HIPAA SECURITY COMPLIANCE

Protecting your patients’ health information is more difficult and more important than ever. The author’s strategy will help you meet this month’s deadline.
The final rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on Feb. 20, 2003 [and goes into effect April 21, 2005]. This final rule specifies a series of administrative, technical and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.
– Statement on the Centers for Medicare & Medicaid Services Web site regarding the Health Insurance Portability and Accountability Act¹
As family physician Dan Brewer, MD, once wrote on an e-mail discussion list, “I believe I would rather eat live cockroaches than learn about HIPAA security.” Nothing, it seems, could be more boring and less related to the practice of family medicine than computer security.

But don’t be fooled into complacency. You and your patients are probably more familiar with security risks and the costs or hassles associated with inadequate protection than you realize. Consider these examples:

• Have you ever been the victim of a computer virus, or do you know someone who has?
• Are you concerned about what would happen if the computer hard disk storing your patients’ medical information failed?

Dr. Kibbe is director of the AAFP’s Center for Health Information Technology (CHiT). He thanks Steven E. Waldren, MD, CHiT’s assistant director, for his assistance on this article. Conflicts of interest: none reported.
sending you e-mail is truly the person he or she claims to be? How do you know the person whose name is attached to an electronic health record (EHR) entry really made it?

It’s difficult. Hackers use computer viruses to get into e-mail programs and propagate their nastiness by sending new e-mails that appear to come from a friend. As the public does more online shopping, identity theft using computers has become a common way for criminals to steal money and goods.

The bottom line is this: Computer security is a requirement for any sound business, including your medical practice. Computer security is needed to protect the privacy of those whose information you store and manage. It is also needed to protect you and your practice from the risk of penalty and legal liability if private information is used or released by your practice.

You have two choices: Either delay learning about computer security and risk playing catch-up when an attack or accident causes harm to a patient or your practice, or be proactive and begin to install protections that will allow you to detect and prevent trouble down the road.

2. Make certain your colleagues and staff take security as seriously as you do. The HIPAA security standards require your practice to have written security policies and procedures, including those that cover personnel training and sanctions for security policy violations. Your office staff and colleagues must truly understand basic security logic and take their role in protecting patients’ privacy very, very seriously. Most security breaches occur when insiders – people working for the organization – exercise faulty judgment or fail to follow protocols in which they’ve been trained.

Consider two highly people-dependent areas of computer security: physical access and password management.

Physical access to computers and software is a foundation of computer security. Physical access means that someone can approach a computer or monitor and see what’s on the screen. Do you want everyone in the office, including patients, family members or your cleaning crew, to be able to see what is displayed on a computer screen? Of course not. But you probably work in a busy, sometimes hectic, environment that makes it difficult to closely monitor the flow of people and information at all times.

This means two things. First, you should carefully consider the location and design of display devices in your office. Don’t place monitors in busy corridors, and ensure that the display image has a 30-second time-out feature. Second, employees and staff must have a heightened awareness regarding access to computers, monitors, printers, fax machines and other display devices. They should strive to avoid creating insecure situations.

Password management is another area that requires staff to be security conscious. Passwords and IDs allow computers to control access to personal health information based on a person’s role, authority or need to know. They identify or authenticate a computer user via a secret password. Obviously, passwords should be kept secret to avoid unauthorized access to or manipulation of protected information. But passwords are clumsy to use and difficult to remember, especially as they become more complicated (thus increasing their secrecy). It’s tempting for users in small offices to share passwords or keep them written on a piece of paper tucked into the top drawer next to the computer station. I’ve even found passwords on sticky notes attached to computer monitors!

These actions completely undermine the security system. Why pay for a software system that uses passwords if you don’t take the protection they provide seriously?

So while it does make sense to worry about hackers and intrusions from outside your office walls, remember that your co-workers pose the most likely security risk. Your computer security is only as good as the weakest human link in your office.

SPEEDBAR
➤ In addition to protecting important data, computer security is also needed to protect you and your practice from the risk of legal liability.
➤ Most computer security breaches occur when insiders exercise bad judgment or fail to follow established protocols.
➤ Monitors should not be placed in high-traffic areas, and time-out features should be used.
➤ Computer passwords should never be shared or kept near

April 2005 ■ www.aafp.org/fpm ■ FAMILY PRACTICE MANAGEMENT ■ 45

3. Catalog all the information system components that interact with protected health information in your office. To assess your office’s current security risk, you have to know, in detail, the capabilities and weaknesses of your information systems. No two medical practices have exactly the same information system components, nor do they manage the flow of information precisely the same way. Some practices still manage most information on paper and have a single computer for billing and accounting purposes. However, most practices, even small ones, have complicated information technology environments that include multiple components. These might include the following:

• Hardware – Computer workstations in the front office, tablet computers in the clinical areas, printers in the back office, server in the computer closet, personal digital assistants, scanning devices and modems used to connect to the Internet.
• Software – Operating systems, billing software, practice management software, browsers, e-mail client software, EHR software, and database and office productivity software.
• Network components – Routers and hubs, dedicated phone or cable lines, wireless systems, firewall software and firewall hardware.

You should make a detailed list of all of the components that play a role in either

and procedures on this analysis, which must be specific to your practice. Second, it’s the only reasonable way to assess your risk of security breaches in your current systems and protocols. Finally, this exercise can be valuable in the acquisition and use of EHR systems if your practice is moving in that direction.

The HIPAA security standards require your practice to appoint someone as the security manager, so you might want to assign these tasks to that person. However, I can’t stress enough the need for physicians to take responsibility for understanding how health information technology is used in their practice, especially small and independently owned ones.

4. Prepare for disaster before it occurs. An important aspect of computer security involves protecting electronic data from loss or corruption – that is, ensuring its integrity. Although there are many ways data integrity can be affected, the most common is loss of data from some sort of emergency or disaster, including human error, mechanical hard disk failure, equipment damage due to flooding, or computer virus infection.

A solid computer-system contingency plan is composed of a number of steps, including performing backups, preparing for continued operations in an emergency and recovering from a disaster.

The most important part of a contingency plan is having a backup system. A backup system is a combination of hardware and software that lets you retrieve exact cop-

SPEEDBAR
➤ HIPAA requirements include a detailed description of how your hardware, software and network components collect, access, store and transmit patient health information.
➤ The HIPAA security standards also require your practice to appoint a security manager.
➤ Even if someone else is named as the security manager, physicians need to understand completely how health information technology is used in their practices.
system should store all of the critical data needed to run the practice in the event of a disaster. Practices should conduct an analysis to identify these critical data.

5. Make sure your network and communications safeguards are intact and robust. It is increasingly difficult to find a computer that is not attached to some sort of network. Most computers in your practice

and Web browsing. In terms of risk to your computer’s data, connecting to the Internet is the most dangerous activity in which you can engage.

Malicious software, sometimes called malware, has become a familiar form of computer attack. Viruses, worms and “Trojan horses” are among the most common forms of malware that your computer security must protect against.

SPEEDBAR
➤ If your computer is attached to a network, you need to make sure that network is protected by a firewall.
business partner.” Every entity with which you share information electronically is an extension of your practice, whether you want them to be or not.

9. Demand that your vendors fully understand the HIPAA security standards. As you become better informed about computer security and the HIPAA security standards, you will realize the extent to which compliance makes you dependent on hardware, software, network and other information technology (IT) vendors. Their products and services, whether out-of-the-box computer hardware or hands-on-in-the-office IT services, will enable you to meet many of the security standards – or not.

A good example is the requirement for audit controls. Audit controls that permit you to record and examine activity in information systems can require a combination of hardware, software, network and procedural mechanisms to act in concert. If these components have been purchased from separate vendors, it might be necessary to coordinate their setup and configuration to meet the audit control requirement of the HIPAA security standards. Who will perform this coordination in your office?

work more closely with the vendor to ensure that all the facets of your computer system satisfy your practice’s HIPAA security plan. Some EHR vendors will even help you do a gap analysis as part of their purchase program. But because most EHR vendors don’t install the hardware and networking components, your choice of a local contractor for these services should be made with HIPAA in mind. Be certain that your local contractor is fully aware of the HIPAA security standards and is willing to assist you before you proceed.

10. Start with a plan – and the end – in mind. My hope is that after reading to this point you have a much better idea of the breadth and scope of the HIPAA security standards, and that you are better prepared to tackle the task of assessing your practice’s current state of computer security. There are some excellent tools that can assist you in performing a gap analysis for this purpose without having to hire a consultant. (One place to start is the Needs Assessment page on the CHiT Web site, available at http://www.centerforhit.org/x69.xml.) Remember that there is no cookbook or one-size-fits-all approach for computer security. What counts is being “reasonable

SPEEDBAR
➤ The integration offered by some EHRs can simplify your practice’s effort to comply with the HIPAA security standards.
➤ Some EHR vendors will help you do a gap analysis.
➤ If you are thinking about converting to an EHR, be sure that your hardware and networking contractor is aware of the HIPAA standards before proceeding.