HIPAA: Safeguarding Information
by Jennifer Daw Holloway
Monitor on Psychology, Volume 36, No. 1 January 2005
January 1, 2005 -- The new year inevitably brings new resolutions--for patients and for psychology practitioners. This year, one goal on practitioners' lists should include preparing to comply with the Health Insurance Portability and Accountability Act (HIPAA) security rule -- which seeks to safeguard electronic patient health information -- by the April 20 deadline.
Who, specifically, does this affect? "Anyone who determined that they needed to be compliant with HIPAA's privacy rule will also need to be in compliance with this rule," says Russ Newman, PhD, JD, APA's executive director for professional practice.
While the privacy rule applies to all communications -- written, oral and electronic -- of patients' confidential information, the security rule only applies to electronic information. "There are more technology aspects to this rule than the privacy rule," says Newman. "But the real issue is about protecting against security breaches for health information that is either maintained or transmitted by electronic means."
However, many practitioners who implemented measures to comply with HIPAA's privacy rule may have already taken some of the steps needed to comply with its new security rule.
THE BASICS
The security rule requires practitioners to assess the risks to the confidentiality, integrity and accessibility of their electronic patient information and determine how to best minimize those risks.
"Practitioners will need to evaluate how they operate their practice and use the rule to help identify where there are gaps in security and then plan to correct those gaps," says David Nickelson, PsyD, JD, assistant executive director for technology policy and projects in APA's Practice Directorate.
The rule encompasses three broad categories of standards in which psychologists must address and document safeguards:
Administrative standards. This section addresses security issues in a practice's day-to-day administrative operations, such as training staff to comply with the rule, authorizing staff access to and use of confidential patient information, developing an emergency operation plan and choosing a staff member to be responsible for all security activities.
Physical standards. These standards cover access to a psychologist's office or other workspace, such as placing locks on doors or installing a security system so that electronic patient information in the office cannot be physically removed by unauthorized individuals.
Technical standards. This section concerns access to systems that contain electronic patient information. These standards require a psychologist to create mechanisms to ensure that only authorized staff can access these systems, such as requiring a password for access to particular computers or software programs.
Each of the three areas contains several standards and implementation specifications that describe how to meet the standards. Fortunately for small practices, the security rule is flexible, allowing for different kinds of compliance activities depending on the size of the practice, cost of implementing certain safeguards and the practice's technological sophistication. In other words, as with the privacy rule, smaller practices will not be expected to implement the rule on the same scale as larger entities.
"You can really tailor what makes sense for your practice--but you are required to document the rationale and justification for why you've taken the action you've chosen to take," says Newman.
For example, electronic mail encryption may not be cost-effective for some practices, which may instead choose to subscribe to a HIPAA secure e-mail service. These practices must document how they plan to address security concerns as well as the rationale for their actions. Or some practices may choose to back up their computers to tape or disks and keep the backup copy off-site. Others may decide to subscribe to an online backup service, which backs up computers over the Internet. Again, the rationale for these actions must be documented.
"The issue here is, if you have test reports, financial information and patient records on your computer, how are you keeping that information safe?" says Nickelson. "And that ranges from keeping it out of the wrong hands to protecting the information from physical damage. The rule establishes a regular, ongoing security review process that practitioners will need to engage in."
For additional information regarding the HIPAA Security Rule, read the HIPAA Security Rule FAQ and the HIPAA Security Rule Primer.
