The HIPAA Security Regulation: The Journey to Compliance
03 Mar
For health care providers, health plans and health care clearinghouses, April 20, 2005 is too close. That is the compliance date for the HIPAA (Health Insurance Portability and Accountability Act) security regulation, and these organizations have to be ready for it. The organizations that must comply with HIPAA are called covered entities. HIPAA itself is a federal statute; the regulations that implement it were issued by the Department of Health and Human Services (HHS), and the Centers for Medicare & Medicaid Services (CMS) is responsible for enforcing several of its provisions, including the security standards.
The regulations began as a way to standardize how covered entities submit claims and receive payments electronically, and then expanded into protecting the privacy and security of people's health care information. The HIPAA regulation can reach organizations that do not think of themselves as covered entities. For example, an employer that sponsors a self-insured group health plan is operating a health plan, and a health plan is a covered entity. The best way to determine whether your company is a covered entity is to use the covered entity guidance on the CMS Web site.
There is good news and bad news for covered entities. The bad news is that these organizations are going to spend a great deal of resources to become HIPAA compliant. The good news is that if a process is followed, then the journey can be accomplished comfortably, efficiently and without investing too much on the implementation and maintenance of compliance procedures and mechanisms.
The first place to start your compliance effort is with policies and standards that fit your business model. Once your policies and standards are established, the procedures and technology mechanisms can be implemented to support them; doing it in the other order produces controls with nothing to justify or measure them against.
The HIPAA regulations have many parts. For most covered entities the privacy rule took effect April 14, 2003 and the transactions and code sets rule took effect Oct. 16, 2003. The security rule, with its April 20, 2005 compliance date, is organized into administrative, physical and technical safeguards, and covering its standards and implementation specifications takes well over 45 policies.
It is not only important to have the policies, it is also critical to have them properly structured. A properly written policy:
· Has a purpose, a scope and a sanction statement
· Identifies the HIPAA standard or implementation specification it is meant to satisfy
· Requires change-control authorization before any change is implemented
· Provides guidance on how to implement it securely
· Includes best-practice statements
· Carries a revision history
· States that it will be revised as the business and its technology evolve
Once policies are in place, technology mechanisms and procedure documentation can be implemented to support them. Expect technology implementations and configuration changes to follow directly from the HIPAA-required policies. Keep in mind that several of the items below, such as automatic log-off and encryption, are "addressable" implementation specifications in the security rule. Addressable does not mean optional: the covered entity must implement the specification if it is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure. Some areas where information technology resources will be required are:
· Disaster recovery and business continuity implementation
· Redundant infrastructure
· Secure infrastructure design
· Access and authorization mechanisms
· Simplified authentication mechanisms
· Security incident mechanisms
· Physical safeguard mechanisms
· Automatic log-off mechanisms
· Encryption and decryption mechanisms
· System and data logging, monitoring and auditing
· Secure system mechanisms (anti-virus, intrusion detection and prevention, patch management, etc.)
The National Institute of Standards and Technology (NIST) Web site provides checklists and resource guides for implementing the above securely. The site has information on securely implementing and administering wireless technologies, operating systems, infrastructure systems and many other security-related solutions. The site is located at:
NIST also has a Web site devoted to its special publications, which provide detailed guidance on self-assessments, contingency planning, risk management and many other information security topics.
For additional assistance with compliance there is also an exceptional organization in Wisconsin: the HIPAA Collaborative of Wisconsin (HIPAA-COW). HIPAA-COW is a non-profit organization open to covered entities, business associates and trading partners under HIPAA, as well as any other organization affected by the HIPAA regulation. Its Web site holds a great deal of material to assist organizations.
My recommendation is that covered entities work closely with their IT solutions provider. Most IT consulting organizations have engineers and consultants who specialize in implementing and maintaining systems, but make sure the people you engage are familiar with HIPAA policies and procedures and have information security training.
2004 is going to be a busy year for covered entities and their partners. If a well-defined process is in place, complying with the HIPAA security regulation can be achieved without a great deal of discomfort for these organizations.
Larry Boettger is a data security and business technology specialist for Inacom Information Systems.
The opinions expressed herein or statements made in the above column are solely those of the author, & do not necessarily reflect the views of Wisconsin Technology Network, LLC. (WTN). WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.