Are You Prepared for the
HIPAA Security Rule?
Take these steps now to comply with
the April 25 deadline.
JOHN E. STEINER, JR., ESQ.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) included three major components -- Privacy Standards, Transactions and Code Sets, and Security Standards. The last of these three, also referred to as the Security Rule, has a compliance deadline of April 25 for "covered entities." Healthcare providers, health plans, and clearinghouses are considered covered entities.
The Security Rule has many specific requirements, some of which are primarily relevant to large, complex healthcare organizations with multiple computer systems. For many physician practices, however, the Security Rule is fairly manageable. The key, as under the Privacy Rule, is to demonstrate good faith efforts to comply, consistent with the level of complexity of your practice's information management system and security risks. At a minimum, your office workforce should receive awareness education and training on the Security Standards. In this article, I'll explain what you should do right now to prepare your practice for complying with the HIPAA Security Rule.
Use This Checklist
To protect medical information and the underlying systems that transmit and handle that information, you should review the three general categories of security controls:
► administrative safeguards, such as written policies and procedures
► physical safeguards, including locks on rooms and office furniture where medical information is stored
► technical safeguards on information systems and hardware, such as intrusion detection and protection software.
The Security Rule is designed to ensure some level of awareness and appropriate action to protect individual records and other protected health information. Those efforts should be in written policies and procedures as well.
Focus Your Compliance Efforts
Education and training awareness for your office should focus on the following items:
Computer Workstations:
► Establish, reinforce and follow log-off protocols
► Don't allow user-owned computers in your practice
► Use only authorized personnel to maintain hardware and software.
Software:
► Use only licensed software that's been approved by the practice in your office's IT program. Screen savers or personal software should not be brought from the home to the office. Only authorized personnel should install software.
► Remind employees that they can be held legally responsible for ignoring or disobeying the terms and conditions of software licensing and copyright laws.
► Have good anti-virus software. Staff should know how to confirm that a computer has up-to-date anti-virus protection in place. They must never disable anti-virus software.
Access Controls:
► Train your employees to access only the minimum necessary amount of protected health information to perform their duties.
► As employees change jobs or positions within your practice, have a contact person or centralized mechanism to update access controls. Instruct your employees not to share their user IDs or password(s).
► Make it clear to employees in writing that they are not to use any protected health information for their personal gain or profit, or to maliciously harm others.
Passwords:
► Use passwords that are difficult for others to crack. Passwords should be at least six characters long and not a complete word or name, with a mix of letters and numbers and a special character (e.g., @, $). Passwords should never be left in writing on or near the computer.
► Change passwords periodically, or if it's suspected that an unauthorized person knows a password.
E-Mail, Internet and Fax:
► Adopt office policies that restrict use of e-mail, fax, Internet, and phones to business purposes. Employees must get permission for any personal use of these technologies.
► Discuss and implement internal control policies pertaining to sending e-mails with protected health information.
► In using the Internet, instruct employees not to upload or distribute protected health information or any information classified as "sensitive" or "confidential."
► Instruct employees to exercise discretion in limiting information transmitted by fax to the amount that is "minimally necessary" to meet the needs of the requestor.
► Use an official fax cover sheet when transmitting protected health information, and verify the requestor's fax number, identity and authority to receive the protected health information before it's disclosed.
► Don't locate fax machines in areas that are accessible to the general public. Incoming faxes shouldn't be left in plain view of others who are not the intended recipient.
Auditing and Monitoring:
► Caution your employees that authorized representatives of your practice have the right to audit all software, files, directories and user activity at any time. Let staff know that workplace e-mail and Internet usage can be monitored.
Reporting Incidents:
► Inform your employees regarding when and to whom to report an information security incident. Such incidents include any adverse event that occurs on any part of your information system and network.
Make a "Good Faith" Effort
The key regulatory language in the Security Rule that allows each covered entity to demonstrate good faith compliance efforts is fairly flexible. The statement below, from the preamble of this part of the HIPAA regulations, gives practices reasonable guidelines for achieving compliance.
"Each individual who has access to electronic protected health information must be aware of the appropriate security measures to reduce risk of improper access, uses and disclosures. This requirement does not mean lengthy training is appropriate in every instance. There are alternative methods to inform individuals of security responsibilities, e.g., pamphlets or copies of security policies and procedures."
As you prepare for the April 25 compliance deadline for the Security Rule, many of the points covered above should be useful for security awareness and training in your practice.
John E. Steiner, Jr., Esq., is chief compliance officer and privacy officer for the Cleveland Clinic Health System.