At a Glance
With HIPAA's information security deadline looming, providers shouldn't lose sight of why they're putting forth so much effort. The end goal isn't merely one-time compliance, but establishing ongoing protections for the organization.
Most healthcare organizations recognize April 21, 2005, as the impending deadline when they need to be compliant with the HIPAA security rule.
Is this deadline on a back burner for your organization, or do you have a solid plan for readiness kept under a constant flame? Or perhaps you've thrown the security rule into the fire with all the rest of the rules? (You wish!)
Whatever your organization's current position, a critical aspect of the HIPAA security rule is the extent to which you are required to continually evaluate your security risk and update security plans. In essence, the compliance deadline is an artifact. Your organization's true focus should be on its ongoing efforts to manage residual risk.
Managing Residual Risk
Residual risk is the amount of risk that remains in the organization after controls have been put in place. Discussions of security efforts to manage residual risk often occur in the context of information systems. However, implementing effective security controls in the following areas is just as important.
Contractual obligations with business associates. A chief area of focus is ensuring that business associate agreements are updated with safeguard requirements and the obligation for business associates to report security incidents to you. Related to this, both parties need to agree on the definition of "security incident."
Human resources department. Descriptions of misconduct and offenses should be written broadly enough to cover any type of security violation, and policies need to be in place to ensure the organization will be able to apply sanctions consistently. Also, is the human resources department set up to retain records of security training? At the very least, the organization should be prepared to provide investigators with evidence that it has a security awareness program. Is the HR department ensuring that access terminations are performed on time, or does this function fall between the employee's supervisor and IT, with neither owning it? Another important responsibility for human resources is ensuring background checks are thorough enough to minimize the threat of people misrepresenting themselves. Safeguards in this area may seem like a low priority considering that few candidates will seek healthcare jobs to steal protected health information. However, significant threat exists. Patient records present a new place for identity theft, the fastest growing crime in the United States, and the only crime prosecuted under HIPAA so far.
Procurement office. Several areas demand appropriate security policies: Is language included in requests for proposals and bids that requires applicants to include information about security measures? How will access be controlled for contractors brought into the facility, and how will authorization occur? How will you keep records of repairs and modifications to the physical components of the facility that relate to security? If the procurement office is responsible for records management and destruction, how will it know that devices and media are appropriately stored and destroyed?
Of course, these are just some of the primary concerns. Security should become a way of life for people throughout the organization. Staff members in every department need to know who the information security official is, where security policies and procedures that apply to them can be located, and what to do in the event of an information security incident.
Several mindsets typically present barriers to establishing effective security controls.
Compliance is a one-time project. The HIPAA standard for "evaluation" relates to performing a periodic technical and nontechnical evaluation, based initially on the standards implemented under the rule, and subsequently in response to environmental or operational changes affecting the security of electronic protected health information. This evaluation process clearly indicates that security assessment is not a one-time project in preparation for the April 21 deadline. The evaluation standard, along with the security management process standard that requires ongoing review of information system activity, is obviously intended to support a continual improvement process.
Current practices are infallible. Perhaps you believe that security in your organization is good. First, would everyone agree with this perception? Several informal surveys show that many staff believe security in their healthcare employment setting is not strong. Even if perceptions don't match reality, the fact that such perceptions exist is a risk factor. It is conceivable that these individuals know something that others don't, or that they could be the source of complaints filed with CMS, under whose jurisdiction the HIPAA security rule falls. More important, would you be able to substantiate your belief that security is strong?
Documentation is a secondary priority. Without documented evidence, a security measure is as good as nonexistent. Many organizations find that they have been diligent about implementing information security controls but are hard-pressed to prove it. Documentation is missing, incomplete, or scattered in many locations. Or perhaps worse, many information systems produce so much documentation that the IT department can't keep pace. If you were the auditor, how would you rate such a scenario? Reams of paper or disks full of audit trail data are of no use in identifying potential access problems unless someone actually reviews them. Similarly, huge folders of change control records on the local drive of the change control officer are of little use if that individual cannot tell whether a specific change has been performed, or if no one else can access the records. Ensuring that documentation policies and practices reflect reality should be a top priority. Similarly, if audit trails are only used to investigate a potential incident, but the policy says they will be used to identify potential problems, then either the policy or the practice is in trouble!
Let's Get Cooking
Little time remains between now and the April 21 deadline. Healthcare providers should be well on their way to establishing information security controls throughout their organizations. It may be necessary to turn up the heat just a little bit, but not so much for buying new security wizardry as for ensuring appropriate documentation and preparedness for ongoing compliance.
Margret Amatayakul, RHIA, CHPS, FHIMSS, is president, Margret\A Consulting, LLC, Schaumburg, Ill. Her e-mail address is email@example.com.
Publication Date: Tuesday, February 01, 2005