Congress passed the Health Insurance Portability and Accountability Act in 1996 to simplify, and thereby reduce the cost of, the administration of health care. HIPAA does this by encouraging the use of electronic transactions between health care providers and payers, thereby reducing paperwork. Congress deemed that if the legislation was to encourage the electronic transmission of patient health information, there needed to be a means to protect the confidentiality of that information. The HIPAA Privacy Rule, which had a compliance date of April 14, 2003, is the first regulation to establish standards for the protection of patient health information. The Security Rule, with a compliance date of April 21, 2005, focuses specifically on standards to protect the confidentiality of electronically transmitted patient information.
State law, California's Confidentiality of Medical Information Act (CMIA), imposes requirements similar to the HIPAA Security Rule on all health care providers. This includes providers who do not conduct electronic transactions or undertake other activities that would designate them as HIPAA covered entities. Compliance with the HIPAA Security Rule makes compliance with the CMIA security provisions simple. The Office of Health Information Integrity (OHII) provides information about the law.
The state requires that if a dental office uses only electronic recordkeeping systems, the office must use an offsite backup storage system, an image mechanism that is able to copy signature documents, and a mechanism to ensure that once a record is input, it is unalterable. The dentist must develop and implement policies and procedures that include safeguards for confidentiality and against unauthorized access to electronically stored records, authentication by electronic signature keys, and systems maintenance. The electronic health record system must automatically record and preserve any change or deletion of electronically stored health information, and the record must include, among other things, the identity of the person who accessed and changed the information and the change that was made to the information.
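The audit-trail requirement in the paragraph above (every change or deletion recorded automatically, with who made it and what changed, and prior entries unalterable) is a well-understood engineering problem. The following is an added illustration written for this page; it is not code from the article, from any state regulation, or from a practice-management vendor. It keeps a small record store alongside an append-only, SHA-256 hash-chained change log: each entry carries the user identity, the record and field touched, the old and new values, and the hash of the previous entry, so altering, removing or reordering any past entry is detected by `verify_log()`. The patient, user and field names are constructed sample data.

```python
"""Tamper-evident change log for electronically stored dental records.

Added illustration, not code from the original article, any regulation or any
vendor product. Patient, user and field names are constructed sample data.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    seq: int                   # position in the log; must be contiguous
    timestamp: str             # UTC ISO-8601 string supplied by the clock
    user_id: str               # authenticated identity of who made the change
    record_id: str             # which patient record was touched
    action: str                # "create", "update" or "delete"
    field_name: Optional[str]  # None for whole-record actions (delete)
    old_value: Any
    new_value: Any
    prev_hash: str             # entry_hash of the previous entry (chain link)
    entry_hash: str            # SHA-256 over every field above


def _digest(payload: Dict[str, Any]) -> str:
    # Canonical JSON so identical content always hashes identically.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class PatientRecordStore:
    GENESIS = "0" * 64  # prev_hash used by the very first entry

    def __init__(self, clock: Optional[Callable[[], str]] = None) -> None:
        self._records: Dict[str, Dict[str, Any]] = {}
        self._log: List[AuditEntry] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _append(self, user_id, record_id, action, field_name, old, new) -> None:
        # Entries are only ever appended; nothing here overwrites an old entry.
        prev_hash = self._log[-1].entry_hash if self._log else self.GENESIS
        body = {
            "seq": len(self._log), "timestamp": self._clock(), "user_id": user_id,
            "record_id": record_id, "action": action, "field_name": field_name,
            "old_value": old, "new_value": new, "prev_hash": prev_hash,
        }
        self._log.append(AuditEntry(entry_hash=_digest(body), **body))

    def create(self, user_id: str, record_id: str, data: Dict[str, Any]) -> None:
        if record_id in self._records:
            raise KeyError(f"record {record_id} already exists")
        self._records[record_id] = dict(data)
        for name, value in data.items():
            self._append(user_id, record_id, "create", name, None, value)

    def update(self, user_id: str, record_id: str, field_name: str, new_value: Any) -> None:
        record = self._records[record_id]
        old_value = record.get(field_name)
        if old_value == new_value:
            return  # nothing changed, so nothing to record
        record[field_name] = new_value
        self._append(user_id, record_id, "update", field_name, old_value, new_value)

    def delete(self, user_id: str, record_id: str) -> None:
        # The deleted content is preserved in the log, so the deletion is reviewable.
        record = self._records.pop(record_id)
        self._append(user_id, record_id, "delete", None, record, None)

    def history(self, record_id: str) -> List[AuditEntry]:
        return [e for e in self._log if e.record_id == record_id]

    def verify_log(self) -> bool:
        """Recompute every hash; False if any entry was altered, removed or reordered."""
        prev_hash = self.GENESIS
        for position, entry in enumerate(self._log):
            body = asdict(entry)
            stored_hash = body.pop("entry_hash")
            if entry.seq != position or entry.prev_hash != prev_hash or _digest(body) != stored_hash:
                return False
            prev_hash = stored_hash
        return True


def demo_tamper_detection():
    """Build a small log, then alter one past entry and show that verification fails."""
    store = PatientRecordStore(clock=lambda: "2024-01-15T09:30:00+00:00")
    store.create("dr_lee", "PT-0001", {"tooth_14": "caries noted"})
    store.update("dr_lee", "PT-0001", "tooth_14", "composite restoration placed")
    store.delete("office_mgr", "PT-0001")
    before = store.verify_log()
    # Simulate an after-the-fact edit of a recorded change, which is exactly
    # what the requirement is meant to make detectable.
    store._log[1] = replace(store._log[1], new_value="no treatment")
    after = store.verify_log()
    return before, after


if __name__ == "__main__":
    print(demo_tamper_detection())  # (True, False)
```

The chain makes the log tamper-evident rather than tamper-proof: anyone who can rewrite the whole log can also recompute the hashes. In practice the log is therefore written to storage the application cannot modify (append-only or write-once media, a separate logging host) and included in the offsite backups the same requirement calls for, so that a copy outside the attacker's reach exists to verify against.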
Implementation of the HIPAA Privacy Rule requirements is eased by the flexibility of the regulatory standard within the rule. The Privacy Rule compliance standards for regulated entities (i.e., health care providers who conduct certain transactions electronically) include reasonable measures to protect the confidentiality of patient information. What constitutes reasonable measures for a particular practice is largely determined by such things as the size of the practice, the physical layout of the office, how patient information is used and conveyed within the practice, and even such factors as cost. What might be a reasonable measure to protect patient information within a hospital setting is going to be different from a reasonable measure in a dental practice with one or two dentists. Measures that are reasonably necessary for a hospital to protect against the unauthorized release of patient information are likely going to be unreasonable for a small private practice.
The standard of compliance for the Security Rule is the same: the regulated entity must install reasonable measures to secure patient information. What are reasonable security measures for a large entity like a hospital are likely to be unreasonable for a small entity like a private dental practice. There is also some overlap between the requirements of the Privacy Rule and the Security Rule, meaning that what a dental practice did to comply with the Privacy Rule ensures that the practice is already in partial compliance with the Security Rule.
There are differences between the concepts of privacy and security, however. Privacy deals with what might be termed “leakage” of protected personal health information. Such leakage occurs and can be controlled by how patient files are used, how they are moved through the office during the day, and whether they are ever left in a place where they might be accessible to other patients. Leakage also deals with where conversations take place with patients about their oral health condition, discussions about recommended treatment of their condition, and conversations about how they will be paying for that treatment. Obviously, such conversations should not take place in the office waiting room or reception area, or within earshot of other patients.
Whereas the Privacy Rule protects against leakage of protected information, the Security Rule deals with unauthorized invasion of confidential patient records or interception of electronic transmissions. The scope of the rule addresses the protection of patient information that has been electronically created or stored. In this regard, the Security Rule does not address patient information that is in a written document or communicated orally. The focus of the Security Rule is on matters such as protecting against hackers breaching a computer network’s firewall, intercepting viruses that are attached to emails, using passwords to ensure only authorized access to electronically stored patient information, protecting electronic transmissions of patient information against interception, and the like.
Passage of the 2009 federal economic stimulus package included the Health Information Technology for Economic and Clinical Health Act (HITECH), which contains several modifications to HIPAA guidance and regulations. The new act expands the responsibility of covered entities and business associates in securing the privacy of health information.
HITECH mandates that business associates comply with the HIPAA Security Rule and makes them subject to the same civil and criminal penalties as covered entities. Previously, business associates were only contractually obligated to comply with HIPAA through agreements with covered entities. For information on business associates and business associate agreements, refer to the resource HIPAA Business Associate Agreement.
In complying with the HIPAA Security Rule, covered entities and business associates should begin by recognizing three basic elements:
Covered entities and business associates must comply with the Security Rule standards, which are categorized as administrative safeguards, physical safeguards, and technical safeguards. Essentially, administrative safeguards involve documented, formal practices to manage the selection and implementation of security measures; physical safeguards control physical access to information systems, including at times when there is a loss of power or a natural disaster; and technical safeguards involve processes that protect and monitor information access, and protect data that is transmitted over a network.
Many of the compliance standards include implementation specifications. The implementation specifications are either “required” or “addressable.” Required specifications must be implemented. Addressable specifications should be implemented if the business, after it conducts its risk analysis, deems the specification reasonable, appropriate and applicable. Where there is no implementation specification for a standard, compliance with the standard itself is required.
Many of these safeguards have been added to current versions of practice management software. Dental offices should contact their practice management software vendors to inquire about the development and availability of upgraded versions that are compliant with HIPAA’s Security Rule. Also, be aware that the security standards were written to be technology neutral, that is, use of specific technologies is not mandated so that entities are not bound by systems or software that may become obsolete.
Through its enforcement actions and audits, the U.S. Department of Health and Human Services (HHS) has identified the lack of a risk analysis, or an incomplete one, as a key factor in the failure of covered entities to adequately safeguard information. A risk analysis is a required administrative safeguard. It is intended to be an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity. “Risk” is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact. “Vulnerability” is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally or intentionally) and result in a security breach or violation of security policy. Covered entities must evaluate the risk levels and, for high-risk items, describe how the risk is mitigated or how it will be managed.
The ADA Practical Guide to HIPAA Compliance (2013) includes a dental practice-specific risk assessment tool. Also, HHS offers a risk assessment tool online. The link to the tool is listed under Resources below. Be sure to read the user’s guide and watch the videos that accompany the tool in order to understand the scope of work required.
It bears repeating that HIPAA allows covered entities flexibility in reasonably and appropriately implementing safeguards. The regulation states:
§ 164.306 Security standards: General rules.
For further information on the Security Rule, or other HIPAA requirements, contact CDA Practice Support, 800.232.7645, or [email protected]