HIPAA Q&A
Question: Will we need to buy new computers in order to run security software that is compliant with the security rule?
Answer: No. The HIPAA security rule is technologically neutral, says Robert W. Markette Jr., an attorney with Gilliland & Caudill, a health care law firm based in Indianapolis.
"Health and Human Services [HHS] realized that it would be foolhardy to dictate technology in a rule that would not go into effect for two years. Therefore, the security rule requires security policies and procedures that cover certain specific points, but the rule does not dictate how a covered entity should go about complying with the rule," he says.
A same-day surgery program needs to perform a risk assessment and implement the requirements, but the decision to upgrade hardware or software is a decision based upon how the program decides to comply with the regulation, he explains.
Question: Will we need to be certified as compliant with the security rule?
Answer: No. HHS has not made certification part of the security rule, Markette says. "[It] will not consider a third-party certification evidence of compliance, and HHS has not designated any entity to provide such certification," he adds.
Question: Will we need to implement trading partner agreements with our business associates?
Answer: No. The trading partner agreement was part of the original security rule, Markette says. Under the new rule, when a covered entity shares electronic protected health information (EPHI) with a business associate, the rule simply requires some additional provisions in the contract that impose certain safeguarding requirements upon the business associate, he explains. For example, your business associate must agree to protect the information just as you protect it, by sharing it only with people that must have the information in order to perform their job, such as billing department employees, he explains.
Question: Will we need to purchase special software to ensure that none of our EPHI is altered without authorization?
Answer: No. "Although the rule requires same-day surgery programs to ensure that EPHI in their possession is not altered without permission, the rule does not require that the method for ensuring the integrity of information be electronic," explains Markette.
"In fact, HHS stated in the comments that for a smaller provider, a reasonable method of ensuring integrity might be to maintain paper copies of documents," he says.
If a question about the integrity of the data ever came up, the same-day surgery program simply could refer to the paper copy in its file.
Question: Does the security rule affect personal health information (PHI) in our paper files?
Answer: No, the security rule only applies to PHI maintained in electronic form, says Markette. However, PHI maintained on paper is subject to the privacy rule, he adds. (For information specific to the privacy rule, see these HIPAA Q&A columns: Same-Day Surgery, February 2003, p. 17; SDS, March 2003, p. 33; SDS, April 2003, p. 46; and SDS, July 2003, p. 82.)
Question: It appears that there will be some overlap between our privacy policies and our security policies. Can we borrow from our privacy policies to implement security policies?
Answer: Yes, there is a great deal of overlap in the two rules. "HHS set out to rewrite the security rule to harmonize with the privacy rule, and [it] succeeded," Markette says. "HHS has said that a covered entity should feel free to borrow from its privacy policies when implementing the security rule policies and procedures."
Question: Does the security rule require us to perform background checks on employees before allowing them to access EPHI?
Answer: No. The security rule does require a provider to ensure that an employee’s access to EPHI is appropriate; however, this does not mandate a criminal background check. HHS states in the comments to the rule that "the need of and extent of a screening process is normally based on an assessment of risk, cost, benefits, and feasibility, as well as other protective measures in place."
There may be some situations in which a background check is appropriate, but that would be a decision for a same-day surgery program based on its risk analysis, says Markette. An employee who works in the billing office, for example, should have no record of financial crimes or identity theft, he adds.
"Of course, some state laws require criminal background checks for certain employees as part of their licensing regulations," he emphasizes.
Question: Can our privacy officer also be our security officer?
Answer: Yes. The main reason for requiring a security officer is to ensure that final responsibility for security compliance rests with one individual, Markette explains.
"Most organizations will want to designate somebody who will be comfortable dealing with the technology issues inherent in the security rule, but there is no reason an entity’s privacy officer cannot be the security officer as well," he adds.
Source
For more information about the security rule, contact:
• Robert W. Markette Jr., Attorney, Gilliland & Caudill, 6650 Telecom Drive, Suite 100 Indianapolis, IN 46278. Telephone: (317) 616-3652. Fax: (317) 275-9246. E-mail: [email protected]. Web: www.gilliland.com.