HIPAA Security Rule – Waiting for the other shoe to drop?
Congress passed the Health Insurance Portability and
Accountability Act (HIPAA) in 1996. Since then, the healthcare
industry has been waiting for "the other shoe to drop": the point
at which enforcement really starts. How would HIPAA enforcement
affect Protected Health Information (PHI) and its electronic form,
electronic PHI (EPHI)? How would the law ensure access to needed
medical information while still protecting EPHI?
On February 16, 2006, the Department of Health and Human
Services (HHS) published a final rule (the HIPAA Enforcement
Rule) that details the bases and procedures for imposing civil
money penalties on covered entities that violate any of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA)
Administrative Simplification Rules. Enforcement under these rules
largely centered on responding to complaints.
In March 2007, Atlanta's Piedmont Hospital became the first
institution in the country to be audited for compliance with the
HIPAA Security Rule.
The audit was conducted by the Office of Inspector General at the
U.S. Department of Health and Human Services (HHS) and was seen by
some in the healthcare industry as a precursor of similar audits to
come at other institutions.
Neither Piedmont nor HHS officials publicly confirmed the audit or
spoke about it. That silence sparked considerable curiosity about
why Piedmont was targeted, the scope of the audit, and the kind of
information HHS was seeking.
On August 4, 2009, the Secretary of Health and Human Services (HHS)
announced that, effective immediately, the Office for Civil Rights
(OCR) is responsible for enforcing the HIPAA Security Rule in
addition to the Privacy Rule it already enforced. Security Rule
enforcement had previously sat with the Centers for Medicare &
Medicaid Services (CMS).
For those in the healthcare industry this was more than the
long-awaited shoe dropping. This was an industry wakeup call to
make information security a top priority by not only securing
patient health information, but also ensuring it remains
private.
To refresh your memory, the HITECH Act, enacted as part of the
American Recovery and Reinvestment Act of 2009 (ARRA), created much
stronger HIPAA fines and penalties. While many in the industry
expected increased compliance pressure, the move to OCR was
unexpected. It turned indifferent enforcement into a focused legal
mandate.
OCR has a long and successful history of developing case law
around ambiguous legal descriptions, which is exactly what we
are seeing as standards and case law are now defining
“meaningful use” and “reasonable access.”
Within 24 hours of its official delegation of HIPAA compliance
responsibility, OCR announced it had settled the first of several
legal cases. Many involved people in clinical roles viewing
Electronic Health Records (EHR) when they had no clinical or
business reason to read the file.
This was the first time the government prosecuted the mere viewing
of PHI under HIPAA, both criminally and civilly. In these cases
nurses, doctors, and other employees were fired, suspended, and
fined for reading a patient file without a valid reason to access
it. They were found guilty even though they did not share, sell,
or even discuss the patient information.
In March 2005, NIST (National Institute of Standards and
Technology) published Special Publication 800-66, its guide to
implementing the HIPAA Security Rule. In October 2008, it published
the first revision of that guide. The guide summarizes the scope of
the Security Rule as follows:
"All HIPAA covered entities, which include some federal agencies,
must comply with the Security Rule, which specifically focuses
on protecting the confidentiality, integrity, and availability
of EPHI, as defined in the Security Rule. The EPHI that a
covered entity creates, receives, maintains, or transmits must
be protected against reasonably anticipated threats, hazards,
and impermissible uses and/or disclosures. In general, the
requirements, standards, and implementation specifications of
the Security Rule apply to the following covered entities:
Covered Healthcare Providers – Any provider of medical or other
health services, or supplies, who transmits any health
information in electronic form in connection with a transaction
for which the Department of Health and Human Services (DHHS) has
adopted a standard.
Health Plans – Any individual or group plan that provides, or pays
the cost of, medical care, including certain specifically listed
governmental programs (e.g., a health insurance issuer and the
Medicare and Medicaid programs).
Healthcare Clearinghouses – A public or private entity that
processes another entity's healthcare transactions from a
standard format to a nonstandard format, or vice versa.
Medicare Prescription Drug Card Sponsors – A nongovernmental
entity that offered an endorsed discount drug program under the
Medicare Modernization Act. This fourth category of "covered
entity" remained in effect until the drug card program ended in
2006."
The rule itself is fairly substantial and covers more than what one
would consider just "information security". It is well written and
over 100 pages in length, and it contains over 100 required
activities that may take substantial effort to fulfill. These
requirements are not as restrictive or costly as complying with
other standards such as PCI DSS (payment cards). However, PCI DSS
calls for extensive testing to ensure its requirements are met,
and we do not yet know what kind of verification OCR will mandate.
The good news is that a significant number of (larger) institutions
already have many of the written policies and procedures the
Security Rule mandates (43). They may not necessarily have
performed the identification tasks (17), risk assessments (13),
auditing (4), or training (6), or implemented the controls (19)
identified.
To see where you stand, review the standard itself, and seek
assistance with compliance or an assessment of your current state
before the other shoe drops.