Data guard: The next HIPAA mandate

By this time next year, you will be required to guarantee the security of everything on your computer, from patient files to e-mail. Experts offer tips on getting started.

By Tyler Chin — Posted May 10, 2004

Thought you were finished with HIPAA? You wish. The federal law that required you to use standardized formats when conducting certain health care transactions electronically and implement measures to protect patient privacy has an upcoming security mandate that will become effective April 21, 2005.

Under that rule, doctors and other covered entities must take steps to safeguard the confidentiality, integrity and availability of electronic health data in their offices.

To avoid the aggravation, hassles and stress many physicians went through last year when they waited until the last minute to comply with the HIPAA transactions and privacy rules, physicians should start their security compliance effort now, said David Kibbe, MD, director of the Center for Health Information Technology at the American Academy of Family Physicians.

"There's a bit of work here that needs to be done for the practice to get up to speed," Dr. Kibbe said. "I'd encourage people to start early, take a chunk at a time and chip away at it rather than do it at the last minute."

Here are answers to some key questions to help you get started:

My office is paper-based. Do I have to comply with the security rule?

Not if your practice is completely paper-based, meaning that you don't have any information systems, databases or computers in your office. However, even if you have no computers but outsource billing to a vendor that electronically transmits any HIPAA standard transactions to payers on your behalf, then you're covered by the security rule, said Steve Lazarus, PhD, president of Boundary Information Group, a Denver-based consortium of health care technology consultants.

"HIPAA only applies to [physicians and others] who transmit one or more of the standard transactions electronically," said Dr. Lazarus, a co-author of the AMA's Handbook for HIPAA Security Implementation. "So if you use a billing service to do your billing electronically, then you're not out of HIPAA. The security rule applies to you and all your electronic protected health information, even if the only electronic protected health information you have is in your billing system, and the only time you use it is to transmit claims to Medicare."

What does HIPAA require?

You must implement safeguards to protect the confidentiality, integrity and availability of any patient data that is either stored in an information system or transmitted electronically.

The first step toward reaching that goal is to conduct a risk analysis, which is a requirement of the security rule itself. The risk analysis requires doctors to look at their information systems to assess and identify the security risks to them, said Dr. Kibbe, who co-wrote the AMA's Field Guide to HIPAA Implementation. "It compares where you are now with where you have to be in terms of the rule."

The objective is "to figure out what areas have the highest risk and to come up with a plan to fix those," said Tom Walsh, president of Tom Walsh Consulting LLC, Overland Park, Kan., and a co-author of the Handbook for HIPAA Security Implementation. "The risk analysis gives you a prioritization of what tasks you want to address in which order so that ... you take care of the ones that carry the greatest risk first."

Miriam Paramore, president of Paramore Consulting Inc. of Louisville, Ky., suggests that physicians first examine the risk analysis and plan they had to prepare to comply with the earlier privacy rule.

"The [security] processes that would protect electronic protected health information are kind of tightly associated to the [privacy] processes used to protect written communication, and you can look at it as very similar to the privacy rule," Paramore said. "Then take a look at your risks as they are laid out in the security rule. It does a pretty decent job of telling you what it wants you to look at."

The security rule also requires that you appoint a chief security officer for the office. That person could be you, an employee or someone outside the office whom you hire on a retainer and call on whenever you have a problem, experts say. The rule also requires that you periodically train staff on security policies and procedures. It also requires that you develop a contingency plan in case an earthquake, fire or other event knocks out or destroys your information systems.

The entire rule -- which experts estimate involves about 70% to 80% administrative policies and procedures and 20% to 30% technology -- lays out "implementation specifications" and offers approaches that you can take to meet them. Some of those approaches are required, while others are "addressable."

What does addressable mean?

"Because an implementation specification is addressable doesn't mean you can ignore it," Dr. Lazarus said. "Addressable means that if you don't follow the recommendation in the regulation, you must do something that is equivalent to it."

What makes sense for a solo practice won't make sense for a 200-physician group or 100-bed hospital, Walsh said.

"For the majority of people, if you can't do exactly what it says in the rule, as long as you can come up with something that closely meets the intent, you will be in fine shape," he said. Whatever you decide to do must be carefully documented, he added.

Do I have to buy technology?

That will depend on the information systems you have and their features, Walsh said. Basically, information systems must have five types of technical controls and "most vendors or systems will have those capabilities embedded in their system," he said.

The required technical safeguards are:

  • Controls that allow you to grant access and identify and track authorized users. The rule, for example, requires that one of those controls must be a unique user ID while another -- automatic logoff -- is addressable.
  • Audit controls that record and examine activity within a system.
  • Integrity controls to protect data from intentional or unintentional alteration.
  • Authentication controls to ensure that those accessing the system are who they say they are. These can be passwords, PINs, tokens, biometric technology or digital certificates.
  • Transmission security controls to protect data transmitted over an electronic network.

Do I have to encrypt e-mails to patients?

Encryption is an addressable implementation specification under the rule. "You're not required to do encryption under the security rule but you're required to address the issue of whether or not you should," Dr. Kibbe said. "If a small [practice] doesn't put any identifiable or sensitive patient information in the e-mail, [it] may decide not to use encryption. But let's say a 16-doctor practice does that. In that case, I'd suggest that a prudent way of addressing that aspect of the security standard would be for them to do that communication through a secure server, and that their messaging should be encrypted."

But one problem with using encryption is that patients must have the same software you use to decrypt messages, experts say. However, doctors can use secure Web portals, secure messaging networks or virtual private networks to overcome that problem.

Physicians, for example, can use the secure messaging network of Medem Inc., which is partly owned by the AMA.

Do I have to use anti-virus software?

No, but you may want to think twice before deciding not to. "There's no rule that says you must buy virus protection software," Paramore said. "Now, any reasonable person would look at a computer system and say, 'I should have virus protection just in general as a good business practice to keep my computers running.'"

How much will compliance cost?

Nobody knows. The cost will vary from doctor to doctor and depend on what each needs to do to meet the security requirements.

How long will it take me to become compliant?

It won't happen overnight, which is why it's important to get an early start.

"The risk analysis [alone] can take some time to do because you can't really do much else until that is done in terms of understanding where to best spend your money and effort to change things to mitigate security risks," Dr. Lazarus said. "[The risk analysis] is something that will probably take half a day to several weeks, depending on how complex the organization is."

ADDITIONAL INFORMATION

Bug control

Computer Economics Inc., a Carlsbad, Calif.-based consulting firm, estimates that cleanup, lost revenue, labor, hardware and software costs for the most damaging virus attacks of the past six years were:

Year  Virus     United States   Worldwide
1999  Melissa   $570 million    $1.5 billion
2000  Love Bug  $3.33 billion   $8.75 billion
2001  Code Red  $1.05 billion   $2.75 billion
2002  Klez      $285 million    $750 million
2003  SoBig.F   $950 million    $2.5 billion
2004  MyDoom    $1.52 billion   $4 billion

Note: 2004 costs are projected

External links

HIPAA security rule, Federal Register, Feb. 20, 2003 (PDF)

AMA's HIPAA security resource pages

AMA Press online catalog for HIPAA products
