It's April 2003, the month that those of us in the health care industry — some of us, anyway — have been counting down to for more two years. The definitive April 14, 2003, deadline has arrived for home care providers, insurance companies and other health care providers to be in compliance with the new federal Health Insurance Portability and Accountability Act privacy rules.
By now your organization should have developed and implemented HIPAA privacy-specific policies and procedures that describe how you maintain the confidentiality of protected health information, or PHI. Additionally, you should have trained your employees on those policies and procedures. Finally, you should have begun providing your organization's Notice of Privacy Practices to new patients. For those of you who have completed these tasks: Congratulations!
For good measure, here are some final tips to assist you in continuing your compliance efforts as they relate to the HIPAA Privacy Rule:
Keep track of changes to state laws and regulations that impact PHI and how providers handle and maintain the confidentiality of PHI. Many states are changing their requirements in light of the federal Privacy Rule. Remember: HIPAA requires that you comply with both state and federal privacy laws.
Conduct a Privacy Rule effectiveness review to ensure that your organization has taken all necessary and appropriate steps to be in compliance with the federal HIPAA privacy regulations. Perform effectiveness reviews and audits on a regular basis — annually, at a minimum. This process will help you understand how well your employees comply with the new privacy regulations and point out areas that may require additional training.
Re-train all employees on your privacy policies annually. Train new employees shortly after they are hired. Finally, make employee compliance with privacy polices and procedures part of every employee's evaluation process.
Next Stop: Security
But, your work is not complete. Home care providers have a second set of federal HIPAA regulations to look forward to and comply with — the new Security Rules. The U.S. Department of Health and Human Services published the final HIPAA Security Rule on Feb. 20, with a compliance deadline of April 21, 2005. This means you have two years to incorporate into your privacy policies and procedures, and other privacy-related compliance activities, measures to comply with security regulations. Security compliance activities are inextricably linked with privacy compliance activities.
While the Privacy Rule sets standards for how protected health information may be used and disclosed, the Security Rule sets standards for how to protect electronic PHI from unauthorized access, alteration, deletion and transmission. The Security Rule requires covered entities to assess their security needs and risks in order to devise, implement and maintain appropriate security for PHI.
The Security Rule matches the scope of the Privacy Rule in one respect: both apply only to individually identifiable health information. Therefore, they do not apply to health information that is de-identified, or not identifiable to a particular individual.
Security Rule Specifics
The final security regulations establish a minimum standard for the security of electronic PHI that is identifiable to an individual. The final Rule applies to electronic PHI at rest — that is, in storage — as well as during transmission. In addition, the security standards are designed to be applied to both internal and external activities. Therefore, the regulations apply to PHI in the custody of entities subject to HIPAA, known as covered entities, as well as to PHI that is in transit between covered entities and from covered entities to third parties, known as “business associates.”
The Security Rule sets forth 18 security standards that must be implemented through 13 “required” implementation specifications or 22 “addressable” implementation specifications.
The security safeguards are divided between administrative safeguards, physical safeguards and technical safeguards. You must document your compliance with the Security Rule.
Additionally, you must conduct your own evaluation of your compliance or hire a third-party to evaluate your compliance.
You also must enter into contractual agreements with your business associates to ensure that your business associates also will maintain electronic PHI received from the covered entities in accordance with the Rule.
The final Security Rule sets security standards that define administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of only electronic PHI. As you may recall, the proposed Security Rule applied to all health information. In contrast, the Privacy Rule applies to health information in any format, including paper, electronic or verbal.
Still, HHS reserves the right to propose standards for the security of PHI in non-electronic form in the future. Additionally, HHS will publish a final rule for electronic signatures, also at a future date.
The Rule is designed to be technology-neutral and therefore does not mandate specific technology solutions. Further, the security standards do not reflect “best practices” in information technology security, but instead represent a mandated “floor of protection” for electronic PHI. However, as a covered entity, you can implement security measures that exceed the mandated floor.
For more information about the final Security Rule, or to get updated information about other HIPAA requirements, go to www.hipaa.org.
A specialist in health care legislation, regulations and government relations, Cara C. Bachenheimer is an attorney with the law firm of Epstein, Becker & Green in Washing-ton. Bachenheimer previously worked at the American Association for Homecare and the Health Industry Distributors Association. You can reach her by phone at 202/861-1825 or e-mail at cbachenheimer@ebglaw.com.
