HIPAAnotes Volume Two, February 2002
No. 5 HIPAA Tech -- HIPAA Security: Not Just About Villains
Ask people about the purpose of a security program, and you may
conjure up thoughts of Agent 007. James Bond used high tech tools
and his wits to defeat the nastiest of villains. In the real world,
a good security program should address all types of threats - from
the most malicious to the accidental. Security experts commonly
categorize these threats as one of the following:
- Direct Threats
- Indirect Threats
- Acts of God
- Human Nature
Direct Threats occur when an individual deliberately attempts to gain
unauthorized access to, or possession of, your assets. The direct
threat often receives the most attention because it is the easiest
to identify. Within health care, direct threats may take the form of
hackers attempting to break into your computers, the theft of a personal
computer, or unauthorized entry into a secure area. Keep in mind that
your assets don't have to be tangible to be real; the value of your
reputation and your information may be higher than the value of your
equipment.
Indirect Threats are random situations where your organization
is not specifically an intended target. "Catching" a computer
virus is likely the result of an indirect threat. The theft of an
unattended PDA may also be the result of an indirect threat if the
thief was not looking for that PDA when they stumbled across it.
Protecting your organization against Acts of God requires an acknowledgement
of natural events and their potential impact. The use of emergency
generators can help reduce the impact of a potential power outage.
Backup tapes of sensitive computer data reduce the risk of loss
in the event of a disk drive failure. Disaster recovery plans are
developed specifically against this type of threat.
Finally, Human Nature creates many organizational security risks.
Lack of training, poorly documented or executed procedures, simple
carelessness, or mistakes in judgment cause the great majority of
security incidents within organizations.
The HIPAA Security NPRM (Notice of Proposed Rulemaking) is designed
to address all four threat categories. Given the recent rumblings
that the final Rule will be published soon, you should start looking
NOW at how security threats in each category could impact your organization.
William M. Miaoulis, Principal
Phoenix Health Systems
No. 6 HIPAA Detail: The 4 W's and H of HIPAA Security Training
We all know that HIPAA requires security training and awareness.
We must provide training on general security, policies and procedures,
password usage, viruses, security incidents, contingency plans and
more. How can this be done cost-effectively?
HIPAA provides only general training guidelines. It is the responsibility
of each organization to determine what training, education and awareness
must be conducted. Providing training includes the basics of WHO,
WHAT, WHEN AND WHERE/HOW.
In deciding WHO must receive HIPAA training, include anyone who
has access to patient information. This includes administration,
business office staff, clinicians, volunteers, contractors, residents,
and employees.
In determining WHAT training should be provided, look at internal
policies, the HIPAA standards and the key messages to be conveyed.
Remember that the message will be different for different users.
Management, patient care areas, Information Technology Departments,
vendors, volunteers, etc. will require tailored training. As an
example, management needs to understand HIPAA from a strategic,
budgetary and liability perspective; the needs of a hospital volunteer
would be much simpler.
WHEN training occurs should relate to when new security policies
and procedures are introduced to the workforce. Also, determine
if current training programs, such as employee orientation, performance
reviews, and corporate compliance training can cost-effectively
incorporate security training. If so, existing program schedules
may govern your HIPAA training timetable.
WHERE/HOW offers creative opportunities for cost-effective training
with minimum disruption to the organization. Training might be conducted
online via computer or web-based training and email messages; through
newsletters and posters; in staff meetings and managers' forums;
through legal contracts; through videos; and/or group or one-on-one
training. Be creative but repeat your message over and over!
Document attendance and test the effectiveness of HIPAA training.
You might give follow-up exercises or quizzes, or randomly ask employees
about the training and their comprehension.
Finally, in deciding the level of HIPAA training required within
your organization, remember the difference between training and
education. A medical student may learn a great deal in class
but will not really understand what to do without more "hands-on"
training.
Amanda Dorsey
Director, Phoenix Health Systems
No. 7 HIPAA Detail: How Does Certification Fit into the HIPAA Picture?
You have heard the word used in all sorts of contexts. Under the
proposed HIPAA security rule, certification is the part of compliance
that assesses the degree to which an organization's computer system
or network meets the security requirements. HIPAA provides that
this assessment may be performed internally by the organization
or by a recognized accrediting agency.
The tools for certification should involve a combination of interviews,
questionnaires, and monitoring software. One of the major goals
of the monitoring software is to analyze the organization's systems
and network to reveal vulnerabilities and potential threats (such
as viruses, worms, etc.).
Certification must demonstrate that the organization's systems and
procedures comply with the security rule. How often certification
must be repeated is not specified by HIPAA. However, procedures
for re-certification should be put in place to address changes in
technology, business processes, and policies/procedures. As always
under HIPAA, DOCUMENT, DOCUMENT, DOCUMENT!
Ken Schulkin
Director, Phoenix Health Systems
No. 8 HIPAA Terms -- Consent vs. Authorization: Why Are Both Required?
The Privacy regulation requires both consents and authorizations
- provisions that seem redundant and confusing. Actually, each form
of patient permission applies under very different circumstances:
Most health care providers already obtain a patient's written consent
before using or disclosing the patient's health information to carry
out treatment (direct from provider to patient), payment, or health
care operations - TPO, in HIPAA jargon. This is basically disclosure
for routine use. Today, many health care providers, for professional
or ethical reasons, routinely obtain a patient's authorization for
disclosure of information for reasons other than TPO. The Privacy
regulation builds on these common practices by establishing a standard
for covered health care providers to obtain their patients' agreement
to uses or disclosures about patient health information.
So when does consent apply? When a treatment relationship is direct
and use is for routine TPO, the provider must obtain the patient's
consent via a form signed by the patient. Examples of TPO are disclosure
for consultation about diagnosis, referrals to other providers,
submitting a claim for payment purposes, and internal quality review.
Providers do not have to obtain advance consent if they perform
indirect treatment (such as a radiology or lab exam requested by
a primary physician) or in special treatment situations such as
emergency treatment.
In order to disclose personal health information for any reason
other than TPO, the patient's authorization is needed. The patient
may revoke the authorization at any time, or an authorization may
expire upon a certain event or date. Authorizations may be initiated
by the patient or by the covered entity. An example of a patient-initiated
authorization would be authorizing health status disclosure
when applying for life insurance. An example of a covered-entity-initiated
authorization would be when a pharmaceutical company requests
patient demographic information for marketing of a new product.
Either way, all authorizations need to be in writing,
and signed and dated by the patient.
One last, important difference between consents and authorizations:
Consents are typically general in nature to enable normal, necessary
healthcare delivery follow-through. Authorizations must be written
precisely, stating the particular uses for the disclosure and setting
other patient-protective parameters such as duration and purpose.
Ken Schulkin
Director, Phoenix Health Systems