A road map to HIPAA compliance

Nursing Homes, May, 2004 by David Oatway

As noted in my earlier article ("HIPAA Security Is Next," January 2004, p. 37), now is the time to start working toward the April 21, 2005 compliance deadline for the HIPAA Security Rule. Fortunately, the Security Rule is closely synchronized with the HIPAA Privacy Rule, which is already in effect, so some of the actions taken to comply with the Privacy Rule will expedite compliance with parts of the Security Rule. This article will help facilities plan the steps needed to comply with the Security Rule, with emphasis on what is reasonable for nursing facilities. The core language driving this regulation can be found in "The Regulatory Basis," p. 68. All facilities are urged to download an official copy of the Final Rule at www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp. For other helpful resources, see "Information Resources," p. 69.


The Security Rule is narrower in scope than the Privacy Rule. While the Privacy Rule covers all protected health information (PHI), paper or electronic, the Security Rule applies only to PHI that is stored or transmitted electronically. Like the Privacy Rule, the Security Rule emphasizes reasonableness and does not mandate any particular technology to meet its requirements. It allows the response to be scaled to each facility's size and technological environment. Each facility is required to assess its own status and address its vulnerabilities within its own organizational framework, as long as it complies with all required standards and evaluates, documents, and acts appropriately on the addressable ones. To better understand the distinction between "required" and "addressable," which is key to understanding this article, see "Implementation Specifications: Required versus Addressable."

Road Map to Full Compliance

Getting to compliance will require a deliberate effort to identify the vulnerabilities and threats to the confidentiality, integrity, and availability of electronic PHI, or ePHI. All of the following steps must be taken, but the exact order will depend on the circumstances of each facility. Each standard is labeled "Required" (R) or "Addressable" (A) in accordance with the Final Rule, along with a suggested timing of "Now" or "Later." While it would be desirable to do everything now, limited resources and the need to collect and analyze data before taking some actions dictate a phased approach. The timing suggestions must be evaluated by each facility; they are not part of the rule! In some facilities, standards suggested as "Later" may already have been met. The suggestions are intended for facilities that do not yet have the capability to comply with the standard.

We suggest that the facility's security official (and there must be one) use a HIPAA Security Matrix to ensure that each requirement is addressed. A comprehensive HIPAA Security Matrix is needed to document all issues related to the security of ePHI, and each facility will need to ensure that the security analysis it performs is comprehensive for that facility. Typically, a security matrix runs 20 pages or more. (A sample matrix for nursing facilities that can be tailored to individual facilities is available by e-mailing the author.) Documentation of the Security Rule analysis and resulting actions must be maintained in a written record (which may be electronic) that includes the Risk Analysis (see below) and reports of actions, policies, and procedures. Start it now.

Assigned Security Responsibility (R, Now). Identify the security official who will be responsible to the administrator for developing and implementing the facility's required policies and procedures. Small, relatively uncomplicated facilities might need only one person part-time, perhaps the facility's Privacy Official, to fill this role; more complicated facilities might need a team or designated staff. Because this lead person will need time to research and digest the requirements, he or she must be assigned immediately.

Risk Analysis (R, Now). The Risk Analysis is the foundation document for the compliance effort. Take time to do it well, since many other actions depend on it. Each facility must determine the particular vulnerabilities of its ePHI. This means considering "all relevant losses" that would be expected if the security measures were not in place. Examples include losses caused by unauthorized uses and disclosures, and any loss of data integrity or availability, such as that caused by a system crash with no current backup. The Risk Analysis should use the Security Matrix described above as a tool to ensure that all risks are identified and evaluated. The Risk Analysis must be repeated often enough to ensure that the security measures continue to provide the protection the rule requires, in particular whenever systems, staff roles, or the way ePHI is handled change.

Authorization and/or Supervision (A, Now). This overlaps with Privacy Rule work already done: policies and procedures must be in place to ensure that only authorized staff have access to ePHI, and that staff who work with it are appropriately supervised.

Workforce Clearance Procedure (A, Now). This also overlaps with the Privacy Rule: policies and procedures must be in place to ensure that access to ePHI is granted only to staff who have been properly cleared for it.


Content provided in partnership with Thompson Gale