HIPAA Security for the Business World Outside of Healthcare
The HIPAA Security Rule (a further provision of the Health Insurance Portability and Accountability Act (HIPAA))– titled “Security Standards for the Protection of Electronic Protected Health Information” was introduced in 2003. The Rule applies to electronic protected health information (EPHI), which is individually identifiable health information (IIHI) in electronic form. The Security Regulation requires that protections be in place for electronic health information that is in transmission or at rest. Information is “at rest” when it is stored in electronic storage – such as a disk, hard drive, server, PC, or database.
The Security Rule includes EPHI that is created, received, maintained, or transmitted in electronic form. For example, EPHI may be transmitted via the Internet, stored on a computer, a CD, a disk, magnetic tape, etc. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.
As one would expect, this new Security Rule is most applicable to healthcare practices that revolve around patient contact relationships where protected health information is used on a daily basis. However, what many other businesses do not realize, is that these same security provisions are just as pertinent to those companies that are not healthcare focused. Though a company may not have an elaborate database full of patient health information, most still have documents that contain some of their employees’ protected health information. Most commonly located within the Human Resources sector of a business, these documents include anything with employee health information. For example, if your entity provides a health plan to its employees, then the organization is lawfully required to be in compliance with the Security Rule. Company insurance plans are another example of a component requiring security compliance. Both of these employee plans request and contain medical information that is mandated to be kept confidential and protected under the Security Rule.
In addition to the following specifications for electronic protected health information, such security measures can be applied to all important documents and records within an entity-regardless of whether they contain medical information. One provision of the HIPAA Security Rule is designed to enforce documented policies and procedures for recovering valuable health information in the event of a technological emergency or disaster. These same policies and procedures can, however, be translated and modified to other electronic information that is crucial to the operation of any entity. Additionally, by enforcing similar standards as prescribed by the HIPAA Security Rule, an organization can restrict access to certain unauthorized documents within the network to help make the business more secure.
Three Security Rule Standards
The specific listings for each safeguard are either Required by the Security Rule, meaning that they are mandatory in your business, or they are considered Addressable, signifying that your company has the option of choosing not to implement the standard, and as such, the Rule requires a documented explanation as to why the organization chose not to implement the criterion.
Administrative Safeguards – The Administrative Safeguards requires documented policies and procedures for managing day-to-day operations, the conduct and access of workforce members to EPHI, and the selection, development, and use of security controls. Overall, businesses are required to implement policies and procedures to prevent, detect, contain, and correct security violations. In addition, a single individual must be designated as having overall responsibility for the security of an entity’s EPHI, including ongoing evaluation. Policies, procedures, and processes must be developed and implemented to ensure only properly-authorized workforce members have access to EPHI. Staff need to be trained in the security process, know what to do if a breach of security occurs, and a Contingency Plan must be in place in case a disaster or emergency damages the entities’ information systems that contain EPHI. Business associates that handle EPHI on behalf of the provider must be covered by a contract, to ensure that they will also appropriately safeguard the information.
Physical Safeguards – The Physical Safeguards are a series of requirements meant to protect an entity’s electronic information systems and EPHI from unauthorized physical access. In order to limit access to only authorized users, covered entities must regulate casual physical access through implementation of physical safeguards and policies that specify what is considered appropriate use for all workstations (computers) that can access EPHI. Additionally, to ensure surrounding security, policies must be installed in regards to the characteristics of the physical environment of workstations that have access to EPHI. Physical Safeguards also mandate the development and implementation of policies and procedures for the receipt and removal of hardware and electronic media that contain EPHI as the equipment travels within and outside of an entity. Furthermore, the disposal and re-use of media also require detailed documentation of events.
Technical Safeguards – The Technical Safeguards are several requirements for using technology to protect EPHI, particularly controlling access to it. All electronic information systems that contain PHI should only allow access to persons or software programs that have appropriate access rights. The Security Rule requires unique User Identification and an Emergency Access Procedure, as well as the implementation of mechanisms to record and examine activity in information systems that contain or use EPHI. To eliminate computer access by fraudulent inquirers, policies must be developed to ensure that those seeking access to EPHI are who or what they claim to be. As many entities transmit EPHI over electronic communication networks (e.g., the Internet), the prevention of unauthorized access is required and such procedures must be documented. This detail includes all computers on the entire network; every workstation/computer that has access to the same network which contains your EPHI, then the entire network is required to have backup procedures and restrictive access.
Things to Consider…
- Does your HR department have unattended printers in your office halls?
- Does every employee have a password to access your computers? Is there a separate password to access documents that contain employee medical information?
- If there are only a few selected computers that contain such EPHI, then how quickly do the screen savers appear when those computers are left unattended? And once that screensaver appears, is the staff member required to log back into the computer?
- If you were to lose power, how many days could your entity operate before suffering financial loss?
- Do your employees use Instant Messenger to quickly transmit information?
Article written by: Karen McKeithen Schaede and Lindsay V. Spears