Beef up your information security with the new HIPAA-mandated standards
HHS’ rules aren’t just a good idea; they’re the law
This month, if everything remains on track, the Department of Health and Human Services (HHS) will unveil the final version of its standards for information security, as mandated by the 1996 Health Insurance Portability and Accountability Act (HIPAA). If you’ve been waiting for "official" guidance on how to proceed in strengthening your information security systems, it’s well past time to get busy, experts say.
Although the new rules likely will include a two-year implementation period, developing effective facility-wide policies can be a lengthy and labor-intensive process. If your organization isn’t compliant when time finally runs out, you could be facing criminal and civil sanctions. That’s because, unlike HHS’ model compliance plans, the information security standards aren’t just "guidances"; they carry the weight of law.
The standards are needed, says Sandra Fuller, MA, RRA, vice president of practice leadership at the American Health Information Management Association in Chicago, because the health care industry as a whole is still playing catch-up with other industries when it comes to information technology. And it continues to fall behind in ensuring the security of confidential information. "Depending on the health care institution, maybe all the steps have been missed," Fuller says. "I’m certain there are places that have no auditing function, that don’t have policy, that don’t have anybody responsible [for policy], that just haven’t paid attention."
Ironically, one reason why many institutions haven’t developed formal information security policies has been the assumption they aren’t really needed. "When you start to talk about policy and awareness programs and training programs, and you ask what are you going to do when somebody violates this policy and what is your follow-up going to be, people look at you like, ‘Well, of course no one’s going to breach confidentiality. We’re all professionals,’" Fuller says. "It’s assumed that there is an individual professional awareness or concern for the patient’s best interest." The problem is that no one is perfect, and some professionals have divergent opinions regarding where the patient’s best interest lies.
Fortunately, not everyone’s behind the curve on this, Fuller notes. She’s aware of some institutions that have been working hard on information security initiatives since before HIPAA was passed in 1996. "But we also have people yet today that have no clue that HIPAA exists," she says. Many institutions, particularly those with an information systems director or a health information management director, may be aware of the need for formalized information security standards but have been waylaid by other, more pressing concerns, such as preparing the organization for year 2000 computer problems. "That’s certainly been a huge diversionary issue for the industry," Fuller says.
The good news is that if you’ve done an effective job preparing for Y2K, you’ve probably also paved the way for adhering to the HIPAA security standards. That’s because a big part of the concern over Y2K has to do with information security issues.
For example, the HIPAA regulations require contingency planning in the following areas, all of which relate to Y2K preparation:
• applications and data criticality analysis;
• data backup plan;
• disaster recovery plan;
• emergency mode operation plan;
• testing and revision.
In their Y2K preparations, most organizations developed a way to identify the systems and data most crucial to their business. The resulting prioritized list, Fuller says, effectively serves as an application and data criticality analysis. That analysis should help you better direct your information security efforts by identifying the areas most important to your business.
With regard to data backup, Fuller says, "I would think that everybody right now is more aware of backup than they have been at any other time in the industry" as a result of Y2K. "So what are the points of failure, what are the vulnerabilities? They should have done some of that risk assessment, and should be able to carry it over" to information security issues.
In their Y2K preparations, many organizations have also already developed an emergency mode operation plan, another HIPAA requirement. Such a plan should address how the organization will respond if confronted with a systems failure or some type of natural disaster.
Questions to ask regarding emergency procedures include:
• What systems are supported by emergency power, and how long does that power last?
• Does a "hot site" (a replication of your critical systems in a remote location) exist, and how long does it take to bring it on-line?
• What hardware alternatives can be employed?
• Is replication built into the network?
• Can the vendor supply new hardware within hours, or will it take days?
• What is the process for switching back to manual procedures?
Fuller notes that, while the HIPAA standards represent a good place to start for organizations committed to improving their information security standards, they probably won’t provide a complete blueprint for your organization. Their purpose is to provide a "common baseline" for the industry, and as such the initial standards aren’t likely to be too onerous. It’s likely, however, that the standards will be updated annually to "make them more stringent," she says.
"The industry still has a lot of work to do," she says. "We believe [HHS] has started in the right place, in the areas of policy, accountability, and training. That’s because, if you look at the cause of most security breaches, it’s been because either security wasn’t anybody’s job or people didn’t know any better."
The next step beyond HIPAA is likely to be a push toward standardizing information software packages, which currently aren’t regulated with regard to the types of features they must include. Fuller says that, as organizations begin to address information security concerns, they’ll discover that their software may be hindering their efforts. For example, some software packages don’t keep audit trails, or the audit trails they do keep are rudimentary at best. "It may only record the last person who looked at a record," Fuller says. "Or it may not specify which record you were in. It doesn’t give you a level of detail that allows you to actually take corrective action."
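The difference Fuller describes, between a system that only remembers the last person who looked at a record and one whose audit trail supports corrective action, is easiest to see in code. The following is an added illustration, not code from the article or from AHIMA; the user IDs, record IDs, timestamps and the user-to-record assignment table are constructed sample data.

```python
"""Per-access audit trail versus a "last viewer" field.

Added illustration (not code from the article or from AHIMA). Every
user ID, record ID and timestamp below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    """One access to one patient record."""
    when: datetime
    user: str        # hypothetical user ID
    record_id: str   # hypothetical patient record (MRN) ID
    action: str      # "view", "update", "print", ...


class LastViewerOnly:
    """The rudimentary model the article describes: one field per record
    holding whoever looked at it last. Each access overwrites the previous."""

    def __init__(self):
        self._last = {}

    def record(self, event):
        self._last[event.record_id] = event.user

    def last_viewer(self, record_id):
        return self._last.get(record_id)


class AuditTrail:
    """Append-only per-access log: who, which record, what action, when."""

    def __init__(self):
        self._events = []

    def record(self, event):
        self._events.append(event)

    def accesses_to(self, record_id):
        """Full history of one record, oldest first."""
        return [e for e in self._events if e.record_id == record_id]

    def accesses_by(self, user):
        """Everything one user touched, which the last-viewer model cannot answer."""
        return [e for e in self._events if e.user == user]

    def outside_assignment(self, assignments):
        """Accesses to records the user is not assigned to; `assignments`
        maps user -> set of record IDs (hypothetical care-team table)."""
        return [e for e in self._events
                if e.record_id not in assignments.get(e.user, set())]


# Constructed sample data: nurse_a is on MRN001's care team, clerk_b is not.
ASSIGNMENTS = {"nurse_a": {"MRN001"}, "clerk_b": {"MRN002"}}

SAMPLE_EVENTS = [
    AuditEvent(datetime(1999, 9, 1, 8, 0), "nurse_a", "MRN001", "view"),
    AuditEvent(datetime(1999, 9, 1, 8, 5), "clerk_b", "MRN001", "view"),
    AuditEvent(datetime(1999, 9, 1, 8, 10), "clerk_b", "MRN002", "view"),
    AuditEvent(datetime(1999, 9, 1, 8, 20), "nurse_a", "MRN001", "update"),
    AuditEvent(datetime(1999, 9, 1, 8, 30), "clerk_b", "MRN001", "print"),
]


def load_sample():
    """Feed the same sample events into both models and return them."""
    trail, last = AuditTrail(), LastViewerOnly()
    for event in SAMPLE_EVENTS:
        trail.record(event)
        last.record(event)
    return trail, last


if __name__ == "__main__":
    trail, last = load_sample()
    # The last-viewer field has already forgotten nurse_a's two accesses
    # and clerk_b's earlier view of MRN001.
    print("last viewer of MRN001:", last.last_viewer("MRN001"))
    print("full history of MRN001:", len(trail.accesses_to("MRN001")), "events")
    for e in trail.outside_assignment(ASSIGNMENTS):
        print(f"{e.when:%H:%M} {e.user} {e.action} {e.record_id} (not on care team)")
```

With the per-access log, a privacy officer can answer "who has seen this record?" and "what did this user look at?" and can flag clerk_b's two accesses to MRN001 for follow-up; the last-viewer field can only say that clerk_b was the most recent reader, which is not enough to act on.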
The reason so many software systems are inadequate when it comes to information security is that, up to now, the issue hasn’t been a deal-breaker in choosing one system over another. "Functionality and integration have been much more important considerations," Fuller says. "I think that will continue. That’s why I think the right approach for the industry to take is a certifying approach that would encourage every vendor to come to the baseline."
Even if your institution already has effective standards to ensure information security, Fuller cautions that it’s important not to become complacent. "You may have a good monitoring system or auditing system for the kinds of health care information you have out there today, but the information will change," she says. "You’ll have more granularity. There will be more detail." And as information security systems become more elaborate, organizations will be forced to consider ways to balance the need for security with the ability of health care professionals to easily access important information in a timely manner.
Reference
1. Fuller S. Implementing HIPAA security standards — are you ready? J AHIMA 1999; 9:38-44.