A few years ago, you put together policies and procedures to comply with the HIPAA privacy rules. At that point, you probably hoped that you were done! Unfortunately, HIPAA also has a set of security rules. For an employer that sponsors a small health plan (one with less than $5 million in annual claims/premiums), the compliance deadline is April 20, 2006. While some of the issues you addressed with the privacy rules (such as the location of computer monitors) also address security rule requirements, there is not that much overlap. The bottom line is, you're going to have go through another round of HIPAA compliance.
Unlike the privacy rules, which apply to protected health information (PHI) in all forms, the security rules only apply to electronic forms of PHI. The rules set forth security goals that your system must meet, but leave it up to you to determine how best to achieve those goals. This gives you a great deal of flexibility in how to implement the security rules, but also means that there is no standard solution that applies to everyone. Here are some steps you may want to follow as you work to comply with the security rules:
- Appoint a Security Officer who is ultimately responsible for your compliance with the HIPAA security rules.
- Form a committee that includes individuals with detailed knowledge of your computer systems and of your operations that involve PHI.
- Evaluate the electronic PHI on your computer systems (e.g., where PHI is stored, where it is transmitted, who has access and for what purpose, etc.)
- Conduct a risk analysis of your system, identifying the vulnerabilities in the system and the consequences if the security, integrity or access to your system is compromised.
- Evaluate the security measures that you currently follow to address these risks and determine whether they are adequate or if additional measures are required.
- Develop an implementation plan to address risks, identifying which risks will be addressed immediately, which risks will be addressed in the future, and which risks you will tolerate.
- Evaluate your current security policies and procedures and update them to reflect the HIPAA security standards.
- Identify any business associates who have receive, create, or otherwise have access to your electronic PHI and make sure that you have a business associate agreement in place that requires them to implement appropriate security measures on their computer systems.
- Train your employees on your updated security policies and procedures.
The Department of Health and Human Services (DHHS) recently released final regulations describing how it will go about assessing civil monetary penalties for HIPAA violations. The good news is that DHHS plans to continue to work with health plans and other HIPAA covered entities to reach voluntary compliance without assessments. But when the Department believes it is not getting any cooperation or that voluntary compliance will not result in a satisfactory outcome, it will assess a penalty. And in appropriate circumstances, it will refer matters to the Department of Justice for criminal investigations.
Under HIPAA, the civil penalties are $100 per day per violation, up to a maximum of $25,000 per year per violation. (Keep in mind that if you do have a HIPAA problem, you may very well be violating more than one provision.) A violation involving knowingly wrongful disclosure of protected health information can be a criminal violation, punishable by imprisonment for up to 10 years and a fine of up to $250,000.
If you have any questions about the HIPAA security rules, or any other HIPAA issues, please call Norbert F. Kugele of Warner Norcross & Judd LLP at (616) 752-2186.
* * *
Norbert K. Kugele, is a partner with Warner Norcross & Judd LLP and he focuses his practice in areas of employee benefits and privacy, particularly with respect to health records and privacy issues relating to the Internet. He also counsels clients on computer, copyright, and e-commerce and intellectual property litigation. Norbert may be reached in the Grand Rapids office at 616.752.2186. Warner Norcross & Judd is a full-service law firm with offices in Grand Rapids, Holland, Metro Detroit and Muskegon. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice.