Introduction
April is not only tax time—for those social workers who
must comply with HIPAA, it is also compliance time for the new
HIPAA Security Standards. April 21, 2005 is the compliance
deadline for this new set of Health Insurance Portability and
Accountability Act (HIPAA) obligations. This Legal Issue of
the Month article presents an overview of the security
requirements for HIPAA covered entities.
Overview
In contrast to the Privacy Rule, the Security Standards
apply only to information in electronic form. This
information, known as electronic protected health information
(ePHI), is comprised of individually identifiable health
information that is electronically received, created, stored,
or transmitted by a HIPAA covered entity. Like the privacy
requirement, implementation and compliance for the Security
Standards must be documented with written policies and
procedures, and employee training is required for all staff.
Review of Security Standards
The Security Standards are divided into three categories:
administrative, physical, and technical, although in some
instances, specific requirements are mentioned in more than
one category.
Security Officer
Like the privacy regulations, the Security Standards
require the appointment of an individual in the practice
setting to take primary responsibility for compliance: the
Security Officer. Solo practitioners will find that they have
many HIPAA hats to wear. Once this essential responsibility is
delegated, the first step is to conduct a risk analysis. This
involves a thorough review of all the locations in a social
worker's practice setting where ePHI may exist and an
assessment of the risks of improper disclosure due to system
vulnerabilities. Upon completion of the risk analysis, the
next step is to develop a written Risk Management Plan that
details how the agency or office will address electronic
system vulnerabilities.
Employees and ePHI
A number of personnel policies are required. Like the
privacy regulations, the Security Standards mandate a sanction
policy for employees who violate the new standards. This can
simply be incorporated into the existing employee disciplinary
process. A process for authorizing appropriate employees to
gain access to ePHI must be detailed in writing, and protocols
should be developed for the close supervision of employees who
do not require access to ePHI, but who nonetheless require
access to work areas where ePHI is present. The hiring process
must include workforce clearance procedures to ensure that
applicants are appropriately screened for security risks.
Likewise, when an employee ends employment, termination
procedures must be detailed in writing and implemented to
ensure that access to ePHI is not continued. For example,
computer passwords should be terminated immediately and
portable electronic devices containing ePHI must be accounted
for and returned to the office.
Procedures and Protocols
Computer systems should be equipped with log-in monitoring
so that individual access to electronic systems and databases
can be reviewed. Protocols should be developed for management
of computer passwords, for example, to prohibit employees from
sharing passwords, training them on how to develop strong
passwords, and requiring that they change passwords
periodically. Staff members also require training as to what
constitutes a security incident and to inform them of the
procedures for reporting security incidents. Of course, the
agency or practice will also need to develop written
procedures for responding to security incidents to mitigate
any harm and prevent future occurrences.
Computer Audits/Protective Software
Periodic computer audits must be conducted to review
electronic system activity. These features are available on
some commonly used operating systems, but additional training
as to these advanced features of the system may be needed if
the agency or practice does not have specialized information
technology staff available. Security reminders should be
provided for employees on a regular basis, but the means for
doing this can be tailored to the work setting. The options
range from security briefings in staff meetings to built-in
computer system reminders. The need for encryption software
must also be addressed. Encryption programs are a low-cost,
readily available, and highly effective means for protecting
ePHI during transmission of data and can be purchased online
from computer specialists, or from a variety of retail
locations. 128-bit Secure Sockets Layer (SSL) is the current
industry standard for encryption. Decryption will also be
needed if encrypted data are received. Installation of virus
protection software is standard operating procedure for all
computer systems that connect with others via e-mail or the
Internet, and is also a requirement of the Security Standards.
Business Associates
Covered entities will need to revise business associate
contracts to include provisions for compliance with the
Security Standards. Business associates are required to assure
the confidentiality, availability, and integrity of ePHI that
is created, maintained, received, or transmitted by the
business associate on behalf of the covered entity.
Securing Equipment/Work Stations
Covered entities are required to inventory all electronic
devices and electronic media that contain ePHI (e.g. laptops,
handheld computers, disks), and to create policies for how
these devices will be disposed of, re-used (if at all),
accounted for (log-out procedure), and how data will be backed
up and stored. Covered entities must evaluate how individual
workstation use will be authorized and secured. For instance,
in a hospital setting, how will the organization ensure that
only authorized personnel can access a workstation located in
a busy area frequented by employees, patients, and visitors?
The feasibility and need for automatic logoff mechanisms
should be addressed by every covered entity. This feature is
available on recent versions of commonly used operating
systems.
Disaster Plans
The Security Standards require advance planning for the
possibility of an emergency or disaster. Three related and
overlapping plans are required. A Data Backup Plan is required
so that crucial information can be accessed if the computer
system crashes, or data is lost or destroyed. This requires
regular duplication of client files that should be stored in a
secure location, preferably away from regular electronic
systems. This can be accomplished in a variety of ways,
including manually storing backup disks in a secure location
or transmitting data electronically to a secure, remote
server. An Emergency Mode Operation Plan addresses how the
organization will operate during an emergency until normal
operations can resume. Each covered entity must consider and
document such issues as where to operate during an emergency
and how ePHI will be secured. The third advance plan required
is the Disaster Recovery Plan. This is required to plan how
the agency or practice will regain access to needed data and
computer systems in the event of a disaster such as a flood,
fire, or tornado. The plan will focus on what steps to take on
the path to regaining normal system usage. Finally, covered
entities must test and revise their contingency plans, and
take steps to address any weaknesses.
In order to plan for emergencies, covered entities are
required to inventory, or list, computer programs and hardware
and prioritize each for emergency use. This will assure that
key systems can be restored on a priority basis. Covered
entities must also address how to control access to the
premises and validate employee identity during normal
operations and emergency mode. Maintenance records must also
be retained. This provides information about who has had
access to systems and may assist in determining the chain of
events leading to a security incident or system failure, or
will provide key information for use in restoring systems.
The HIPAA Security Plan, including policies, procedures,
incidents reported, contingencies, and technical solutions,
must be reviewed periodically. This review should be put into
writing and conducted, at a minimum, on an annual basis,
although the regulations do not specify the frequency.
Conclusions
The HIPAA Security Standards set out requirements for
electronic health record security that are in accord with
accepted information technology industry standards. Although
these requirements may present new information for social
workers who are unaccustomed to computer system technology,
the regulations primarily standardize what is already standard
operating procedure in many information-intensive businesses,
and assure that covered entities take all reasonable measures
to protect client data. It is appropriate for social workers
to keep pace with the security needs presented by any new
technology used to maintain client records. Compliance with
the HIPAA Security Standards will ensure that this occurs.
Resources
- National Association of Social Workers. (2005). HIPAA
security standards [Online]. Available at: http://www.socialworkers.org/hipaa/security.asp
- National Association of Social Workers. (2004). HIPAA
awareness and compliance training [Online]. Available
at: http://www.hipaaprof.com/nasw
- National Association of Social Workers. (2003). NASW
HIPAA desk reference available for members. Available
at: http://www.socialworkers.org/hipaa/deskForm.asp