The Journal of the American Dental Association
J Am Dent Assoc, Vol 134, No 5, 640-643.
© 2003 American Dental Association

DENTISTRY & THE LAW

HIPAA security regulations

Protecting patients’ electronic health information

Dentists who transmit certain patient health information electronically will have to comply with the recently released security regulations mandated by the Health Insurance Portability and Accountability Act of 1996, or HIPAA.1 Fortunately, compliance will not be mandatory until April 2005, so dentists will have plenty of time to adopt practices necessary for compliance.

There is a key difference between the security regulations and the HIPAA privacy regulations. Both sets of regulations apply only to dentists who are "covered entities." In order to be a covered entity, a dentist must transmit certain patient health information electronically, using a format established by the HIPAA transaction standards. However, the HIPAA privacy regulations apply to all communications—electronic, written or oral—of patients’ protected health information. In contrast, the security regulations apply only to electronic protected health information, or PHI.

Under the HIPAA regulations, PHI is defined as information that identifies a patient and relates to that person’s health, health care or payment for health care. Any dentist who is a covered entity will have to adopt the protections for electronic PHI contained in the security rule.

The final version of the security regulations was modified by the U.S. Department of Health and Human Services, or DHHS, to more closely reflect the requirements of the privacy regulations. Thus, a dentist who has implemented measures to comply with the privacy regulations already may have taken some of the steps needed to comply with the security regulations.

Similar to the privacy regulations, the security regulations allow covered entities flexibility to adopt implementing measures that are appropriate for that particular covered entity. That means that a small private dental practice will not need to take the same measures to comply with the security regulations as will a hospital or an insurance company. In deciding what security measures to adopt, a covered entity must consider the following factors:

– the size, complexity and capabilities of the covered entity;
– the covered entity’s technical infrastructure, hardware and software security capabilities;
– the costs of security measures;
– the probability of and degree of potential harm from potential risks to electronic PHI.

The security regulations contain standards with both "required" implementation specifications and "addressable" implementation specifications. While the required implementation specifications are mandatory, the addressable specifications may not be. In reviewing addressable implementation specifications, a dentist who is a covered entity must

– assess whether the specification is a reasonable and appropriate safeguard for the dentist’s office;
– implement the specification if reasonable and appropriate;
– if implementing the specification would not be reasonable and appropriate, document this fact and implement "an equivalent alternative measure" if reasonable and appropriate.

The DHHS commentary accompanying the regulations states that a covered entity also may decide that a particular implementation specification does not apply to its office and that the particular standard can be met without implementing an alternative measure in place of the addressable implementation specification.

The security regulations require covered entities to adopt administrative, physical and technical safeguards to protect electronic PHI. In addition, covered entities must adopt certain organizational requirements, such as business associate contracts, which are very similar to the business associate agreements required by the HIPAA privacy regulations.

Furthermore, a covered entity must adopt certain policies and procedures, including documentation requirements, to comply with the security regulations. Covered entities will have to retain documentation of their policies and procedures implemented to comply with the security regulations for six years after the date the documentation was created, or the date when it was last in effect, whichever is later.

ADMINISTRATIVE SAFEGUARDS

The administrative safeguards contain several standards that must be followed. The first standard requires covered entities to implement a security management process. Covered entities will be required to conduct a risk analysis to determine potential risks to the confidentiality, integrity and availability of electronic PHI created, received, maintained or transmitted by the covered entity. The covered entity will then have to implement risk management practices to reduce the risks uncovered by this analysis.

Other required standards classified as administrative safeguards will include developing a policy for sanctioning staff members who violate the covered entity’s security procedures, and implementing procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.

A key standard under the categories of administrative safeguards and organizational requirements will require covered entities to designate one person as the security official responsible for developing and implementing the entity’s security policies. This mandate is similar to the requirement under the HIPAA privacy regulations for one person to be named as the entity’s privacy officer. Dentists who are covered entities may want to designate the same person as the practice’s security officer and privacy officer, since some responsibilities of these positions may overlap.

Another administrative standard will require covered entities to implement procedures to make sure that all work force members have appropriate access to electronic PHI—and to prevent any work force members who should not have access to certain electronic PHI from obtaining that access. Additional administrative standards will require covered entities to develop policies and procedures pertaining to information access management, and to establish a security awareness and training program for all work force members.

One of the "addressable" implementation specifications for this standard deals with the adoption of password protection for office computer systems. While dental offices that are covered entities will not be absolutely required to implement password protection for their computers, they will have to do this if it would be "reasonable and appropriate" to do so.

Furthermore, covered entities will have to implement an administrative standard for handling "security incidents." A security incident is defined as an "attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system." Covered entities will be required to identify and respond to suspected or known security incidents; mitigate damages resulting from known security incidents, if possible; and document security incidents and their outcomes.

Another administrative standard will require covered entities to develop a contingency plan to deal with incidents—such as fires, vandalism, system failures or natural disasters—that could damage systems containing electronic PHI. Covered entities will be required to implement data backup, disaster recovery and emergency mode operation plans. Covered entities also will be required to conduct periodic evaluations to determine whether their offices remain in compliance with the security regulations.

Another similarity between the security regulations and the HIPAA privacy regulations is that both sets of rules require covered entities to enter business associate agreements with certain outside parties who have access to PHI. As stated above, the security regulations apply only to the use and disclosure of electronic PHI. Since covered entities who will be obligated to comply with the security regulations also will have been required to comply with the privacy regulations, covered entities should already have business associate agreements in place with applicable outside parties who have access to electronic PHI maintained by the dentist.

I explored the requirements for business associate agreements under the privacy regulations in my column in the January 2003 issue of JADA.2 The requirements for business associate agreements under the security regulations are very similar. The security regulations do contain an additional requirement for the contract to require the business associate to notify the covered entity if the business associate becomes aware of a "security incident." Also, the security regulations make it clear that business associates must implement "administrative, physical and technical safeguards" to protect electronic PHI, and must require subcontractors to implement "reasonable and appropriate" safeguards to protect electronic PHI.

PHYSICAL SAFEGUARDS

The HIPAA security regulations also require covered entities to adopt physical safeguards to protect electronic PHI. Covered entities will be required to implement a standard requiring policies to limit physical access to the entity’s computer systems and the facility in which they are housed, while ensuring that properly authorized access is allowed. In addition, covered entities will be required to develop policies and procedures for workstation use and physical safeguards for workstation security.

A workstation may include a desktop or laptop computer, along with "electronic media" stored in the immediate vicinity of the computer. The definition of "electronic media" includes computer hard drives and portable devices such as magnetic tape or disks, optical disks and digital memory cards. Electronic media also encompasses "transmission media" used to exchange information already in electronic storage media.

Transmission media can include the Internet, an extranet, leased lines, dial-up lines, private networks and the physical movement of removable or transportable electronic storage media. The regulations note that paper, facsimile and telephone transmissions are not considered transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

An additional physical safeguard will require covered entities to implement policies and procedures governing the receipt and removal of hardware and electronic media containing electronic PHI into and out of a facility, and the movement of those items within the facility. Specifically, covered entities will be required to adopt policies and procedures pertaining to the disposal of electronic PHI and the hardware or other media on which it is stored.

Covered entities also will be required to implement procedures for removing electronic PHI from electronic media before the media are made available for re-use. One of the "addressable" specifications for implementing this standard will be for covered entities to create a retrievable, exact copy of electronic PHI, when needed, before moving equipment.

TECHNICAL SAFEGUARDS

As noted above, covered entities also will be required to implement technical safeguards under the HIPAA security regulations. Covered entities will have to implement an access control standard that permits only authorized people or software programs to access information systems that maintain electronic PHI.

Covered entities will be required to assign a unique name or number for identifying and tracking user identity. Covered entities also will be required to establish procedures for obtaining necessary electronic PHI during an emergency. "Addressable" implementation specifications include establishing automatic logoffs after a certain time of inactivity on a system and adopting mechanisms to encrypt and decrypt electronic PHI.

In its commentary accompanying the security regulations, DHHS notes that since there is no generally accepted standard for encryption technology, covered entities might be unable to share encrypted e-mails with patients, and consequently this implementation specification was deemed "addressable." However, the commentary encourages covered entities to consider using encryption technology for transmitting electronic PHI, particularly over the Internet.

Other standards under the category of technical safeguards include implementing mechanisms to record and examine activity in information systems that contain or use electronic PHI, and implementing policies and procedures to protect electronic PHI from improper alteration or destruction.

Still other standards will require covered entities to implement procedures to verify the identity of a person or entity seeking access to electronic PHI, and to implement security measures to guard against unauthorized access to electronic PHI. Furthermore, covered entities will be required to implement measures to protect electronic PHI from unauthorized access during transmission.

COMPLYING WITH THE HIPAA REGULATIONS

As noted above, covered entities will not have to comply with the security regulations until April 2005. However, some have argued that the security regulations will have a more immediate impact. The HIPAA privacy regulations require covered entities to have in place "appropriate administrative, technical and physical safeguards to protect the privacy of protected health information."

It is possible that the standards in the security regulations could be used to determine the "appropriate safeguards" to be taken to protect PHI under the privacy regulations. In fact, the DHHS commentary accompanying the security regulations notes that the implementation of appropriate security measures also will support compliance with the privacy standards, while the lack of adequate security also could increase the risk of violating the privacy standards.

In its commentary, DHHS acknowledged that there is no such thing as a totally secure system. While the HIPAA statute refers to "ensuring" protection for electronic PHI, DHHS noted that covered entities would not be required to provide protection regardless of the cost. Covered entities will be expected to balance the risks of inappropriate use or disclosure of electronic PHI against the cost of various protective measures. The size and capabilities of the covered entity also may be taken into account.

Furthermore, the commentary states that DHHS will be publishing guidance to help covered entities comply with the HIPAA security regulations. In addition, the American Dental Association will be developing materials specifically designed to assist dentists preparing to comply with the security regulations.

Mr. Sfikas is ADA chief counsel and an adjunct professor of law at Loyola University of Chicago School of Law. He has lectured and written on legal issues and is a fellow of the American College of Trial Lawyers. Address reprint requests to Mr. Sfikas at the ADA, 211 E. Chicago Ave., Chicago, Ill. 60611.


FOOTNOTES


The author wishes to express his appreciation to Colleen Johnson, director, ADA Contract Analysis Service, for her assistance in preparing this article.


This article is informational only and does not constitute legal advice. Dentists must consult with their private attorneys for such advice.

REFERENCES

1. Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003).

2. Sfikas PM. Business associate agreements. JADA 2003;134:114–6.



PETER M. SFIKAS, J.D.