Health Information Compliance Alert

SECURITY:

12 Steps To Security Compliance Success

How secure is your PHI? A group of HIPAA experts assembled last month to provide covered entities with a more practical look at the security rule jumble - and what they said will make your security rule implementation go a lot easier.

You already know that the modifications to the Health Insurance Portability and Accountability Act's security rule last month mean that you have to get started on your compliance plans stat. Even though most CEs have until April 21, 2005 - and for small health plans, a year later - to comply with the rule, the privacy rule taught you that it's never too early to get your plan in place. Take a look at these tips to make your policy- and procedure-planning go a bit easier:

1. LET COMMON SENSE PREVAIL, NOT TECHNOLOGY. "Ninety percent of security is what's between people's ears, not necessarily what technology they implement," says Tom Hanks, National Director of HIPAA Practice for PricewaterhouseCoopers, in a recent audio conference. You're already familiar with the dos and don'ts of privacy rule compliance. That's more help than you probably realize when it comes to implementing your security rule plan.

2. FOCUS ON THREE AREAS OF COMPLIANCE. Administrative, physical and technical safeguards: those are the three areas the Department of Health and Human Services wants CEs to be familiar with. Remember that the security rule is technology-neutral, and you can choose almost whatever policies and procedures will work for your organization. HHS realizes that a two-person physician practice has different needs than a large hospital, for example.

3. RISK ANALYSIS/MANAGEMENT A MUST. This is the key to getting started on your security rule compliance plan, says Bill Braithwaite, National Director of HIPAA Advisory Services for PricewaterhouseCoopers. That means compiling an accurate assessment of potential risks and vulnerabilities within your organization.

Run a risk analysis to determine what those vulnerabilities are, advises Braithwaite, and then ensure you have the appropriate sanctions in place against workforce members who fail to comply with your policies and procedures. As one of its implementation specifications, the security rule requires an "information review system," which means not just keeping audit logs, access reports and incident tracking reports, but reviewing them. "It's absolutely no use to have the logs if you don't review them," he notes.

And others agree that the risk analysis is the most important first step CEs can take. Michael Roach, an attorney with the Chicago office of Michael, Best & Friedrich, tells Eli he performed a risk assessment for a client recently. "I walked through a client's facility and afterwards said, 'I see CDs sitting around cubicles and nobody's sitting there. Do you have a policy where people who aren't employees can, because they may have a badge on them, roam through this workspace unattended?'"

Roach says in order to know the items you'll need to address you must know the current state of your security systems. Once you've done that, he recommends that CEs create a checklist from the security rules, a tool that should obviate a haphazard approach to compliance. "That way you can make sure that your program is addressing everything that's required," he notes.

4. ASSIGN SECURITY RESPONSIBILITY. This means a person, not a committee, Braithwaite warns. It sounds simple, but someone has to have the responsibility of developing and implementing your policies and procedures that make your security plan work.

5. ENSURE WORKFORCE SECURITY. You have to ensure that the members of your workforce have appropriate access to protected health information, urges Braithwaite. "Appropriate access" means you'll have to consider whether or not you'll need to have procedures in place to authorize and supervise workforce members that have or could have access to electronic PHI. This also applies to employees who've been terminated; they'll have to be cut off from access to PHI when their employment ends.

6. TRAIN YOUR WORKFORCE. The security rule specifies that all members of one's workforce must have training with respect to security principles. Braithwaite advises CEs to perform periodic security updates, say, via a group email or a newsletter. "Remind your workforce what they should be doing in terms of their security procedures every so often," he says. It's also a good idea to implement protections against the malicious software out there. Additionally, the person responsible for your security plan should monitor login attempts and manage passwords, he urges.
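Steps 3, 5 and 6 above all come back to the same practical task: the logs and access reports you keep are only useful if someone actually reviews them for activity by terminated workforce members, repeated failed logins and access at unusual hours. The script below is an added illustration of that review, not code from the article or from any of the firms quoted in it. It assumes a constructed, line-based access log format (timestamp, user, event, resource) and a constructed termination roster; a real system's log layout and HR feed would differ, but the review logic is the same.

```python
"""Review an access log for the findings an "information review system" should surface.

Assumed (constructed) log format, one event per line:
    <ISO-8601 timestamp> <user id> <event> <resource>
with events LOGIN_OK, LOGIN_FAIL and RECORD_VIEW.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log lines; not from any real system.
SAMPLE_LOG = """\
2003-03-03T08:01:12 jdoe LOGIN_OK -
2003-03-03T08:02:40 jdoe RECORD_VIEW patient/1042
2003-03-03T08:05:00 mrivera LOGIN_FAIL -
2003-03-03T08:05:20 mrivera LOGIN_FAIL -
2003-03-03T08:05:45 mrivera LOGIN_FAIL -
2003-03-03T08:06:10 mrivera LOGIN_FAIL -
2003-03-03T09:15:00 tsmith LOGIN_OK -
2003-03-03T09:16:30 tsmith RECORD_VIEW patient/2210
2003-03-03T23:40:05 jdoe RECORD_VIEW patient/3301
"""

# Constructed roster of terminated workforce members (user id -> last day of employment).
# In practice this would be fed from the HR system, per step 5 (cut off access at termination).
TERMINATED = {"tsmith": "2003-02-28"}

FAILED_LOGIN_THRESHOLD = 3      # assumed policy value; tune to your own procedures
AFTER_HOURS_START, AFTER_HOURS_END = 22, 6   # assumed: PHI views 22:00-06:00 get a second look


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, resource = line.split(maxsplit=3)
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "resource": resource,
        })
    return entries


def review_access_log(text, terminated, fail_threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of (finding, user, timestamp) tuples for a reviewer to follow up on.

    Findings raised:
      TERMINATED_USER_ACTIVITY  - any event by a user after their termination date
      REPEATED_LOGIN_FAILURES   - the fail_threshold-th consecutive failed login for a user
      AFTER_HOURS_PHI_ACCESS    - a RECORD_VIEW outside the assumed working hours
    """
    findings = []
    fails = Counter()
    for e in parse_log(text):
        user, when = e["user"], e["ts"]
        last_day = terminated.get(user)
        if last_day and when.date() > datetime.fromisoformat(last_day).date():
            findings.append(("TERMINATED_USER_ACTIVITY", user, when.isoformat()))
        if e["event"] == "LOGIN_FAIL":
            fails[user] += 1
            if fails[user] == fail_threshold:       # report once, when the threshold is first hit
                findings.append(("REPEATED_LOGIN_FAILURES", user, when.isoformat()))
        elif e["event"] == "LOGIN_OK":
            fails[user] = 0                          # a successful login resets the streak
        if e["event"] == "RECORD_VIEW" and (when.hour >= AFTER_HOURS_START or when.hour < AFTER_HOURS_END):
            findings.append(("AFTER_HOURS_PHI_ACCESS", user, when.isoformat()))
    return findings


if __name__ == "__main__":
    for finding, user, when in review_access_log(SAMPLE_LOG, TERMINATED):
        print(f"{when}  {finding:26s}  {user}")
```

Each finding is a lead for the security officer named in step 4 to document and close out, not a verdict; the point of the script is that the review happens on a schedule and leaves a record, which is what the rule's "information review system" requires.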

7. REPORT SECURITY INCIDENTS. Part of your policies and procedures should include addressing security incidents when they occur. That means having a response mechanism and then reporting those incidents. Identifying and responding to such incidents effectively and efficiently will help you to mitigate possibly harmful effects. And, if you do have a security breach, make sure to document it and its outcome, says Braithwaite. That way, you'll be able to show exactly what happened and, more importantly, what you did to prevent it from recurring.

8. HAVE A CONTINGENCY PLAN. Responding to an emergency situation is critical for any CE. Data backup and disaster recovery plans and emergency mode operation plans are required. What happens, for example, if your computer system is on the blink and you still have to treat patients? Testing and revising your contingency plan and procedures in emergency situations is especially important for larger organizations, says Braithwaite. Whatever your contingency plan looks like, it's important for you to analyze what are the most critical things to keep going when an emergency occurs.

9. UPDATE/REVIEW YOUR POLICIES AND PROCEDURES.

The rule requires you to perform a periodic technical and non-technical evaluation of your security plan to establish whether or not you're meeting the rule's requirements. While "periodic" isn't defined, Braithwaite says, "Every year or two is a good rule of thumb." But remember that software updates can occur more frequently, and he says whenever a vendor updates your software or replaces your old system with a more recent version, that's the perfect time to run an evaluation to ensure your policies and procedures are still up to snuff.

10. REVIEW YOUR BA AGREEMENTS. Roach says this is extremely important. Odds are you already have your business associate agreements in place that focus on the privacy rule. Unfortunately, the additional security rules mean you'll have to tweak those agreements to conform with some of the security regs, he cautions. Roach says even though it's highly unlikely your current BA agreement will contain the language appropriate to serve the security rule requirements as well as those in the privacy rule, he believes CEs shouldn't stress over the BA agreement modifications. "It won't be a big amendment, but that is something they should get in place, and I would suggest that people start that sooner than later."

Once you've got a BA agreement in place for privacy, the additional language for security is fairly minor, Roach states. While it shouldn't cause you undue amounts of frustration, it's important to get it done A.S.A.P., he warns. "Because it's a legal document, many covered entities would want their lawyer to look at it, and if they wait until March 2005 and think that their lawyer is going to be able to review 500 amendments to BA agreements and get them signed by the deadline, they're wrong."

11. REVIEW YOUR FACILITY'S ACCESS CONTROLS. A "facility" is really anywhere where electronic data is stored. Ask yourself this: Can anyone at all waltz into your computer room and make changes to a file? Think about all of the areas in your organization where someone could walk up to a workstation and make changes, advises Cynthia Smith, Senior Manager with PricewaterhouseCoopers. You know more than anyone else what's best for your organization, and you'll be obliged to come up with appropriate access controls based on your specific needs.

You'll have to come up with access controls for laptops or PDAs, for example. If a laptop that's been taken home for the day is stolen, you'll need to ensure that even though the computer is missing, patients' PHI is safe through encryption controls. The security rule isn't specific on these physical safeguards mainly because they should be specifically tailored to fit your needs.

12. KEEP MAINTENANCE RECORDS. If there's an accident or a situation that adversely affects your system, it could be that a line was accidentally cut. Or maybe there was a phone switch change. Whatever the case, keeping and maintaining maintenance records could help you identify not only who might have made the mistake, but also where you can focus your efforts to get the system back up A.S.A.P.

Editor's Note: These tips represent an overview of the security rule guidance presented by Hanks, Braithwaite and Smith, and they'll help you get a head start on your own compliance plan. Eli will supply you with more practical strategies you can use to beef up your compliance in our next issue.