After grueling efforts to meet last year’s Privacy Rule deadline of the Health Insurance Portability and Accountability Act (HIPAA), it may seem that hearing health care facilities are now free to move on from their HIPAA-related projects and concentrate once again on other business and patient-related matters. However, many health care facilities are now facing the standards of another upcoming HIPAA mandate—the Security Rule—and it is likely that the majority of hearing care facilities will have to comply with this rule in the near future.

The Security Rule, which goes into effect April 21, 2005, is different from the Privacy Rule in that it applies only to protected health information (PHI) in electronic form. By contrast, the Privacy Rule covers protected health information in any form (oral, written, or electronic record). (Authors’ Note: For a general description of HIPAA regulations and how they apply to hearing care professionals, see the authors’ article, “HIPAA and Hearing Care Professionals,”¹ which appears in the March 2003 HR.)

The US Department of Health and Human Services (HHS) believes that the final Security Rule meets the objective of being comprehensive and coordinated to address all aspects of security. Likewise, the new regulations have been designed to be scalable, so that they can be implemented by health care providers of all types and sizes. And, finally, HHS contends that the regulations are not linked to specific technologies, thereby allowing the use of future technological advancements.

HIPAA Security Review
Although HIPAA regulations were detailed in a previous article,¹ some review of the basic Security provisions is warranted. Security is defined in the HIPAA regulations as the health care provider’s responsibility to control the means by which individually identifiable health care information remains confidential. Implementation of the Security Rule encompasses the following four essential safeguards for PHI in electronic form (discussed in greater detail later):

• Administrative safeguards.
• Physical safeguards.
• Technical security services safeguards.
• Technical security mechanisms safeguards.

There are numerous methods available to secure the patient health information maintained in your practice. Depending on the rigor with which you modified your practice procedures in accordance with the HIPAA Privacy Regulations, many of the necesssary security provisions are likely to be in place already (eg, rooms/facilities secured with locks, security systems in place, employees trained, etc). Other examples include data management systems that can be secured through single sign-on systems, user IDs, passwords, firewalls, and intrusion-prevention systems.

Likewise, the Hearing Industries Association (HIA), hearing instrument manufacturers, and related suppliers have been making excellent progress on HIPAA-related issues. For example, eTONA (which stands for electronic Transfer Of NOAH Actions) has been designed to work with NOAH 3 software so that orders and updates can be sent and received using encryption.² The eTONA data is designed to be securely transmitted between the manufacturer and dispensing office/practice much like the encryption methods used for online banking.

Required Activities
The Security Rule requires that health care providers undertake the following activities regarding electronic patient protected health information:

• Ensure the confidentiality, integrity and availability of all electronic protected health information that is created, received, maintained, or transmitted.
• Protect against any reasonably anticipated threats/hazards to the security and integrity of such information.
• Protect against any reasonably unanticipated uses and disclosures of this information.
• Ensure compliance by the members of your work-force.

In addition, health care providers should be aware that there may be certain patient-related information (eg, infectious diseases, genetic disorders, etc) that is required to have special protections pursuant to federal or state statutes.

HHS requires covered entities to conduct a risk analysis to evaluate their own office/practice relative to the security risks inherent in their electronic PHI. The risks that are identified will determine the degree of response needed. Obviously, smaller practices with smaller facilities and fewer workers generally assume less risk and, in terms of the scalability of HIPAA, the response to that risk can be developed on a more appropriate scale.

While it may be the case that you have security measures already in place as a result of the Privacy Rule, you are still required to conduct a comprehensive gap analysis to assess current procedures against the new security standards. An essential aspect of this gap analysis is the risk analysis to determine the nature, extent, and probability of occurrence of protected health information security incidents. The results of the gap analysis must then be considered in the context of the four categories of safeguards:

1) Administrative safeguards. Intended to ensure that organizations provide a structure in which an information security program can be developed and implemented. It includes the implementation of policies and procedures to prevent, detect, contain, and correct security violations. This includes access controls, risk analysis, risk management, work-force sanction policies, information system activity reviews, assigned security responsibility, and work-force security.

2) Physical safeguards. Intended to ensure the protection of computer systems (and related physical structures in which these systems are housed) from fire, other natural and environmental hazards, and intrusion. This safeguard is also meant to limit physical access to electronic information systems and ensure that only authorized employee access is allowed. This includes contingency operations, facility security plans, access control and validation procedures, maintenance records, workstation use, and security. Safeguards might also include the use of locks, keys, and administrative measures used to control access to computer systems and facilities, as well as back-up systems (eg, off-site duplicate data storage) for the recovery and use of health care data in the event of a natural or man-made disaster.

3) Technical security services safeguards. Intended to guard data integrity, confidentiality, and availability, and to protect, control, and monitor information access. This safeguard protects the information systems (eg, computers and software) that maintain electronic PHI information, and includes items such as unique user identification, emergency access procedures, and encryption/decryption mechanisms.

4) Technical security mechanisms safeguards. Intended to protect electronically transmitted PHI over open networks against interception or interpretation by parties other than the intended recipient. These mechanisms are also intended to protect information systems from intruders who attempt to gain access through external communication points.

Getting More Specific: Creating Security Rules for Your Office
The following are some required security policies and procedures that need to be implemented by health care providers:

• Audit controls on hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
• Business associate contracts or agreements (BAA) need to ensure that the business associate will implement administrative, physical, and technical safeguards that are reasonable, and appropriately protect the confidentiality, integrity and availability of electronic protected health information that it creates. This applies to information that the business associate receives, maintains, or transmits on behalf of the health care provider. (For more information on BAAs, see the March 2003 HR, p. 14, or the HIA Web site: www.hearing.org/hipaa.) 
• Data back-up plan policies and procedures should be implemented to create and maintain retrievable exact copies of electronic PHI.
• Device and media controls for the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
• Disaster recovery procedures to restore any loss of data.
• Disposal policies and procedures concerning the final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored.
• Reuse procedures for the removal of electronic protected health information from electronic media before the media is made available for reuse.
• Person or entity authentication procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
• Risk analysis, which will allow entities to evaluate their own operations and determine the security risks involved.
• Risk management of security measures sufficient to reduce risks and vulnerability to a reasonable and appropriate level.
• Sanction policies and procedures to apply appropriate sanctions against work-force members who fail to comply with the security policies and procedures.
• Security incident response and reporting procedures to document the response and reporting of a security incident involving electronic PHI. This should include documentation of that sanctions applied.
• User access control identification so that access to the electronic protected health information is available only to authorized users.
• Workstation physical safeguards for all workstations that access electronic protected health information.
• Workstation use policies and procedures that specify the proper functions to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI.

Other Addressable Specifications
HHS lists numerous specifications that health care providers must consider for possible implementation. It divides specifications into “required” and “addressable” categories, with the required specifications being mandatory (see above), and the addressable specifications having some flexibility with respect to compliance.

The decision as to whether a particular specification will be implemented by a health care provider should follow a detailed risk analysis, consideration of the security measures already in place, the cost of implementation for a given addressable specification, the health care provider’s technical infrastructure, hardware and software security capabilities, and the probability and “criticality” of potential risks to electronic PHI. After analyzing your facility’s current status, you can choose to implement the recommended specifications, implement an alternative security measure to accomplish the same purposes of the standard, or not implement anything if the specification is already met.

Recommended specifications for implementation are:

• Automatic logoff of access to information systems. Electronic measures that terminate an electronic session after a predetermined time of inactivity.
• Contingency plan testing and revision procedures. Facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
• Data backup and storage. Create a retrievable exact copy of electronic protected health information, when needed, before movement of equipment.
• Data priority analysis. Implement procedures to determine the relative priority of specific applications and data in support of other contingency components.
• Encrypted and decrypted access control. Create a mechanism to encrypt and decrypt electronic health information.
• Encryption. Encrypt electronic protected health information.
• Facility access contingency plans/operations. Allow facility access in support of restoration of last data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
• Facility access controls and validation. Control and validate a person’s access to facilities based on their role or function, and control of access to software programs for testing and revision.
• Facility maintenance records. Document repairs and modifications to the physical components of a facility which are related to security.
• Facility security plan. Safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
• Information system log-in monitoring. Assign a unique name and/or number for identifying and tracking user identity. Implement procedures for monitoring log-in attempts and reporting discrepancies.
• Integrity controls. Ensure that electronically transmitted electronic PHI is not improperly modified without detection until disposed of.
• Mechanisms to authenticate electronic PHI. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
• Media control accountability. Govern the receipt and removal of hardware and electronic media that contain electronic protected health information, and the movement of these items within the facility.
• Password management. Implementation of procedures for creating, changing and safeguarding passwords. Passwords can no longer be shared among members of the work-force.
• Software systems integrity measures. Maintain a record of the movements of hardware and electronic media, and any responsible persons.
• Work-force clearance procedures. Implementation of procedures to determine that the access of a work-force member to electronic protected health information is appropriate.

Toward a Private, Secure Health Information System
As we observed in the previous article on HIPAA Regulations,1 it is probably an understatement to say that there are some hearing care professionals who have little or no knowledge of the HIPAA Security Rules. Based on our analysis of the HIPAA legislation and experience with compliance implementation projects, the authors can summarize the most salient feature of HIPAA in one sentence: Every hearing care practice, regardless of size, should comply with the HIPAA security and privacy regulations. HIPAA is mandatory, not optional.

A recent HR article³ reported on comments by Alan S. Goldberg, a partner with Goulston & Storrs in Boston, who gave the following advice on what organizations should do to avoid civil HIPAA penalties:

• Use reasonable diligence to know as much as you can about HIPAA.
• Establish policies that evidence a reasonable approach to protecting PHI for both privacy and security.
• Avoid being neglectful or reckless.
• Try to cure breaches within 30 days.
• Ask for extensions if necessary.
• Seek technical advice when needed.
• Document everything.

HHS has made it fairly clear that it is not interested in fostering a “gotcha” reputation in the enforcement of HIPAA regulations. However, the Department has also made it clear that it expects due diligence from health care professionals, and it has backed up its enforcement efforts with stiff penalties for those who fail to comply. The penalties are designed to gain the serious attention of the health care field—and, for the most part, they have!

As in the case of HIPAA’s Privacy Rule, conforming to the final Security Rule’s required and addressable compliance specifications will be a demanding, but necessary, undertaking. However, when all applicable HIPAA regulations have been fully implemented, you will be able to assure your patients (and the HHS) that you have taken the measures necessary to safeguard their health information from accidental disclosure and misuse.

Correspondence can be addressed to HR or Paul Popp, 7771 O’Bryan Place, Centerville, OH 45459; email: NaiaPedFound@aol.com;   or Beth Lane, Beth Lane & Associates, 12722 Charloma Drive, Tustin, CA 92780; email Bethlaneassoc@hotmail.com.

References
1. Popp P, Lane B. HIPAA and hearing care professionals. Hearing Review. 2003; 10(3):44-51, 96.
2. Peterson S. Made to order: How eTONA will serve you and your clients. Hearing Review. 2003; 10(3):38-41,95.
3. Van Houten B. Getting hip to HIPAA. Hearing Review. 2003; 10(2):36-39.