Health Care Legal Update   March 2005

The HIPAA Security Compliance Deadline is Fast Approaching: Are You Ready?

The deadline to comply with the requirements of the Security Rule implemented under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is fast approaching. Effective April 21, 2005, the Security Rule requires most health care organizations to protect the confidentiality, integrity and availability of protected health information maintained or transmitted in electronic form ("EPHI") by implementing certain administrative, physical and technical safeguards.

The Security Rule contains "standards" and "implementation specifications." A standard states a requirement that must be met, and the related implementation specifications provide instructions for implementing the standard. Implementation specifications may be "required" or "addressable." When a standard includes an addressable implementation specification, a health care organization must: (1) assess whether the specification is a reasonable and appropriate safeguard in its environment; and (2) either implement the specification or, if it is not reasonable and appropriate, document that determination and implement an equivalent alternative measure that is reasonable and appropriate.

The Security Rule permits health care organizations to use any security measures that allow them to reasonably and appropriately implement the Security Rule and demonstrate compliance with its standards. In deciding which security measures to use, a health care organization must take into account the following factors: (1) the organization's size, complexity and capabilities; (2) the organization's technical infrastructure, hardware and software security capabilities; (3) the cost of security measures; and (4) the probability and criticality of potential risks to EPHI.

Among other requirements, health care organizations will need to take the following steps to comply with HIPAA's security standards:

  • Designate Responsibility: Appoint a security officer to oversee HIPAA Security Rule implementation. The security officer may or may not be the same person who serves as the HIPAA privacy officer, but should be someone familiar with your information systems and general information security practices.
  • Assess Security Risks and Gaps: Perform a general security risk assessment to inventory all EPHI and the flow of EPHI into, out of and within the health care organization by identifying the systems, hardware and software that maintain or transmit EPHI. Assess the potential risks and vulnerabilities to the systems that maintain or transmit EPHI and measure the adequacy of existing security measures.
  • Risk Management: Using the risk assessment results, review compliance with the Security Rule standards and implement additional measures where necessary. Determine how to reduce risks to a minimum acceptable level. Develop monitoring safeguards to reduce the risk of security breaches caused by improper access, improper handling of machines, and failure to be prepared for contingencies.
  • Policies and Procedures: Develop policies and procedures for managing EPHI or modify existing security policies to address changes made to your security practices. Make decisions on all addressable implementation specifications. Adopt and document policies and procedures to ensure ongoing security of EPHI.
  • Security Awareness and Training: Review training policies and procedures. Review mechanisms to monitor log-ins, manage passwords, and protect the organization from malicious software. Train staff as necessary.
  • Contracts: Enter into appropriate contractual arrangements with vendors and/or third parties that maintain or transmit EPHI on your behalf. Revise business associate agreements to include HIPAA security provisions if applicable.
  • Documentation: Ensure that documentation is properly maintained in the form of a Manual of Security Policies and Procedures, and with respect to any actions, activities, or assessments required by the Security Rule.

The Centers for Medicare and Medicaid Services (CMS) will monitor compliance with the HIPAA Security Rule. Violating the Rule can result in both civil and criminal penalties. Unintentional violations may result in civil penalties of up to $25,000 per year per standard. Intentional violations can draw more severe fines or criminal sanctions.