HIPAA Security Implementation, Version 1.0

Thousands of US health-care organizations have been waiting for the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to be finalized. First proposed nearly five years ago, the rule has now been issued in final form. The Security Rule is just one part of HIPAA-federal legislation that was passed into law in August 1996. The act is meant to provide better access to health insurance, limit fraud and abuse, and reduce the overall cost of health care. This article will provide a detailed overview of the final HIPAA Security Rule. First, the basics:

What: The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form.

Who: Covered Entities (CEs) must comply with the rule's requirements. These are health plans, health care clearinghouses, or health care providers who transmit any protected health information in electronic form.

How: CEs must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI.

Why: The basic purpose of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained , or transmitted.

When: The final Security Rule will be effective as of April 21, 2003. Most CEs will have until April 21, 2005 to comply; small health plans (those with annual receipts of $5 million or less) will have until April 21, 2006.

Unlike other security best practices or standards, the HIPAA Security Rule is federal law. There are clear, defined consequences in the event of infringement; CEs who violate the rule can face penalties of up to $250,000 in fines and 10 years in jail. CEs that do not comply with the Security Rule may also find themselves subject to adverse publicity and a dwindling customer base if customers don't believe their health data is being appropriately protected. Business partners may be unwilling to exchange data with non-compliant organizations. Non-compliant CEs may also be subject to lawsuits from business partners or customers.

GUIDING PRINCIPLES

There are several principles upon which the final Security Rule is based:

• Scalability. All sizes of healthcare entities must be able to comply with the rule.

• Comprehensiveness. The rule is meant to result in a unified system of protection for EPHI. CEs must use a defense in depth security approach.

• Technology neutral. The rule contains no specific technology recommendations (e.g., specific type of firewall, IDS, access control system). Each CE must choose the appropriate technology to protect its EPHI.

• Internal and external security threats. CEs must protect EPHI against both internal and external threats.

• Minimum standard. The Security Rule defines the least that CEs must do to protect EPHI. They may choose to do more.

• Risk analysis, (the cost of a security measure vs. the cost of not having the measure). The Security Rule requires CEs to conduct a thorough and accurate risk analysis that considers 'all relevant losses' that would be expected if specific security measures are not in place. 'Relevant losses' include losses caused by unauthorized use and disclosure of data and unauthorized modification of data.