Sure, there’s no compliance deadline to fret over regarding HIPAA’s security rule — yet — but if preparation for the privacy rule taught you only one thing, it’s that getting a head start is crucial.
The White House’s Office of Management and Budget staff fessed up Jan. 13 with charmingly bureaucratic laconism that it has received the Health Insurance Portability and Accountability Act’s final security rule. The OMB notice reads: “HHSCMS RIN: 0938-AI57 Health Insurance Reform Security Standards (CMS-0049-F) STAGE: Final Rule. ECONOMICALLY SIGNIFICANT: No. RECEIVED: 01/13/2003.”
What the OMB intends to do with the rule is anyone’s guess — not to mention when it anticipates releasing the final rule to the public — but there are a few steps covered entities should be considering now that will help to prepare them for the imminent advent of the final rule.
The OMB likely will surgically extract whatever it deems to be malignant provisions of the security rule, but you shouldn’t sit idly in the waiting room for the results of this procedure. If you haven’t done so already, there are a few steps you can take to ensure you get a head start on security rule compliance:
No need to start from scratch. Remember that there is an archetype for the administrative requirements pertaining to HIPAA security, and that you’ve probably already taken steps, whether you know it or not, that will aid you with security compliance implementation: following privacy rule guidance.
Covered entities must take all “reasonable” steps to protect a patient’s protected health information. Until the OMB issues the final security rule, “the draft of that rule provides the CE with guidance that can help define what ‘reasonable’ means,” explains Donald Ribelin, HIPAA Project Manager with FirstHealth of the Carolinas.
Ribelin says he considers it “reasonable” for CEs to develop their policies based upon the recommendations in the draft of the security rule. “At the very least,” he notes, “you’ll be taking positive steps toward compliance.”
Conduct a security assessment. Even though there’s no firm deadline for the security rule, this should be your first step. Your computer and software vendors should be able to help you perform an internal assessment and identify any deficiencies. Vendors and consultants can also advise you which software to use, and which procedures best fit your organization.
Psst…What’s The Password?
Restrict password access. Sometimes covered entities that have provided passwords to their staff discover too late that those passwords are being shared, according to Jennifer Bever with consulting group KarenZupko & Associates Inc. (KZA) in Chicago.
One way to implement more secure daily operations is to ensure that staff members don’t share their passwords, and that the passwords are difficult to decipher, KZA advises.
And the number of characters your CE uses may depend on the particular platform you use. For instance, if you’re on a Microsoft platform, you should probably use seven or eight characters, and if you’re on UNIX, it’s usually eight, says Fred Langston, senior principal consultant with Guardent’s Seattle office.
Utilize a password aging plan. Langston tells Eli that CEs will need a password aging mechanism, and he advises CEs to have staff members change their passwords every 35 days, and at a minimum every 90 days.
Langston says for small offices such as physicians’ practices, an onerous password policy is unnecessary, “but you also want to have a complexity requirement — a mixture of letters, numbers, special characters, upper and lower cases,” he urges.
Implement access controls. Implementing fundamental access controls is an area that will not be made obsolete quickly. A provider should think about what logical steps it can take to minimize access risks, including unauthorized external individuals accessing the provider’s system or internal users having access to sections of the system that are unnecessary for the individual’s job requirements. Users should be restricted to the level of electronic information that is necessary for performance of their job functions, says Eileen Kahaner, an attorney in the Washington office of Arent Fox Kintner Plotkin & Kahn.
A provider should “prohibit staff from taping passwords to the outside of their computer monitors and/or otherwise sharing this information,” she urges.
“Someone at the practice also should be responsible for immediately terminating access rights to individuals who leave the organization. Everyone should be required to log off their machines at the end of the day,” Kahaner informs Eli.
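As an added illustration (Python written for this page, not code from the article or from any of the firms quoted), a check that encodes the password advice above and Kahaner's point about terminating departed staff: minimum length by platform, the four character classes, the 35-day rotation interval and the 90-day ceiling. The `Account` fields and the sample values are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import string

# Minimum length per platform, following Langston (seven on Microsoft, eight on UNIX).
MIN_LENGTH = {"windows": 7, "unix": 8}
ROTATE_AFTER_DAYS = 35   # advised change interval
MAX_AGE_DAYS = 90        # hard ceiling; older passwords are out of policy


def complexity_findings(password: str, platform: str = "unix") -> list[str]:
    """Return policy violations for a candidate password (empty list means it passes)."""
    findings = []
    if len(password) < MIN_LENGTH[platform]:
        findings.append(f"shorter than {MIN_LENGTH[platform]} characters")
    # The four classes Langston lists: letters in both cases, numbers, special characters.
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    findings.extend(f"no {name} character" for name, ok in classes.items() if not ok)
    return findings


@dataclass
class Account:
    user: str
    last_change: date        # when the password was last set
    active_employee: bool    # assumed field fed from the HR roster
    enabled: bool            # whether the login still works


def account_findings(acct: Account, today: date) -> list[str]:
    """Aging check (35/90 days) plus the departed-staff rule."""
    findings = []
    age = (today - acct.last_change).days
    if age > MAX_AGE_DAYS:
        findings.append(f"password is {age} days old, past the {MAX_AGE_DAYS}-day maximum")
    elif age > ROTATE_AFTER_DAYS:
        findings.append(f"password is {age} days old, rotation due at {ROTATE_AFTER_DAYS}")
    if acct.enabled and not acct.active_employee:
        findings.append("login still enabled for a departed staff member")
    return findings
```

Run `account_findings` over the whole user list on a schedule and route the non-empty results to whoever owns access termination at the practice.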
Develop an encryption solution. This is high on Langston’s list for small providers. If you’re encrypting data at risk on your system as well as data in transit, you’re pretty much covering all bases in terms of data protection. That’ll help out a bunch if the feds ever come banging on your door, since protecting health data puts smiles on regulators’ faces, he claims.
Perform a data classification. If you don’t know where your patient data lives, how can you protect it? Langston says he’s spoken with many CEs who claim to have performed a gap analysis, but don’t know the first thing about how their data is classified.
Performing a data classification means evaluating the processes involved in storing, moving and accessing your protected health information. Langston says CEs “commonly think this is the same form of classification that corporations or military use — top secret, highly classified, trade secret, etc. — but for HIPAA the goal is to identify PHI.”
Langston says the most important point to take away on classification is that if you can’t locate every place where PHI data is stored, transmitted or received, “you’re not ready for a gap analysis, let alone implementation of remedial measures.” Make sure you get this taken care of ASAP, he urges.
While it’s still too early to say what form security rule enforcement will take, taking these due diligence steps should provide a springboard to compliance. And if you document each step you make, you’ll be taking a giant leap away from any potential enforcement actions.