CONTACT: Rob Karn
PHONE: 919.821.9192
DATE: 2.28.2005

HIPAA Security: Just the FAQs for Protecting Your Medical Practice
By J. David Kirby, CISSP, CHPS


Spring is arriving, and so is the compliance date for the HIPAA Security Regulation: April 20, 2005. The Security Rule requires that covered entities, such as the typical medical practice, have a program for seeing to it that the practice is protected from disclosure, corruption, and loss of availability of patient information in its computer systems.

While you probably aren’t eager to see the bright side of any new regulation, the good news about the HIPAA Security Rule is that it brings an industry-standard set of protective security measures to the attention of medical practices at a time when they are becoming more vulnerable to problems with their information systems.

The arrival of this new Rule may have fallen below your radar or you may have confused the Security Rule with the HIPAA Privacy Rule and thought that you had already addressed it. So, if you are just becoming aware of this new regulation, here are a few FAQs to get you started.

1. If I have a Practice Management system, how does the HIPAA security regulation apply, since we still file all our claims on paper?

If you “file” claims by sending them on paper to a billing service that, in turn, sends electronic versions to insurers, then you are still covered by HIPAA. Since you are covered by the Security Rule, its set of standard security practices applies to how you protect patient data on your PM system and on any other electronic systems that you operate.


2. Will my IT vendor or internal IT person be able to figure out what I need to do to meet HIPAA security regulations?

Most of the Rule’s requirements are not technical; they are administrative and physical. So, use your IT service provider as a teammate, but don’t depend on him or her to make you compliant.

3. We are a small medical practice, and our practice manager has set up our computer network of three computers and a printer, plus a high-speed internet connection, which we use to file claims with Medicare and 4 insurance companies. Does a group as small as ours need to worry about HIPAA security?

You are covered by the Rule and, given your setup, you have a clear set of information risks to manage. So, be afraid, be very afraid ;-) Seriously, you have some work to do.

4. Do I need to encrypt emails to my patients?

The Rule requires that you use encryption “when appropriate”. Is encrypting emails to your patients appropriate? Normal email has a privacy level similar to a postcard sent through the US Mail. If the patient you are working with is OK with this level of privacy and you are comfortable as well, you might be able to defend not encrypting such email.

On the other hand, the barriers to encrypting email are not high and are getting lower. For small medical providers, some email vendors even provide a free encrypting service today, so cost can’t be much of an issue.

So, you may decide not to encrypt email now, but you will likely find it harder to defend not encrypting email later.

5. If I do nothing to secure my computers, what can happen?

One, your risk of an embarrassing, costly security incident increases; this is bad for business.

Two, you will be non-compliant with the HIPAA Security Regulation, and you may be fined. CMS’s enforcement will likely be complaint driven. So who will complain? How about disgruntled employees, your competition, or the plaintiff’s attorney of one of your more worried patients?

6. We have been operating our Practice Management software on a Windows 98 platform. If I upgrade the operating system to Windows XP, does it have enough security?

It sure would help, but neither XP nor any technology alone will make you secure or compliant. What matters is how good a job you do of assessing and addressing your information security risks.


7. I use a billing service that is a small company. They say they meet HIPAA security regulations. I am not sure they have really done anything. What can I ask to prove they are meeting the standard?

Make sure that the clauses the new Security Rule requires are in your Business Associate contract with your billing service.

Try getting an analysis from them of how their security policies match up with the HIPAA Security Rule. If they can’t do this easily, then they are not likely compliant. If they can, they are more likely to be compliant. In any case, you have taken an appropriate step to manage risk, and that is what is at the heart of the HIPAA Security Rule.


8. I want to work on patient charts from home. Does this open my system to hackers?

Yep! Key protections in this case include:
- Use encryption and authentication for your sessions from home. Most remote control packages support this.
- Open up your firewall only to you.
- Protect your home PC like you do your HIPAA-covered office PC.
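The second bullet, “open up your firewall only to you”, is the one that is easy to get wrong in practice. The PowerShell below is an added example, not something from this article or from the HIPAA Security Tool Kit; it assumes a modern Windows host with the NetSecurity firewall cmdlets (the XP-era firewall the article’s readers had used a different, netsh-based syntax), uses Remote Desktop’s port 3389 as a stand-in for whatever remote-control product you run, and uses 203.0.113.10 (a reserved documentation address) as a placeholder for your home address. It shows the over-broad rule commented out beside the restricted one, then a check that finds any inbound rule on that port still open to everyone.

```powershell
# Added example, not code from the article. Assumes Windows 8 / Server 2012 or
# later (NetSecurity module). Port 3389 and 203.0.113.10 are placeholders for
# your own remote-access product's port and your own home address.

$RemotePort  = 3389
$HomeAddress = '203.0.113.10'

# Weak setting (left commented out so this script does not create it): the
# remote-access port is reachable from any address on the Internet.
# New-NetFirewallRule -DisplayName 'Remote access (weak: any source)' `
#     -Direction Inbound -Protocol TCP -LocalPort $RemotePort `
#     -RemoteAddress Any -Action Allow

# Corrected setting: the same port, reachable only from the one address you
# connect from. This is what "open up your firewall only to you" means.
New-NetFirewallRule -DisplayName 'Remote access (home address only)' `
    -Direction Inbound -Protocol TCP -LocalPort $RemotePort `
    -RemoteAddress $HomeAddress -Action Allow

# Check: list every enabled inbound allow rule for that port whose remote
# scope is still 'Any', so an over-broad rule can be found and tightened.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        (($_ | Get-NetFirewallPortFilter).LocalPort -contains "$RemotePort") -and
        (($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any')
    } |
    Select-Object DisplayName, Enabled
```

If your home connection does not have a fixed address, a single-address rule will not hold; the usual answer is to put a VPN in front of the remote-control session (which also covers the first bullet, encryption and authentication) and restrict the firewall to the VPN instead of to the control port directly.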

David Kirby is the lead author of the HIPAA Security Tool Kit™ for small medical practices. www.simplifiedtraining.com.
