By Brian Shrift, HCISPP
Evidence is mounting that the U.S. Department of Health and Human Services is beginning to crack down on medical practitioners who aren’t fully compliant with the HIPAA Security Rule.
That’s potentially bad news for many health care organizations that have taken a less than rigorous approach toward compliance. What does it take to become compliant? First, let’s take a brief look at the rule itself.
The Security Rule’s primary objectives are to ensure the confidentiality, integrity and availability of electronic protected health information (PHI). In plain English, the law was written to ensure adequate safeguards are put in place so that patient data is protected from unauthorized access and disclosure, cannot be improperly altered or deleted, and is always accessible when needed.
The HITECH Act of 2009, whose implementing Omnibus Final Rule required compliance by Sept. 23, 2013, strengthens the civil and criminal enforcement of the Security Rule. The Security Rule has been in force since 2005 (2006 for small health plans), but with minimal penalties for non-compliance there was little incentive to make the investment in compliance. With the HITECH Act ushering in penalties of up to $1.5 million per year for each violated provision, noncompliance is a costly risk.
When I first read the Security Rule, I was taken aback by all the rules and regulations being forced upon the medical community, myself included as a health care IT practitioner. But the more I thought about it, the more I understood the importance of protecting our private health information: my private health information.
The Security Rule focuses on three core areas: Administrative, Physical and Technical Safeguards. I’m going to review just a few of the items from the three areas, to give you a better understanding of some of the requirements your business is subject to.
Administratively, you’re required to have an accurate inventory of the hardware and software that contain PHI. Without an accurate inventory, how would you know which devices you need to protect from viruses and spyware, monitor logins on, and manage passwords for? And speaking of passwords, not only does each staff member require a unique login, but each staff member should only be granted access to the PHI required for them to complete their job.
Physically, you’re required to ensure traditional safeguards are in place to protect your equipment, such as locked doors, screen barriers, cameras, etc. A data backup is also required, which should be maintained offsite to ensure your PHI is not lost in the event of a disaster such as a fire, flood or theft. Do you maintain a log of the maintenance performed on your door locks?
A maintenance log for your door locks? I always use this example when discussing Physical Security because at first, this could seem like excessive regulation. But when you take a moment to think about it, you have to remember this law was written for organizations large and small. When you read this rule, you may think of your front door and your back door, each with a single key. Whereas other organizations may not even have traditional door locks, instead using electronic key fobs.
Throughout the Security Rule you’ll read the word “reasonable,” which allows for interpretation of the law. Is it reasonable that you have redundant servers in a secondary facility which automatically failover in the event of an outage? No, you’re a one-physician practice with four computers. But if that organization were a multi-hospital health system, then yes, it would be reasonable for them to have those kinds of failover systems in place. Fortunately, we’re able to work a little common sense into our implementation of the Security Rule.
That’s the same when you look at some of the Technical Safeguards, such as encryption. When I hear other “IT Professionals” upselling physicians on encryption packages because it’s “the law,” I get upset, as they’re either uneducated or taking advantage of an individual who is relying on them for guidance. Encryption is an “addressable” implementation specification: when reviewing the Security Rule you must determine whether it is reasonable and appropriate to implement encryption to protect PHI, and document that determination, along with any equivalent alternative measure, in your risk analysis. If you’re accessing your Electronic Medical Records on an internal, private network, then no, encryption of that traffic may not be required. But if you wanted to finish reviewing those remaining charts from the comfort of your den, then yes, you would need to connect to your office using an encrypted connection, such as a VPN. One caveat worth weighing in that analysis: under the Breach Notification Rule, PHI that was encrypted in line with HHS guidance is considered “secured,” so a lost laptop with an encrypted drive is not a reportable breach, while a lost laptop with an unencrypted drive is.
The Security Rule is very comprehensive and technical, and it will take an investment of your time and an IT Professional educated in the Security Rule to complete implementation. But it is law, and you are required to comply with it.
“But I’m a small fish, they’re not going to audit me. They’re going to go after the hospitals and the big chains.”
I’m sure that’s just what Phoenix Cardiac Surgery, a smaller practice of five physicians, thought as well. According to the U.S. Department of Health and Human Services, a recent investigation determined that the practice was posting patient appointments on an Internet-based calendar that was publicly accessible. The investigation also showed that the group had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules and had limited safeguards in place to protect patients’ electronic health information.
Not only did Phoenix Cardiac Surgery have to pay a settlement of $100,000, but it still had to bring itself into compliance with the Security Rule under a corrective action plan, not to mention all the bad press.
If you haven’t yet given the Security Rule the attention it deserves, it’s not too late.
However, it is worth noting that this isn’t always a task that can be completed overnight. For the benefit of our health care clients, our firm has spent more than a year developing a comprehensive solution for our customers. Developing our custom software and automated processes involved becoming HIPAA Security Rule experts and employing the aid of HIPAA legal experts to ensure our solution was comprehensive.
For more information on the Security Rule and HITECH Act, and for your complimentary Business Associate Agreement (updated to comply with the HITECH Act and the Breach Notification Rule), please visit our website: HIPAASecurityHelp.com.
Brian Shrift is president and Director of Technology at Precision Business Solutions. Mr. Shrift is a certified Health Care Information Security and Privacy Practitioner.