HIPAAnotes Volume Two, October 2002

No. 38 HIPAA Regs -- Developing Organizational Privacy Policies? Don't Forget Security! Part I

With the HIPAA Privacy Rule deadline rapidly approaching, most organizations' HIPAA teams have focused their energies on meeting the Privacy requirements. Security has been largely relegated to the Information Technology departments. However, you may be surprised to learn that you are also required to "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information" as contained in § 164.530(c)(1). With this standard, the security aspect of HIPAA can no longer be a sleeping giant. HHS is expecting all Covered Entities to implement appropriate security measures based upon the organization's risks. This not only includes the technical aspects of security, but also security policies and procedures.

You do not have to meet all of the requirements contained in the Security NPRM by the Privacy Rule's implementation date of April 14, 2003. But you should have performed a risk analysis and taken appropriate action to implement the "security" requirements in the Privacy Rule. Once the final Security Rule is published, organizations are expected to meet its specific requirements based on risks.

As a covered entity, you and your Business Associates should first consider what security measures are needed for your organization to implement the Privacy Rule. Armed with this information, focus your efforts on those processes, applications, and communications that store or transmit PHI. Look to update or develop protection mechanisms based on the requirements in the Security NPRM.

Consider the following example. Under the current draft of the Security NPRM, Information Access Control and Role-Based Access fall under Security Administration and Technical Security Services. Since the Privacy Rule requires Covered Entities to implement the Minimum Necessary rule, it is logical that security processes and systems will need to be updated to support this requirement. Specific actions to achieve compliance include defining who will approve new roles or job codes, how to implement access lists to certain applications and files, and creating unique user IDs for your workforce.

In summary, don't let your organization's focus on the Privacy Rule cloud your vision of the supporting security requirements. They complement each other -- and both are required.

Angie Atcher, Director
Phoenix Health Systems


No. 39 HIPAA Regs -- Developing Organizational Privacy Policies? Don't Forget Security! Part II

So, your privacy and security teams are getting ready to develop or update your organization's policies on the privacy rule for "minimum necessary"? You need to remember that protected access to health information REQUIRES security. Although your Information Systems staff will need to make the necessary changes to enforce minimum necessary through system access, they should not be the only ones involved in decisions about what needs to change.

Other areas, such as Human Resources, Patient Accounting, Medical Records and management, should be involved in these important decisions. Many departments may find they need to change job codes, alter roles and functions, and re-establish computer access needs. Once these roles and accesses have been decided, your IS department should determine if there will be any undesirable impacts on system functionality due to the altered plans for system access. Creating a situation where your users are no longer able to access the information they need to perform their jobs is certainly not what is intended by the "minimum necessary" rule!

You may also need to redesign how system access in your organization is requested, established and changed. Overall responsibility for ensuring the employee has the access necessary to perform their duties should be determined by a governing authority or management.

  • Will your departmental managers be given the authority to determine what access their staff receives?
  • Will you need to reassign certain tasks or create special job codes?

As you begin this enormous task, be sure to understand your operational processes, establish a multi-department task force to determine changes and consider how your system access modifications will affect all of the involved parties.

Angie Atcher, Director
Phoenix Health Systems


No. 40 HIPAA Detail -- Behind on Your HIPAA Compliance? Here's What to Do

So you missed the filing deadline to request an extension for compliance with the transactions regulations. And the privacy deadline is only six months away. Yet, you have not completed a gap analysis nor even begun planning your HIPAA strategy!

You're not alone --

According to the U.S. Healthcare Industry Quarterly HIPAA Survey Results (HIMSS and Phoenix Health Systems, Inc., Summer 2002), 80% of providers and 79% of payers have not completed their Transactions and Code Sets remediation AND Privacy remediation.

What do you do now? The first step should be to consult with your corporate legal staff about the matter. Then, you need to focus on HIPAA compliance.

At this point, the quickest and most effective way to achieve compliance may be through "negative" or non-compliance assumptions. Since there is not enough time to conduct a comprehensive gap analysis, you start from ground zero with your HIPAA strategic plan. Basically, you assume that you meet none of the regulatory standards and go from there. You move forward to implement HIPAA compliant processes throughout the organization, eliminating or altering any practices that are incongruent with your plan.

Whether you choose to engage third party assistance, or manage HIPAA implementation totally in-house, you still should immediately lay down the following groundwork:

  1. Designate a privacy official.
  2. Assign responsibility for physical security.
  3. Form a HIPAA Steering Committee.
  4. Form Privacy, Security, Education, Business Associates, Transactions and Operations Teams.
  5. Investigate how many entities will be included.
  6. Decide if you will develop and implement your HIPAA strategy as separate entities or as a formal healthcare organization.
  7. Make sure your HIPAA Steering Committee, and all others charged with managing the implementation process, have a solid understanding of all appropriate HIPAA regulations.

The last point is critical. You cannot afford to waste time planning organizational changes based on HIPAA mythology -- get the facts! The final rules for Privacy, Transactions, Code Sets, and some of the Unique Identifiers have now been published. Make sure you understand the actual regulations, obtain appropriate legal counsel, and base your HIPAA implementation on the established laws.

The above steps will help you expedite the planning and implementation process.

Angie Atcher, Director
Phoenix Health Systems


No. 41 HIPAA Terms -- HIPAA Security Need to Know vs. Privacy Minimum Necessary

Although we all await the final rule for security, many IS professionals are already making preparations to ensure the confidentiality and privacy of protected health information (PHI). Those of you who are responsible for making the system changes necessary to meet the privacy regulations do have an interesting challenge. How do you balance the minimum necessary requirements of privacy with the open access needed to use and support your various applications? After all, it is open access that allows application analysts and vendor support personnel to troubleshoot issues for a quick resolution.

One way to achieve compliance in this area, yet not create unnecessary barriers to information, is to develop role-based access profiles for each individual responsible for system support. These personal profiles would provide individuals access to only those applications and files essential to perform their assigned tasks.

An alternative strategy is to adopt an open access environment under the auspices of healthcare operations. This option relies heavily on establishment and enforcement of strict policies, procedures and training for all system analysts on their responsibilities for safeguarding the security and confidentiality of PHI.

Either one of these options may be appropriate for your organization, but it is vital that your chosen solution be supported by a monitoring process of regular background checks and auditing of system access logs and events.
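As an added illustration (not code from Phoenix Health Systems or from this newsletter), the following sketch shows the two ideas above in working form: a role-based access profile derived from a role's assigned tasks, so that it grants only the applications and files those tasks need, and a monitor that logs every access decision and flags accounts with repeated denials for human review. It also carries the check from Part II of the privacy policy notes: before a narrowed profile is rolled out, confirm it still covers every task the role must perform. All task, resource and user names are constructed for the example.

```python
"""Added example: minimum-necessary role profiles with access auditing.

Constructed illustration, not code from Phoenix Health Systems or the
newsletter. Task names, resource names and users below are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass

# Hypothetical map of job tasks to the applications/files each one needs.
TASK_RESOURCES = {
    "troubleshoot_lab_interface": {"lab_system", "interface_logs"},
    "post_patient_charges": {"patient_accounting", "charge_master"},
    "maintain_mpi": {"master_patient_index"},
    "support_pharmacy": {"pharmacy_system", "interface_logs"},
}


@dataclass(frozen=True)
class RoleProfile:
    name: str
    tasks: frozenset
    resources: frozenset


def build_profile(name, tasks):
    """Derive a role's resource set from its assigned tasks: the profile
    grants exactly what those tasks need and nothing more."""
    resources = set()
    for task in tasks:
        resources |= TASK_RESOURCES[task]
    return RoleProfile(name, frozenset(tasks), frozenset(resources))


def profile_gaps(profile, required_tasks):
    """Tasks the role must still perform that the proposed profile does not
    cover; a non-empty result means the change would lock users out."""
    return {t for t in required_tasks if not TASK_RESOURCES[t] <= profile.resources}


class AccessMonitor:
    """Enforces a profile and records every decision for later review."""

    def __init__(self):
        self.log = []

    def check_access(self, user, profile, resource, action="read"):
        allowed = resource in profile.resources
        self.log.append({
            "user": user, "role": profile.name, "resource": resource,
            "action": action, "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed

    def flag_repeated_denials(self, threshold=2):
        """Users whose denied attempts reach the threshold: either a profile
        that is too narrow for their real duties or an account reaching
        beyond its role. Both warrant a human look."""
        denials = Counter(e["user"] for e in self.log if e["decision"] == "DENY")
        return {u: n for u, n in denials.items() if n >= threshold}


def demo():
    interface_analyst = build_profile(
        "interface_analyst", {"troubleshoot_lab_interface", "support_pharmacy"})
    # A proposed narrower profile drops pharmacy support; the gap check catches it.
    narrowed = build_profile("interface_analyst_v2", {"troubleshoot_lab_interface"})
    gaps = profile_gaps(narrowed, interface_analyst.tasks)

    mon = AccessMonitor()
    mon.check_access("jdoe", interface_analyst, "lab_system")
    mon.check_access("jdoe", interface_analyst, "patient_accounting")
    mon.check_access("jdoe", interface_analyst, "charge_master")
    mon.check_access("asmith", interface_analyst, "interface_logs")
    return gaps, mon.flag_repeated_denials(), len(mon.log)


if __name__ == "__main__":
    print(demo())
```

The profile is computed from tasks rather than hand-edited per user, so a change in job duties changes the access set in one place, and the audit log is written on every decision, allowed or denied, which is what makes the later review meaningful.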

Remember that the ultimate goal in resolving "need to know" vs. "minimum necessary" is to ensure the privacy and security of protected health information without compromising the operations of the covered entity.

Angie Atcher, Director
Phoenix Health Systems

HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2006. All rights reserved.