NAPLES, FL - Once again, the U.S. government has put the cart before the horse. The Centers for Medicare and Medicaid Services (CMS) issued the final privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) before it released the final rule on security. Unfortunately for radiology administrators, privacy cannot be assured without security, and the final security rule isn’t expected until sometime later this summer.
"Privacy defines who is authorized to access information, which is the right of individuals to keep information about them from being disclosed," said Cynthia Smith, senior manager of HIPAA security services for PricewaterhouseCoopers in Pittsburgh.
"In essence, it is about the individual’s right to exercise control over their health information," she said. "Security is the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss."
Smith offered her views on the impact of the final privacy rule on security implementation at the 2002 Radiology Business Management Association summit this week.
With the April 2003 implementation deadline less than 10 months away, administrators and their facilities are running out of time to prepare for what amounts to a sea change in business practices. If an imaging center waits until the final security rule is published in August to start implementing its security plan, it will probably have waited too long to meet the April 2003 deadline, Smith said.
Close enough to final
While the security rule isn’t final, there is enough substance in the proposed rule to build a HIPAA security backbone, according to Smith. The rest of the body of security can be derived by looking at what assets the final privacy rule sets out to protect.
"The commonalities of the privacy and security rules are what an administrator should look at to define their implementation policy. For example, security boundaries are established by who and what is covered in the privacy rule," she said.
Safeguarding protected health information is another issue common to both privacy and security rules. Both rules also share the administrative responsibilities of documentation via procedures and policies, training requirements for staff and management, and the responsibilities of trading partners and business associates.
"For example, a business associate contract must be in place for any contractors who receive or can access protected health information from a covered entity in order to perform a function for or on behalf of the covered entity," Smith said. "This means an imaging center will need to have contracts in place for its designated providers, brokers, IT vendors, external review services, translation services, document-management vendors, and PACS and RIS vendors."
Synergy and symbiosis
The final security rule will be in harmony with the final privacy rule. As administrators hammer out the appropriate administrative, technical, and physical protections to safeguard protected health information for privacy, they can use much of this work to draft security policies and procedures.
The proposed security rule is technologically neutral in that each organization gets to determine the technology to achieve the outcome. However, the requirements are comprehensive, not piecemeal, so a facility will need to think of its security in both a systemic- and role-based model, according to Smith.
Because the rule does not prescribe security implementation, each center has latitude in making its implementation decisions. The proposed rule does call for a covered entity to enact measures reasonably required to protect health information from intentional or unintentional violations.
"No matter what decisions your facility comes up with in regards to privacy and security, be sure to thoroughly justify and document each and every decision," Smith said.
One of the first crossover areas from the privacy rule to the security rule that Smith suggested tackling is to match minimum access with each job description. By defining role-based access levels for privacy, a facility can then implement the security necessary to ensure access for those roles only at their assigned level.
Tracking, trailing, and training
The privacy rule requires accounting of each disclosure of protected health information. Likewise, the proposed security rule requires audit trails for access of this information, with no implementation provision.
"File access, log-on, log-off, and security instances are provided as examples of auditable events in the proposed regulation. A good rule of thumb is that if the regulation suggests something, you should probably do it," said Smith.
Privacy policies should be in writing, and designed to facilitate compliance with the rule. It’s reasonable to assume that general security policies addressing personal, physical, and technical safeguards will also need to be documented. And both sets of policies will need a formal mechanism in place to reflect revisions and changes to the organization and its workflow.
"Whereas the privacy rule will probably require individual policies in place for each job title within your organization, you can probably have one security policy in place for your end users. A separate set of policies will, however, be required for your information systems (IS) department," Smith said.
Smith recommended taking the following items into consideration in devising security policy and procedure:
- Contingency planning and disaster recovery
- Security incident handling
- Formal record processing
- Risk analysis and management
- Audit trails and monitoring
- Media controls
- Personnel security and termination
- Configuration and change management
- System and physical access controls
- Workstation location and use
- Awareness training
The privacy rule requires training for employees, agents, and contractors of an organization on the policies and procedures used to safeguard protected health information. Security awareness training will also need to be conducted for these individuals and representatives.
"Your group will need to determine and document what precisely is a security incident, such as sharing a password with another employee, and where, when, and in what format it must be reported. You’ll then need to train your users in what is expected from them, and you’ll need to create a mechanism for ongoing reminders," said Smith.
Smith recommended customizing the security training for job responsibilities in the facility. The broad focus of the training should be on the issues of use, confidentiality, and security. The specifics should be about password management, virus control, and incident reporting.
"For the purposes of radiology business managers and administrators in HIPAA compliance and implementation, both the privacy and security rules address the processes for safeguarding health information. The bottom line is that privacy is the rule and security supports the rule," said Smith.
By Jonathan S. Batchelor
AuntMinnie.com staff writer
June 7, 2002
Related Reading
Security planning can prevent PACS attacks, May 3, 2002
CMS issues model for extending transaction code compliance, April 1, 2002
HIPAA to make challenging, costly demands on radiology, March 18, 2002
HIPAA, compliance programs fit like gloves, February 1, 2002
A roadmap for implementing HIPAA in radiology, July 26, 2001
Copyright © 2002 AuntMinnie.com