Safeguarding Electronic Information

William Hubbartt

HIPAA, the federal government regulation dealing with the privacy and security of health information, rears its head again in 2005 with yet another compliance deadline. HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. Covered entities such as health plans, health care clearinghouses, and health care providers were required in 2003 to establish privacy policies and to communicate privacy protections to consumers.

The latest compliance requirement, referred to as the Security Rule, defines a series of standards relating to providing administrative, physical and technical safeguards to protect the security of health information. The regulation creates a series of standards to protect the confidentiality, integrity, and availability of electronic protected health information.

The HIPAA Security Standard defines certain "Required" implementation specifications that must be implemented as written. Other specifications are "Addressable": the covered entity must assess each one and implement it where it is reasonable and appropriate for its environment; where it is not, the entity documents why and implements an equivalent alternative measure where one is reasonable and appropriate. "Addressable" therefore does not mean optional.

Under the Administrative Safeguards section, the Security Rule requires the covered entity to establish a security management process. This means that the organization must first assess security threats and then implement actions to prevent, detect, contain, and correct security violations. The following action items are required elements.

A good first step is to assign security responsibility. The rule requires the covered entity to identify a single individual who is responsible for the development and implementation of its security policies and procedures.

Conduct a risk analysis. The risk analysis is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. It is the basis for every later decision about which safeguards are reasonable and appropriate.

The next required element is a risk management process: implement security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level.

The regulation also requires the covered entity to create a security incident procedure: a process for identifying and responding to suspected or known security incidents, mitigating their harmful effects, and documenting the incidents and their outcomes.

Another required action is to develop a sanction or discipline policy. The entity should apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

An additional required action is to conduct an information system activity review. The review consists of procedures to regularly examine records of information system activity, such as audit logs, access reports, and security incident tracking reports, so that inappropriate access is detected rather than merely recorded.
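The rule requires the review but does not prescribe how to carry it out. The following is an added example, not code from the article or from any HIPAA guidance, of the kind of automated first pass a reviewer might run over an application audit trail before reading the exceptions by hand. The log format, the user roles, the permitted actions per role, the business-hours window and the failure threshold are all assumptions chosen for the illustration, and the log lines are constructed, not real data.

```python
"""Information system activity review over constructed EHR audit log lines.

Added illustration; not part of the original article. The log format, field
names, roles, permitted actions, business hours and failure threshold are
assumptions chosen for the example.
"""
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample audit trail (not real data). Assumed CSV columns:
# timestamp, user, role, action, patient_id, outcome
SAMPLE_LOG = """\
2005-03-01T09:12:04,dr_lee,clinician,view,P1001,success
2005-03-01T09:15:30,nurse_kim,clinician,view,P1001,success
2005-03-01T23:48:11,billing_ray,billing,view,P1001,success
2005-03-01T02:03:55,dr_lee,clinician,view,P2002,success
2005-03-01T10:01:00,temp_ana,contractor,view,P1001,failure
2005-03-01T10:01:09,temp_ana,contractor,view,P1001,failure
2005-03-01T10:01:17,temp_ana,contractor,view,P1001,failure
2005-03-01T10:01:25,temp_ana,contractor,view,P1001,failure
2005-03-01T11:30:00,billing_ray,billing,export,P3003,success
"""

# Assumed policy (hypothetical): which roles may perform which actions, the
# local business-hours window, and how many failures in the review period
# count as probable misuse or attack rather than a mistyped password.
ALLOWED_ACTIONS = {
    "clinician": {"view", "update"},
    "billing": {"view"},          # billing may read, but not export, records
    "contractor": set(),          # contractors get no direct record access
}
BUSINESS_HOURS = range(7, 20)     # 07:00 through 19:59
FAILURE_THRESHOLD = 3


def parse_log(text):
    """Parse the assumed CSV audit format into dicts with a datetime timestamp."""
    fields = ["timestamp", "user", "role", "action", "patient_id", "outcome"]
    events = []
    for row in csv.DictReader(StringIO(text), fieldnames=fields):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def review_activity(log_text):
    """Return (rule, user, detail) findings for a human reviewer to follow up.

    Three checks: a successful action the role is not permitted to perform
    (an access control that did not hold), successful access outside business
    hours (legitimate for on-call staff, but worth a look), and repeated
    failures by one user (a guessing attack or someone probing their limits).
    """
    events = parse_log(log_text)
    findings = []
    failures = Counter()

    for e in events:
        if e["outcome"] != "success":
            failures[e["user"]] += 1
            continue
        allowed = ALLOWED_ACTIONS.get(e["role"], set())
        if e["action"] not in allowed:
            findings.append(("unauthorized_action", e["user"],
                             f"{e['role']} performed {e['action']} on {e['patient_id']}"))
        if e["timestamp"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours_access", e["user"],
                             f"{e['action']} on {e['patient_id']} at {e['timestamp']:%H:%M}"))

    for user, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(("repeated_failures", user, f"{n} failed attempts"))
    return findings


def summarize(findings):
    """Count findings per rule, the figure a periodic review report would carry."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    results = review_activity(SAMPLE_LOG)
    for rule, user, detail in results:
        print(f"{rule:20} {user:12} {detail}")
    print(summarize(results))
```

On the constructed data the script flags two after-hours accesses, one export by a billing user whose role permits only viewing, and a contractor with four failed attempts. The point of the exercise is the disposition step the rule asks for: each finding is either explained and documented or escalated through the security incident procedure, and the reviewed period and its conclusions are retained as evidence that the review actually took place.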

The HIPAA regulation affects many other organizations that are not defined as covered entities. For example, firms that service the health care industry, referred to as business associates, are contractually obligated through their agreements with the covered entity to establish security safeguards. Businesses such as billing services, collection services, data processing firms, or other professional services that create, receive, or maintain protected health information on behalf of the covered entity in the course of providing their service qualify as business associates.

The HIPAA Security Rule also requires health plans to limit disclosure of protected health information to plan sponsor employers unless certain conditions are met. Employers who are health plan sponsors and receive electronic protected health information from the health plan are obligated to implement administrative, physical and technical safeguards to protect the information received.

Every organization has valuable operating or financial information and records in its computer systems, and those records must be protected from real or potential threats. The implementation specifications of the HIPAA Security Rule provide a blueprint for protecting confidential information, whether or not an organization is a covered entity.

William S. Hubbartt is a human resources and privacy consultant in St. Charles, IL (www.Hubbartt.com). He is the author of "The HIPAA Security Rule - A Guide for Employers and Health Care Providers," a 200+ page book in CD format.
