[Editor’s note: This column addresses specific questions related to implementation of the Health Insurance Portability and Accountability Act (HIPAA). If you have questions, please send them to Sheryl Jackson, Hospital Home Health, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsjackson@bellsouth.net.]

Question: After my security officer is designated and familiar with the HIPAA security rule, what are my next steps toward compliance?

Answer: Identify which activities your organization already has implemented as part of your normal operating procedure that show compliance with the security rule, advises Robert W. Markette Jr., an Indianapolis attorney. "For example, the rule requires covered entities to implement policies and procedures to create retrievable duplicate copies of electronic protected health information [EPHI], also known as backup copies," he points out. "It is extremely unlikely that providers who use computers to maintain patient information and billing information are not regularly making backup copies of the data."

By comparing what your organization already is doing to what the rule requires, you will discover that you already have implemented parts of the rule, Markette says. "For these standards and specifications, compliance with the security rule then will become a matter of evaluating whether the procedures are reasonable and either modifying them accordingly or simply inserting them into your HIPAA security rule policies and procedures binder," he says.

The next step is to inventory EPHI, Markette notes. "This should not take a lot of effort, because you should have an inventory of protected health information [PHI] that was generated as part of your privacy rule compliance efforts."

You can determine the locations of EPHI by simply reviewing the PHI inventory and determining which locations meet the definition of electronic media under the security rule, Markette continues. "This inventory will make the risk analysis easier," he adds.

Question: What steps are necessary for a proper risk analysis, according to HIPAA?

Answer: Although the security rule requires you to perform a risk analysis, it does not provide you with any guidance on how to perform one, Markette notes. "There are numerous strategies and methods for performing a risk analysis, including publications from the National Institute for Standards and Technology," he says. "Regardless of the particular tool you choose, the key concept in risk analysis is identifying potential risks and quantifying the likelihood that the risk materializes."

Identifying potential risks will involve thinking about the ways your information systems could be harmed, explains Markette. Start with broad categories, such as natural disasters and incidents caused by people, then subdivide these categories, he suggests. "For example, under incidents caused by people, you may have two subcategories: intentional and unintentional," he explains. Those categories could be divided further into employee and nonemployee. "You should try to identify all potential risks — even remote risks," Markette adds. "Then, in the next step of the risk analysis, you will determine the likelihood of the potential risks coming to pass."

Identifying the likelihood of the identified risks coming to pass will not be a mathematically precise endeavor, he admits. "The security rule requires you to implement policies and procedures aimed at protecting against reasonably anticipated risks of your electronic protected health information," he says. "You do not have to sit down and decide that a potential risk has a 43.5% chance of happening, and therefore, it is reasonably anticipated."

Identify all potential risks and group them into categories such as highly unlikely, unlikely, likely, or highly likely to occur, Markette suggests. For example, a highly unlikely risk would be a hurricane in Montana or, for providers without Internet access, a hacker breaking into the system, he continues. "On the other hand, an employee’s actions leading to a security incident might be categorized as very likely. The object is to identify the risks against which you should take precautions."

Once you have completed your risk analysis, you will have a framework for reviewing your current security policies and for designing new policies and procedures that reduce the risk to your EPHI, Markette says.

Question: Is a risk analysis and review of security rule compliance a one-time activity?

Answer: HIPAA security rule compliance is not a one-time effort, emphasizes Markette. "The security rule specifically requires you to periodically evaluate your security rule efforts but does not state how often you need to perform this evaluation," he says. Markette recommends a review on an annual basis, at a minimum. "As your organization grows and changes, the potential threats to EPHI security may change, and that means that your policies and procedures also will need to change."

For more information on the security rule, contact:

  • Robert W. Markette Jr., Attorney at Law, Gilliland & Caudill, 3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Phone: (800) 894-1243 or (317) 704-2400. Fax: (317) 704-2410. E-mail: rwm@gilliland.com.
  • To find a draft of the Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, go to csrc.nist.gov, click on "CSD Publications," then choose "drafts," then scroll down to May 12, 2004, publication #800-66. For other tools specific to risk analysis, go to csrc.nist.gov, then enter "risk analysis" in the search box to see a list of articles and tools available.