It's April 2003, the month that those of us in the health care industry some of us, anyway have been counting down to for more two years. The definitive
by Cara C. Bachenheimer, Esq.
April 1, 2003

It's April 2003, the month that those of us in the health care
industry — some of us, anyway — have been counting down
to for more two years. The definitive April 14, 2003, deadline has
arrived for home care providers, insurance companies and other
health care providers to be in compliance with the new federal
Health Insurance Portability and Accountability Act privacy
rules.

By now your organization should have developed and implemented
HIPAA privacy-specific policies and procedures that describe how
you maintain the confidentiality of protected health information,
or PHI. Additionally, you should have trained your employees on
those policies and procedures. Finally, you should have begun
providing your organization's Notice of Privacy Practices to new
patients. For those of you who have completed these tasks:
Congratulations!

For good measure, here are some final tips to assist you in
continuing your compliance efforts as they relate to the HIPAA
Privacy Rule:

  • Keep track of changes to state laws and regulations that impact
    PHI and how providers handle and maintain the confidentiality of
    PHI. Many states are changing their requirements in light of the
    federal Privacy Rule. Remember: HIPAA requires that you comply with
    both state and federal privacy laws.

  • Conduct a Privacy Rule effectiveness review to ensure that your
    organization has taken all necessary and appropriate steps to be in
    compliance with the federal HIPAA privacy regulations. Perform
    effectiveness reviews and audits on a regular basis —
    annually, at a minimum. This process will help you understand how
    well your employees comply with the new privacy regulations and
    point out areas that may require additional training.

  • Re-train all employees on your privacy policies annually. Train
    new employees shortly after they are hired. Finally, make employee
    compliance with privacy polices and procedures part of every
    employee's evaluation process.

Next Stop: Security

But, your work is not complete. Home care providers have a
second set of federal HIPAA regulations to look forward to and
comply with — the new Security Rules. The U.S. Department of
Health and Human Services published the final HIPAA Security Rule
on Feb. 20, with a compliance deadline of April 21, 2005. This
means you have two years to incorporate into your privacy policies
and procedures, and other privacy-related compliance activities,
measures to comply with security regulations. Security compliance
activities are inextricably linked with privacy compliance
activities.

While the Privacy Rule sets standards for how protected health
information may be used and disclosed, the Security Rule sets
standards for how to protect electronic PHI from unauthorized
access, alteration, deletion and transmission. The Security Rule
requires covered entities to assess their security needs and risks
in order to devise, implement and maintain appropriate security for
PHI.

The Security Rule matches the scope of the Privacy Rule in one
respect: both apply only to individually identifiable health
information. Therefore, they do not apply to health information
that is de-identified, or not identifiable to a particular
individual.

Security Rule Specifics

The final security regulations establish a minimum standard for
the security of electronic PHI that is identifiable to an
individual. The final Rule applies to electronic PHI at rest
— that is, in storage — as well as during transmission.
In addition, the security standards are designed to be applied to
both internal and external activities. Therefore, the regulations
apply to PHI in the custody of entities subject to HIPAA, known as
covered entities, as well as to PHI that is in transit between
covered entities and from covered entities to third parties, known
as “business associates.”

The Security Rule sets forth 18 security standards that must be
implemented through 13 “required” implementation
specifications or 22 “addressable” implementation
specifications.

The security safeguards are divided between administrative
safeguards, physical safeguards and technical safeguards. You must
document your compliance with the Security Rule.

Additionally, you must conduct your own evaluation of your
compliance or hire a third-party to evaluate your compliance.

You also must enter into contractual agreements with your
business associates to ensure that your business associates also
will maintain electronic PHI received from the covered entities in
accordance with the Rule.

The final Security Rule sets security standards that define
administrative, physical and technical safeguards to protect the
confidentiality, integrity and availability of only
electronic PHI. As you may recall, the proposed Security
Rule applied to all health information. In contrast, the
Privacy Rule applies to health information in any format, including
paper, electronic or verbal.

Still, HHS reserves the right to propose standards for the
security of PHI in non-electronic form in the future. Additionally,
HHS will publish a final rule for electronic signatures, also at a
future date.

The Rule is designed to be technology-neutral and therefore does
not mandate specific technology solutions. Further, the security
standards do not reflect “best practices” in
information technology security, but instead represent a mandated
“floor of protection” for electronic PHI. However, as a
covered entity, you can implement security measures that exceed the
mandated floor.

For more information about the final Security Rule, or to get
updated information about other HIPAA requirements, go to www.hipaa.org.

A specialist in health care legislation, regulations and
government relations, Cara C. Bachenheimer is an attorney with the
law firm of Epstein, Becker & Green in Washing-ton.
Bachenheimer previously worked at the American Association for
Homecare and the Health Industry Distributors Association. You can
reach her by phone at 202/861-1825 or e-mail at cbachenheimer@ebglaw.com.