Lynda M. Johnson
Joanna D. Schulte
Taking a proactive stance is your top job for effective information security.
At a Glance:
Healthcare providers trying to meet the April 21 deadline to comply with HIPAA's security regulations need to take several actions:
- Study the security regulations to determine adequate levels of security for each organization.
- Establish a security committee and appoint an information security officer.
- Identify existing security measures within the organization, including administrative, physical, and technical safeguards.
- Conduct a thorough risk analysis.
- Develop and implement remediation plans.
- Adequately train the workforce.
- Periodically review these compliance activities.
With the security compliance deadline quickly approaching, healthcare leaders should take several steps to prepare their organizations for a smooth transition into compliance with HIPAA's security regulations.
1. Study the Security Regulations
Healthcare leaders must become familiar with the HIPAA security regulations and how the regulations will affect their organizations. It is essential to the success of the organization for "reasonable and appropriate" measures to be taken when confronting the requirements of the security regulations. A balanced security approach provides due diligence without impeding the delivery of healthcare services. The lack of adequate security may result in unauthorized access to confidential information; however, too much security may hinder the delivery of healthcare services. Risk elimination is not the goal. Rather, providers should strive to reduce risks to an acceptable level based on the organization's risk tolerance.
2. Establish a Security Committee and Appoint an ISO
When establishing the security committee, representatives from various departments within the organization should be designated to serve as members. Factors that may affect the success of the security committee are support from senior administration and participative board involvement. The security committee will be very valuable in documenting whether a particular specification is reasonable and appropriate for the organization. To ensure personal accountability, it is also important to assign responsibility for security regulation compliance to one individual. This individual is typically named the information security officer (ISO). Large organizations may have site security coordinators working with the ISO, while smaller organizations may ask the privacy officer to serve as the ISO or outsource the ISO function altogether.
3. Examine Current Security
The security committee should identify the existing security measures within the organization, including administrative, physical, and technical safeguards. The committee should then begin to focus on creating a security management process. For example, controls that the committee should look for that might already exist or that need to be established pertaining to workforce security include:
- Authorization controls to verify the identity of the workforce member
- Types of background checks that will be conducted for workforce members
- Collecting access control devices or changing door locks after a termination
4. Conduct a Risk Analysis
The organization should conduct an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information. Although this risk analysis is used as a benchmark to allow an organization to determine the appropriate means of compliance, this latitude should not be taken to mean that organizations have complete discretion to make their own rules. Three basic elements are required of the risk analysis.
The risk analysis must be accurate. Although a third-party review is not required, objectivity in the review is critical.
The risk analysis must be thorough. All systems that contain electronic protected health information should be analyzed.
The risk analysis should contain an assessment of risks and vulnerabilities. All elements of all systems that contain electronic protected health information should be defined, all likely threats to these systems should be determined, and the level of vulnerability of these systems should be determined. In addition, the likelihood that an actual loss of confidentiality, integrity, or availability will occur should be determined, and the likely costs of any loss of confidentiality, integrity, or availability should be analyzed.
5. Develop Remediation Projects
After the completion of the risk analysis, the security committee should begin the development and prioritization of remediation projects. The group should begin acquiring needed technology and implementing system fixes. It is necessary to create compliant policies, procedures, and feedback loops that include monitoring, audit trails, incident reporting processes, and business continuity. Also, procedures should be put in place to allow users to report unusual security occurrences or breaches of patient confidentiality.
The security regulations identify the need for facility access controls under the physical safeguards. Facility access controls are used to protect buildings, equipment, and media from natural and environmental hazards and unauthorized intrusions. One way organizations can control facility access is by tracking maintenance records for repairs or changes to door locks. Examples of other facility controls include:
- Workstation use
- Workstation security
- Device and media controls
Organizations should verify that workstations are located in an area that will prevent unauthorized viewing. A random audit of computer workstations should also be conducted to verify that they have been updated with the latest version of their virus-detection software. Also, the security committee should use the risk analysis to determine the extent of audit trails necessary. Events that trigger an audit need to be determined jointly by the data owners and the privacy and security officers.
The technical safeguards specified in the security regulations require organizations to document any integrity controls that will be employed, particularly for transmission beyond the internal network, to ensure the validity of the data being sent and the identity of the sender. When electronic protected health information is transmitted from one point to another, it must be protected. Although the security regulations do not require the encryption of e-mail, they do specify that this protection should be commensurate with the associated risk.
6. Train Your Workforce
Security awareness and training are critical, regardless of an organization's size. The security committee should be responsible for developing and implementing training programs for the entire organization, including members who work from home (such as transcriptionists). Information security content that should be covered in workforce training includes:
- Security reminders
- Protection from malicious software
- Log-in monitoring
- Password management
Organizations also should consider coupling this security training with a privacy refresher course.
7. Evaluate Compliance
As organizations work toward compliance, it is essential that they periodically review their program controls and procedures and test security mechanisms. Organizations should maintain a running, annotated, up-to-date documentation file that supports their decision-making relative to each of the security implementation specifications. This documentation should be retained for a period of six years either from the date of its creation or from the date when it was last in effect, whichever is later.
Another important consideration for all covered entities is the adoption of a media reuse policy. People purchasing used computers sometimes find sensitive and confidential information stored on the hard disks. In some instances, it has been possible to retrieve names, addresses, medical information, Social Security numbers, and credit card numbers. Organizations should implement a strong media reuse policy to prevent these types of disclosures, which could lead to identity theft.
In working toward compliance, organizations should document procedures for the secure, offsite storage and rotation of backup copies of electronic protected health information. Such a contingency plan should include the following elements:
- Data backup plan
- Disaster recovery plan
- Emergency mode operation plan
- Testing and revision procedure
- Applications and data criticality analysis
The HIPAA security regulations require healthcare organizations to apply reasonable and appropriate safeguards and controls to protect electronic protected health information. Performance of a risk analysis and documentation of the security committee's consideration of all addressable implementation specifications are key elements in striking the appropriate security balance in your organization. If you have not yet begun compliance efforts in your organization, don't delay any longer.
Lynda M. Johnson, JD, is a partner, Friday, Eldredge & Clark, LLP, Little Rock, Ark.
Joanna D. Schulte is a human resource specialist, Veterans Healthcare System, Little Rock, Ark.
HIPAA's Security Regulations: An Overview
Each safeguard outlined by the HIPAA security regulations contains several specifications that are classified as either addressable or required. It is important to note that the term addressable does not mean optional. There are 22 addressable specifications and 20 required specifications that need to be analyzed by each "covered entity," which includes virtually every healthcare provider. Covered entities must be in compliance with the final HIPAA security regulations by April 21, 2005.
When analyzing the addressable specifications, healthcare organizations should consider whether the specification is reasonable and appropriate based on factors such as a risk analysis, the organization's mitigation strategy, security controls currently in place, and the costs of implementation. If the organization finds that the addressable specification is reasonable and appropriate, it should be implemented. However, if the particular addressable specification is not reasonable and appropriate, the organization need not implement the specification, but should thoroughly document its reasons for not doing so. Organizations also have the option to implement an equivalent alternative measure that is deemed reasonable and appropriate.
Publication Date: Friday, October 01, 2004