," Cappiello says. "He is in the process of creating a charter to define the purpose, scope, roles and responsibilities, risks and vulnerability assessments, and processes" for complying with the security standard.

Swedish Covenant has engaged a consulting firm to do a facilitated risk-analysis project (FRAP), and also is using information from the gap analysis and road map developed by another firm during preparation for the privacy standard, she notes. "It was done mostly for the privacy regulations but [also addresses] what was known of the security rule before it was final."

Updates can be extensive

The hospital also is using and updating some of the strategies from its Y2K planning, Cappiello says, "particularly as they relate to threats or hazards, the risk to security or integrity of data, disaster recovery, backup systems, continuity plans, and business impact assessments and contingencies."

Such initiatives come with a price tag that is likely to be substantial, she suggests. While implementation of the HIPAA privacy standard was "pretty low cost," adds Cappiello, "security is a whole different story. Some of the requirements are going to be more expensive to implement."

"We had difficulty finding a consultant — for the fee we wanted — that could also do the physical plant assessment," she notes, "so that is not included in the FRAP."

Aikins says that until the Providence assessment is completed, she won’t know what the cost of preparing for security rule implementation will be. She points out, however, that she expects much of it to be paid from operating dollars. "I’m not sure some of this [expense] can come out of capital, with the rules around capital dollars having changed," Aikins adds. "There are certain rules for health care organizations as to what qualifies to have capital spent on it."

"If you don’t have an audit trail and have to have one created, can you use capital for that? These are the questions people will have to ask and answer," she notes. "The way one organization wants to handle it, another may not. With the current business environment, some have strengthened and tightened up their accounting practices and may say, No, we can’t spend capital for this."

(Editor’s note: Rita Aikins can be reached at rita. aikins@providence.org, and Gillian Cappiello can be reached at gcappiel@schosp.org.)