HIPAA Security and the Organizational Safeguards
April 2004 Issue
In the last article, we covered the Security Rule standards categories of administrative safeguards, physical safeguards, and technical safeguards. These categories are included in Security Rule final rules and regulations, Appendix A, Security Standards Matrix. There are, however, some additional standards that are not included in the Security Standards Matrix. Whether this was an oversight by the US Department of Health & Human Services (DHHS) or intentional, we may never know. Regardless, they are standards that are required to be implemented.
So we will cover the "secret" standards that I have categorized as the "organizational safeguard" standards, and as always, we will go over each standard in detail and how it is going to affect your O&P organization. So let's get started!
1. Organizational Requirements Standard
Business Associate Contracts or Other Arrangements (Required)
Implementation specification: The contract between a covered entity and a business associate must provide that the business associate will: (A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information (PHI) that it creates, receives, maintains, or transmits on behalf of the covered entity, as required by the Security Rule; (B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; (C) Report to the covered entity any security incident of which it becomes aware; (D) Authorize termination of the contract by the covered entity if the covered entity determines that the business associate has violated a material term of the contract.
What it means to your organization: Your organization should update its business associate contract and have all business associates sign the new agreement. You may also want to consult with legal counsel on wording and your organization's responsibility when it comes to state or other laws that your organization has to comply with.
Requirements for Group Health Plans (Required)
Implementation specification: See the Security Rule.
What it means to your organization: If you are a group health plan, you will need to implement this standard; otherwise it is of no consequence to your organization.
2. Policies and Procedures and Documentation Requirements Standard
This standard requires documenting policies and procedures for the routine and non-routine receipt, manipulation, storage, dissemination, transmission, and/or disposal of electronic PHI. It also states that this documentation should be reviewed and updated periodically.
Policies and Procedures (Required)
Implementation specification: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.
What it means to your organization: You must document your organization's policies and procedures to comply with the required or addressable standards. When deciding on your organization's policies or procedures, you should consider the following factors: (1) The size, complexity, and capabilities of your organization; (2) Your organization's technical structure, hardware, and software security capabilities; (3) The costs of security measures; (4) The probability and criticality of potential risks to electronic PHI.
Implementation specification: (A) Maintain the policies and procedures implemented to comply with the Security Rule in written (which may be electronic) form; (B) Retain the required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later; (C) Make the documentation available to those persons responsible for implementing the procedures to which the documentation pertains; (D) Review the documentation periodically and update it as needed in response to environmental or operational changes affecting the security of the electronic PHI.
What it means to your organization: Your organization will need written documentation of all of your security policies and procedures; retain and update them as required.
3. Compliance Dates (Required)
Implementation specification: A covered healthcare provider must comply with the applicable requirements of the Security Rule no later than April 20, 2005.
What it means to your organization: Your organization has until April 20, 2005, to document and implement all of your security policies and procedures. That is less than a year and a half away! My recommendation is that you get started now, as this is much more time-consuming and requires more planning than the Privacy Rule.
In the next article, we will look at some "frequently asked questions" concerning the Security Rule and hopefully shine additional light on what is actually required for your O&P organization.
While all information in this article is believed to be correct at the time of writing, this article is informational only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by Provaliant or individual members. If you require legal advice, you should consult with an attorney.
Jay Masci, PMP, is the principal consultant of Provaliant, a company providing IT consulting services, including HIPAA compliance and customized training. Visit www.provaliant.com or contact Provaliant at 480.952.0656.