
10-Step HIPAA Compliance Program


Sunday, Mar 08, 2009, 11:44:08 PM

By Avi Baumstein

Worried about HIPAA? Our guide will help you stay right with the law.

We expect to see the Centers for Medicare and Medicaid Services (CMS), the unit within the Department of Health and Human Services responsible for compliance with the Health Insurance Portability and Accountability Act, place greater emphasis on proactive enforcement in the coming year. The impetus is a report issued in October by the HHS inspector general that faults CMS for not providing effective oversight and enforcement of HIPAA security. We're also watching closely to see how the pending appointment of a Cabinet secretary for HHS and the Obama administration's plan to update the nation's electronic medical records system affect HIPAA enforcement.

A common complaint about HIPAA is that the details tend to be fuzzy: there's no product companies can buy to magically get compliant, and there's no sanctioned checklist to guide you to certification. This is, to a large extent, by design: One goal of HIPAA was to be a one-size-fits-all, technology-neutral regulation.

Many information security pros enjoy this flexibility, while some wish for more guidelines. Whatever your stance, HIPAA requires that IT groups tailor a security program to their specific environments. To help, we pulled together 10 steps that should put companies well on their way to building a security program that will pass muster, just in case the feds come knocking. We've included the basics here; find an expanded version in our special InformationWeek Analytics HIPAA Alert at compliance.informationweek.com.

1. Assign A Security Official

Sounds basic, and most large organizations have designated an information security officer. But smaller shops may not recognize the value of having a single person responsible for coordinating all HIPAA activities. This doesn't mean the security official does all the work; rather, this is the person who tracks compliance requirements and brings projects to the internal groups responsible for implementation.

2. Determine Your Individual Risks

The essence of HIPAA is establishing a sustainable security management process to reduce risks and vulnerabilities to a reasonable level. This process consists of assessing risk, mitigating identified risks, and documenting risk management processes and procedures. It all starts with a risk assessment, which must be conducted at least every five years.

Your risk assessment will guide nearly all of your other implementation steps. But remember: Any assessment is just a snapshot of a point in time, and computing environments are constantly changing. This is why the concept of a security management process is so important. Every time a new system comes online, or a change to an existing system is proposed, the risks need to be assessed. It's at this point that you can decide whether the risk is acceptable, can be transferred using insurance or some other strategy, or needs to be mitigated.

3. Document Everything

Government security requirements are big on documentation, and HIPAA is no exception. The need for documented policies and standards comes up often in HIPAA's Security Rule. CMS provides a list of sample questions for HIPAA security audits; most involve review of documentation, starting with policies and procedures (see www.cms.hhs.gov/securitystandard).

What needs to be included in your policies and procedures? A good place to start is with the standards in the Security Rule. This introduces a key concept in HIPAA: Standards are either "required" or "addressable." Obviously, required standards have to be implemented, although most of them still provide enough room to customize to your environment. Addressable standards are interesting because they can be met by deciding (and documenting) that a standard isn't applicable to your environment, or that you've addressed the standard in an alternative manner.

4. Know Your Users

CMS says that information access management and access control are the two most commonly violated provisions of the Security Rule. Information access management comprises your policies and procedures to authorize access to personal health information. Once a user is authorized to access that information, for example, how will she gain that access? In many organizations, it was common practice for people, especially providers moving among patients, to use a common account for access to patient systems, even leaving computers logged on for the next user. If you fell for this convenience, now is the time to repent. Every user must have a unique identifier to access patient data.

5. Prepare For Incidents

HIPAA requires that procedures be in place to identify and respond to security incidents, minimize the harmful effects of incidents, and document them and their resolution. Your incident response needs will be driven by your risk assessment. If Internet attacks are a high risk, you may decide that complex intrusion-detection systems are called for. Large companies may need to have standing incident response teams with forensics experts on staff, while smaller companies could assign these duties to existing staff and plan to outsource specialized tasks during an incident. Whatever your size, documentation of incidents that happen is crucial.

6. Expect The Worst

HIPAA isn't just about protecting data from unauthorized access. As more information needed for patient treatment and billing becomes electronic, it's crucial to ensure that systems are available and the data is trustworthy. Your contingency plan must cover backup and recovery of personal health information, along with preparations for recovering from disasters. Your plan also needs to include preparations for operating under emergency conditions: how business can continue without access to the electronic personal health information, and how you will continue to protect data on your systems during disasters.

7. Control Your Media

The management of devices and media used to store patient information is another top source of HIPAA violations, according to CMS. The Security Rule includes four provisions covering devices and media. HIPAA also includes provisions for tracking storage media and devices as they're moved around the facility and disposed of, as well as data backup.

8. Train Users, Then Remind Them

Users are crucial to security, but it's very easy for information security pros to assume they already understand the issues. All members of your workforce need ongoing security training. HIPAA leaves it up to you to decide what's appropriate and how training should be conducted, although the provision describes the training as "periodic security updates."

9. Log/Audit

HIPAA requires that covered entities record and examine activity in systems that store or use personal health information. The type of high-risk threats you identified in your risk assessment will help you decide what needs to be logged in order to meet this requirement, but it's important to understand the context. The Security Rule goes to great pains to ensure that users are uniquely identified and authenticated. Oftentimes, in a medical setting, it's hard to predict who will need to access which patient's data, and strong limits on this access could cause dangerous delays in treatment.

Instead, reasonable access restrictions should be implemented and followed up with audits of access trails to ensure that employees aren't looking at or modifying records they shouldn't.
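One way to carry out the follow-up audit of access trails this step calls for, as an added example that is not from the article: it checks a constructed access log against a constructed table of documented care relationships and flags uses of shared accounts (step 4), accesses with no documented relationship, and actions beyond what a user was authorized for. The log format, the user and patient identifiers, and the authorization table are all assumptions.

```python
"""Added example, not from the article: review a PHI access trail against
documented access rules (step 4 unique IDs, step 9 audit of access trails)."""
import csv
from io import StringIO

# Constructed sample audit trail: who touched which patient record, and how.
AUDIT_LOG = """\
timestamp,user,patient_id,action
2009-03-02T08:15:00,rn_garcia,P1001,read
2009-03-02T08:20:00,rn_garcia,P1001,update
2009-03-02T09:02:00,dr_chen,P1002,read
2009-03-02T09:10:00,nurse_station3,P1003,read
2009-03-02T12:40:00,billing_lee,P1001,read
2009-03-02T13:05:00,billing_lee,P1001,update
2009-03-02T22:30:00,rn_garcia,P1002,read
"""

# Constructed care relationships: which unique user IDs are authorized for
# which patient records, and which actions each may perform.
AUTHORIZED = {
    ("rn_garcia", "P1001"): {"read", "update"},
    ("dr_chen", "P1002"): {"read", "update"},
    ("billing_lee", "P1001"): {"read"},  # billing may view, not edit
}

# Generic accounts defeat the unique-identifier requirement: flag every use.
SHARED_ACCOUNTS = {"nurse_station3"}


def review_access_trail(log_text=AUDIT_LOG, authorized=AUTHORIZED,
                        shared=SHARED_ACCOUNTS):
    """Return (timestamp, user, patient_id, reason) for each suspect access."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        ts, user, patient, action = (row["timestamp"], row["user"],
                                     row["patient_id"], row["action"])
        if user in shared:
            findings.append((ts, user, patient, "shared account, individual not identifiable"))
            continue
        allowed = authorized.get((user, patient), set())
        if not allowed:
            findings.append((ts, user, patient, "no documented care relationship"))
        elif action not in allowed:
            findings.append((ts, user, patient, f"action '{action}' exceeds authorized access"))
    return findings


if __name__ == "__main__":
    for finding in review_access_trail():
        print(" | ".join(finding))
```

In practice the authorization table would be derived from the organization's own documented access policies, and the reviewed findings themselves become part of the incident documentation step 5 requires.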

10. Clean Up Old Data

This step will simplify your HIPAA compliance efforts by reducing the amount of data you need to protect. Hopefully, when you did your inventory for your risk assessment, you didn't just focus on the systems in day-to-day use but scoured the data closets for older gear and unused databases.

Once you've used your inventory to identify outdated data and systems, you need to make the classic closet-cleaner's decision: toss or keep? If there's reason to keep the data, does it need to be accessible? If not, archive it to durable media and store it in a vault or with an off-site data storage company. Data on a tape in a vault isn't susceptible to hackers or curious employees.

Your Fines May Vary

Sure, $100,000 might not break the bank, but CVS felt the sting

$2.25 million
Settlement agreed to in February by CVS pharmacy chain, HHS, and the FTC over potential HIPAA violations

$100,000
Fine levied against Providence Health System in July 2008 for security lapses

Data: U.S. Department of Health and Human Services

With Which Regulations is Your Organization Required to Comply?

HIPAA 34%

Sarbanes-Oxley 32%

PCI 16%

Can-Spam 9%

FISMA 8%

FCRA/FACTA 7%

COPPA 3%

Other 9%

None 37%

Data: InformationWeek Analytics 2008 Strategic Security Study of 1,097 business technology professionals

Avi Baumstein is an information security analyst at the University of Florida's Health Science Center. Write to us at iweekletters@techweb.com.

www.informationweek.com
Copyright © 2009 United Business Media LLC. All rights reserved.
