HIPAAnotes
September 2004
Living With HIPAA Privacy Rule While Preparing for Security
It has been well over a year since the HIPAA Privacy Rule became effective on April 14, 2003. During that time, healthcare organizations have been working through the expected and unexpected impacts of the changes required to fully comply with that rule. Now, as they deal with other HIPAA rules, these same organizations need to prepare for the April 21, 2005, implementation of the HIPAA Security Rule. It is wise to consider how Privacy needs to be integrated with Security. Numerous published articles and studies speak to this topic, and this short document touches on several key aspects.
While implementation of the Privacy Rule has led to better understanding by the public of health information privacy concerns, and has no doubt enhanced the privacy of that information, the growth of electronic health record technology is making it much easier to disseminate health data more widely for legitimate purposes. HIPAA permits disclosing such data for payment, treatment and other uses. The expansion of technology is also allowing clinicians to consult with their peers not only in the United States but in other parts of the world.
As institutions move toward implementation of the HIPAA Security Rule, their plans should include addressing such Security and Privacy crossover concerns as:
- Data sent to foreign countries, even for legitimate purposes, is not governed by HIPAA privacy rules in those countries. This may require domestic providers to use more secure means of data transmission and to require assurances that data privacy is protected.
- There is increasing use of email between patients and providers regarding their health data. Data security is essential for this legitimate exchange of information to remain private.
- The business structures of many healthcare institutions are becoming more complex. Enterprises may include one or more hospitals, owned physician practices, hospital-employed physicians who are not based in the hospital, and other arrangements. Ensuring both privacy and security of health data can require a great deal of planning across the corporation.
- Over the past few years there has been an increasing trend toward more use of contractors and contract services companies in various areas of hospitals. This has begun to move beyond the typical outsourced Environmental Services or Food Services areas and into healthcare itself and the management of health data. Aside from technical data security, an institution must manage such contractual situations to ensure both privacy and security of health data.
These are only some of the potential HIPAA-sensitive situations an institution may encounter as our healthcare and technology environment continues to evolve. They illustrate that three of the most important keys to effective HIPAA compliance are to analyze the risks to data privacy and security together, ensure that correct contractual and procedural safeguards are in place -- and remain alert to changes in how health data are being used.
Jerry Bok, Director
Phoenix Health Systems