HIPAA Q&A

[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Hospital Home Health, Thomson American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsjackson@bellsouth.net.]

Question: What are the deadlines for compliance with the HIPAA security rule?

Answer: For all covered entities, other than small health plans, the compliance deadline is April 20, 2005, says Robert W. Markette Jr., an Indianapolis attorney. "If you are a small health plan, you have until April 20, 2006," he adds. "Contrary to a popular rumor, there is not an exception for small health care providers. All covered health care providers must comply with the security rule by April 20, 2005," he warns.

Question: What happens to noncompliant providers on April 20, 2005?

Answer: If you are just beginning your HIPAA security rule compliance efforts, your first question is most likely what the Centers for Medicare & Medicaid Services (CMS) will do if you are not in compliance by the deadline, admits Markette. "At least for the near future, CMS is sticking to its stated policy of assisting noncompliant providers to become compliant, rather than imposing large fines," he says.

"However, the possibility of leniency from CMS should not lead you to feel complacent about security rule compliance," suggests Markette. "You should make every effort to be in compliance or be well on your way to compliance, because CMS is far more likely to be lenient if it can see documentation of the efforts you are making to comply, how far along you are, and how far you have left to go," he explains. "In the event of a complaint, a CMS investigator will not be interested to hear that you have read the rule but have done little else," Markette warns.

"In addition to the potential penalties from the government, there are other potential consequences of a HIPAA violation that fall entirely outside of the federal government’s jurisdiction," he points out. For example, it is possible that HIPAA violations will become the basis for civil lawsuits, Markette says. "Providers who are subject to state licensure surveys may also encounter a state surveyor who erroneously cites a covered entity for a HIPAA violation. This could affect a provider’s license even without a violation."

Finally, a HIPAA violation presents the potential for negative publicity, Markette says. "With the current focus in America on individual privacy, a provider who is found to have violated the HIPAA security rule may be perceived as insensitive to the concerns of patient privacy," he explains. This perception could have a negative effect on patient confidence and, therefore, business, adds Markette.

Question: Where should I start when putting together my compliance plan?

Answer: First, appoint a security officer, says Markette. The HIPAA security rule, like the privacy rule, requires the covered entity to designate someone as responsible for the entity’s compliance with the HIPAA security regulation, he explains. "This person is known as the security officer. The security officer does not need to be an information security expert or hold any special certifications, but the person should be familiar with the HIPAA privacy and security rules and be able to manage a project and complete it in a timely fashion," he says.

"Larger organizations should consider a security compliance team to assist the security officer," recommends Markette. The security rule allows this kind of assistance, but the security officer retains responsibility for your organization’s compliance efforts, he says. "The team should include managers from each department or persons designated by the managers," he suggests. It is important that the team remember the security officer retains final control, and the security officer should be able to put pressure on the team to meet deadlines, he adds.

"Next, the security officer must familiarize himself or herself with the security rule," says Markette. "A good place to start is the rule itself and the CMS web site [www.cms.hhs.gov] provides a number of resources including CMS’ recently published overview of the security rule — Security 101 for Covered Entities," he suggests. (For more information, see box.)

HIPAA guidance available on security for covered entities

The first in a new series of Health Insurance Portability and Accountability Act (HIPAA) white papers designed to address issues related to the security rule is available from the Centers for Medicare & Medicaid Services. The paper provides background on the rule and its relationship to the HIPAA medical privacy rule. Topics of future papers will include administrative, physical, and technical safeguards; organizational policies and documentation requirements; the basics of risk analysis and risk management; and implementation for small providers. To access the paper, go to www.cms.hhs.gov/hipaa/hipaa2/education/Security%20101_Cleared.pdf.

"Reading the rule serves two purposes," says Markette. "You will learn the more specific requirements of the rule as set forth in the 19 standards and 36 implementation specifications, and you will also see that you have already implemented a number of the rule’s requirements as you implemented programs to comply with the privacy rule," he adds.

For more information on the HIPAA security rule, contact:

Robert W. Markette Jr., Attorney at Law, Gilliland & Caudill, LLP, 3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Phone: (317) 704-2400 or (800) 894-1243. Fax: (317) 704-2410. E-mail: rwm@gilliland.com.