When you talk about the HIPAA Security Rule, the fundamental thing about it is that there’s a lot of flexibility. But the counterpoint to that is you have to do a lot of analyses so that you can make sure that you’re applying the rule correctly for you, because there are no easy checklist solutions.
If you think about the privacy rule when that came along, the HIPAA privacy rule, everybody could download a kit from the internet that said, “Do you have this policy and procedure in place? If no, then do this. Adopt this policy and check it off. You’re all set.”
Well, it’s not really that easy for information security. You need to figure out what’s right for you to do for your facility and make sure you justify why you think that’s the right thing to do because there is so much flexibility in a security rule.
You have to understand how your operations work and where the information comes from and goes to. And you have to do a HIPAA risk assessment and you have to document a lot of information. You really have to have that kind of flexibility to make it work.
Now looking at the general rule, the HIPAA Security Rule general rules in Section 164.306, right away you’re off to a bad start because the first thing in 164.306(a)(1), they say you have to ensure confidentiality, integrity and availability of electronic information.
And right away, you see a problem because “ensure,” if you ask your lawyer friends, is a word with very strong legal meaning. It means you’ve got to do this. You have to do a good job at this. You can’t just try very hard. You have to ensure these things. And as I mentioned before, you have a built-in conflict because you have confidentiality and availability working against each other.
So you have to perfectly do something that inherently can’t be done perfectly. And the other thing is that how you make your decisions is based on HIPAA risk assessment. And there are no hard and fast answers of which risk is greater or not. These things depend on your particular situation. You’re not really sure which risk may become greater or lesser over time.
So you’re really in a nasty position to be in for compliance. And you have to protect against reasonably anticipated threats or hazards and improper uses and disclosures of health information.
You can see there’s a linkage to the privacy rule. There are a few places where the security rule has some linkage to the privacy rule. Keep in mind that the security rule is there because you need to have extra definition of how to handle electronic information. It’s there to support the privacy rule, not to supplant it or stand in for it, and it doesn’t apply to paper information under HIPAA anyway.
But the HIPAA security rule gives you the other information that you need - the framework for you to be able to deal with electronic information. And you do ensure compliance by your workforce. Make sure you meet all the standards and then deal with the implementation specifications.
There are 18 HIPAA security standards and then there’s a number of implementation specifications that most of the standards have - 12 of the 18 standards have implementation specifications. And there are some details that can help you understand how to deal with things. And those come in two ways. They’re either required or addressable.
And for the required ones, you have to meet them pretty much as they say, and the addressable ones - addressable is not optional. Addressable just means you have more flexibility, where you need to do what you can to meet them. But you can do something else instead as long as you explain why and document why that works for you and why it does a better job.
Now, an example of an addressable specification is one of the requirements that calls for having an automatic logoff of systems. But for some people an automatic logoff of your system might be kind of a drastic thing to have happen. The idea is if you leave your system alone for a number of minutes that you’ll get shut off of it so somebody can’t come along and sit down and use your system under your name and pretend to be you, because that’s kind of the story with the auditability and the integrity of it, the audit trail of who’s been looking at information.
So, one of the things that a lot of organizations are doing instead of having a specific logoff of systems is they’re using the Windows Screensaver instead because it accomplishes the same objective. Remember, the objective here is to make it so that somebody can’t sit down at your computer and use it without you knowing it and use it under your name.
Now, certainly logging out of your system is the only way to do it. But having the Windows Screensaver can accomplish the same thing. Somebody has to type a password to get back in again.
So most organizations are doing that but since that’s not strictly following the HIPAA regulation, they’re interpreting the addressable specification in a way that’s helpful for them that accomplishes the same objective. But you have to say, you know, we're not doing exactly what’s called for. We're doing this instead which does just as good a job and that’s why we're doing this.
And so that’s the whole issue with addressable specifications: they give you some room to move, but at the same time you have to be able to document that and justify it. And also regular reviews are important.
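One way to produce the documentation the speaker describes for the screensaver-in-place-of-logoff decision is to audit what the workstation actually enforces. The following PowerShell is an added example, not part of the training transcript; it reads the standard Windows screen saver registry values (the Group Policy location first, then the user’s own preferences) and compares them against a 15-minute idle ceiling, which is an assumed value that an organization would set in its own policy.

```powershell
# Added example: audit the password-protected screen saver that an organization
# documents as its alternative to automatic logoff. The 900-second ceiling is an
# assumption standing in for whatever idle limit the organization's policy states.
$MaxIdleSeconds = 900

# Group Policy-enforced values take precedence over the user's own preferences.
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserPath   = 'HKCU:\Control Panel\Desktop'

function Get-EffectiveValue([string]$Name) {
    foreach ($path in $PolicyPath, $UserPath) {
        $value = (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $value) {
            return [pscustomobject]@{ Value = $value; EnforcedByPolicy = ($path -eq $PolicyPath) }
        }
    }
    return $null
}

function Test-ScreenLockCompliance([int]$MaxIdleSeconds) {
    $active  = Get-EffectiveValue 'ScreenSaveActive'     # "1" when a screen saver is enabled
    $secure  = Get-EffectiveValue 'ScreenSaverIsSecure'  # "1" when resume requires a password
    $timeout = Get-EffectiveValue 'ScreenSaveTimeOut'    # idle seconds before it starts

    $findings = @()
    if ($active.Value -ne '1') { $findings += 'Screen saver is not enabled' }
    if ($secure.Value -ne '1') { $findings += 'Screen saver does not require a password on resume' }
    if (-not $timeout -or [int]$timeout.Value -gt $MaxIdleSeconds) {
        $findings += "Idle timeout ($($timeout.Value) s) is missing or exceeds the documented $MaxIdleSeconds s"
    }

    # A setting the user can switch off is a weaker justification than one Group Policy
    # enforces, so the report records where each value came from.
    $settings = @($active, $secure, $timeout) | Where-Object { $_ -ne $null }
    $enforced = ($settings.Count -eq 3) -and -not ($settings | Where-Object { -not $_.EnforcedByPolicy })

    [pscustomobject]@{
        Compliant        = ($findings.Count -eq 0)
        EnforcedByPolicy = $enforced
        Findings         = $findings
        CheckedAt        = (Get-Date).ToString('s')
    }
}

# Emit a record suitable for attaching to the addressable-specification justification.
Test-ScreenLockCompliance -MaxIdleSeconds $MaxIdleSeconds | Format-List
```

Run it under the user account whose session is being assessed; the `EnforcedByPolicy` field is what distinguishes a control the organization can rely on from one the user is free to turn off.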
And the flexibility section itself, 164.306(b), says you can use any security measures that allow you, the (inaudible), the CE, to reasonably and appropriately implement the standards and specifications as specified. And they say that you have to consider a number of factors - the size and complexity and capability of your organization. In other words, some health care providers are a single-physician doctor’s office and some of them are a multi-state colossus with multiple hospitals and tens of thousands of employees.