DON'T LOOK NOW, BUT YET ANOTHER SET OF HIPAA REQUIREMENTS IS COMING YOUR WAY. WHAT TO DO, AND NOT DO
BY DAVID OATWAY, RN
Of the three HIPAA components, the data security component is the last to be implemented: the compliance date is April 21, 2005. Nursing facilities can get a head start on fulfilling these requirements, and actually improve their current data practices, by taking a reasonable approach to securing their electronic protected health information (ePHI). Facilities planning to acquire new software or hardware that will contain or manage ePHI should study the rule as part of the acquisition process and ensure that their selected vendor(s) can support its requirements.
Don't Wait, Start Now
Fortunately, most of the changes involved will be low-cost and make good sense to implement now, if you haven't already. Others will take longer to implement and need to be started soon to meet the deadline. As with the privacy component, some of the security requirements are technical, and many are operational. Here is an overview of what you should be thinking about now.
Try to Be Reasonable
As directed by Congress, the Department of Health and Human Services (DHHS) has been careful not to specify technologies to meet the HIPAA security requirements, but rather has specified process and outcome requirements. The word "reasonable" appears 57 times in the rule, demonstrating the government's willingness to let solutions scale with facilities' different sizes and degrees of sophistication. Consider the following factors in deciding what security measures are reasonable in your situation:
- the size, complexity, and capabilities of your organization;
- its technical infrastructure, hardware, and software security capabilities;
- what reasonable security measures might cost; and
- the probability and criticality of potential risks to the facility's ePHI.
Get Your Own Copy
While facilities may engage consultants to assist with HIPAA compliance, each facility remains responsible for achieving it. To begin with, get a copy of the final rule at www.cms.gov/hipaa/hipaa2/regulations/security/default.asp. The good news is that the actual rule is only eight pages long; the rest of the published document is a preamble of analysis and responses to public comments.
Next, determine whether the rule does, in fact, apply to your facility. If yours is a nursing facility, the rule applies absolutely: all nursing facilities must at least maintain computer-based MDS (Minimum Data Set) data and transmit those data to their state agencies. If you operate a CCRC or assisted living facility, the rule applies if you maintain residents' health information on a computer or transmit their ePHI electronically. (Staff employment records are exempt from the rule.)
Know How to Respond
There are two types of Security Rule specifications:
1. Required: The entity must implement the specification.
2. Addressable: The entity must (a) assess whether the specification is a "reasonable and appropriate" safeguard for its particular environment and (b) either implement the specification if it is reasonable and appropriate, or document why its implementation is not reasonable and appropriate and document any alternative measures taken as reasonable and appropriate.
The Security Rule in Outline
The following lists various compliance-related activities pertaining to the Security Rule:
1. Administrative safeguards.
Security management process. This includes formal review of information system activity, risk analysis, risk management, and development of a sanction policy.
Assigned security responsibility. Identify who in your facility is responsible for developing and implementing the policies and procedures of the Security Rule.
Workforce security. Develop policies for authorization and/or supervision of staff who work with ePHI, including procedures for clearance and employment termination.
Information access management. Implement policies and procedures for authorizing specific access to ePHI consistent with the applicable requirements of the Privacy Rule.
Security awareness training. Implement a security awareness and training program for all members of the workforce, including management; this includes posting security reminders, monitoring log-ins, and establishing password management procedures.
Security procedures. Develop procedures for identifying and responding to suspected or known breach-of-security incidents; mitigating, to the extent practicable, any harmful effects; and documenting breach-of-security incidents and their outcomes.
Contingency plan. This includes developing a data-backup plan and a disaster-recovery plan, outlining emergency-mode operational procedures, developing security policy testing and revision procedures, and performing criticality analysis of data and applications.
Evaluation. Perform a periodic technical and nontechnical evaluation based initially on the standards implemented under this rule and, subsequently, in response to any environmental or operational changes affecting the security of ePHI.
Business associate contracts. Document satisfactory assurances from business associates that they have procedures in place consistent with the organizational requirements of the rule.
2. Physical safeguards.