The HIPAA Security Rule: 7 Steps for the Next 7 Weeks

In a little less than two months, the next major regulation under HIPAA takes effect – the HIPAA Security Rule. The Security Rule deals with the protection of electronic protected health information (e-PHI). Any PHI in electronic form – whether merely being stored electronically or when being transmitted – must be safeguarded in accordance with the new regulations. And, of course, what would a HIPAA regulation be without an onslaught of new forms, policies and training requirements? There are many new forms and policies you must implement, as well as new training requirements for your staff, in time for the April 20th compliance deadline.

If you are a covered entity under the HIPAA Privacy Rule, you’re also a covered entity under the HIPAA Security Rule. Even if your organization uses paper PCRs (patient care reports), you still quite likely have to worry about the HIPAA Security Rule. For instance, many ambulance services enter their PCR information into billing software for electronic claims filing, or use a billing service that performs this task on their behalf. In either case, the resulting data is still the ambulance service’s e-PHI.

Here are seven steps to take to achieve compliance in the remaining seven weeks before the HIPAA Security Rule compliance deadline:

1. Appoint an “Information Security Officer.” Just as with the Privacy Rule, the HIPAA Security Rule requires every covered entity to appoint someone to oversee the organization’s compliance with the regulations. While your Information Security Officer can be the same person as your Privacy Officer, you must formally designate someone to have overall responsibility for your Security Rule compliance. This person should get up to speed on the Security Rule as quickly as possible and help your organization “take the bull by the horns” in the remaining seven weeks to achieve compliance.

2. Conduct a Security Risk Assessment. Effective security compliance begins with an assessment of the risks and vulnerabilities to the confidentiality, integrity and availability of your e-PHI. A security risk assessment doesn’t have to be complicated – it can simply be a matter of reviewing your computer security, your password practices, your data handling practices, backup capabilities and related issues. You can also engage an outside information technology consultant to assist your organization in this task. Regardless of the method you employ, the security risk assessment is the critical initial step in achieving compliance with the HIPAA Security Rule.

3. Implement Security Risk Management Measures. Once you identify the risks and vulnerabilities to your organization’s e-PHI, implement measures to address and manage those risks. Again, this doesn’t have to be a complex process. Security risk management can include things as simple as putting locks on the doors to your computer server room and implementing a user password system. Your security measures must address the administrative, physical and technical safeguards required by the Security Rule. Administrative safeguards deal with things like implementing new forms and policies, providing personnel training and related tasks. Physical safeguards address issues such as securing your building, restricting access to computers and workstations only to those with a legitimate job-related need for access, and implementing data backup and storage security. Technical safeguards deal with topics such as passwords and unique user identification, automatic logoffs when computers or workstations are inactive for a certain period of time, and related issues.

4. Implement New Policies and Forms. The HIPAA Security Rule requires a significant number of new forms and policies to achieve compliance. A few examples include password policies, computer hardware/software inventory, policies regarding granting and terminating access to PHI and e-PHI, computer incident reporting forms, workforce sanction policies for violations of security rules, disaster management/recovery of e-PHI, encryption and decryption, backups and contingency plans, and many more.

5. Update Your Business Associate Agreements. The Security Rule requires that you have a written agreement in place with any person or entity that handles e-PHI on your behalf. Examples include billing companies, outside medical directors, claim consultants or others. Although you may already have a business associate agreement in place under the Privacy Rule, the Security Rule contains some new provisions that must be reflected in your agreements whenever your business associate also handles your e-PHI.

6. Conduct Your Required HIPAA Security Training. The Security Rule, like the Privacy Rule, requires that you train your workforce (which includes paid and volunteer staff, field providers, administrative personnel, managers and supervisors and all other personnel in your organization) regarding your organization’s security policies and practices. This training must be accomplished before the April 20, 2005 compliance deadline. You must also provide “periodic updates” to your workforce regarding your organization’s security compliance. Remember, under the Privacy Rule, you must also train all members of your workforce in HIPAA privacy. There is a continuing obligation to ensure that new personnel who enter your organization receive HIPAA training within a reasonable time of joining your organization. HIPAA does not specify a particular manner, curriculum or length of time for this training – you can accomplish this in many ways.

7. Check Your State Law. Finally, remember that state laws that are more stringent than HIPAA still apply. Therefore, when it comes to HIPAA compliance, one size does not fit all. Your organization’s HIPAA compliance must also reflect applicable state laws and regulations. Make sure you don’t overlook this critical component of compliance.

Once you implement your HIPAA security compliance measures, remember to monitor your compliance, and periodically revise and update your security practices as necessary. HIPAA security is not a static concept – new threats and vulnerabilities to e-PHI emerge every day, and you must strive to stay on top of security needs as time marches on.

April 20th will be here before you know it, but a concerted effort to achieve compliance in the remaining weeks can bring your organization into compliance with the HIPAA Security Rule.

Courtesy of Page, Wolfberg & Wirth, LLC.