Below is a general summary of recommended procedures for implementing the HIPAA requirements.
Implementation procedures for health care providers to become HIPAA compliant will vary among occupations and disciplines.
The purpose of this summary is to encourage a plan, promote information protection and good business practices, point out your responsibilities, and to provide standards and procedures for the management, protection, storage, recovery, restoration and re-distribution of health care information.
A complete information security program consists of policies, standards, training, technical and procedural controls, risk assessment, auditing and monitoring, and assigned responsibility for of the program. Information security policies are the basis for all other aspects of effective information security programs.
Computer-based patient records offer the potential for achieving much greater protection of health information over paper-based patient records and should be seriously considered as a standard operating procedure. However, to comply with HIPAA regulations and to ensure an appropriate and consistent level of information security for computer-based patient records, both with individual health care providers, and within group practice/organizations, and throughout the entire health care delivery system, formal information security programs must be established by every health care provider, practitioner or group practice/organization entrusted with health care information.
The first component of an information security program is information security policies which incorporate all HIPAA regulations and which are designed by the health care provider, practitioner or group practice/organization to meet HIPAA’s specific needs.
The Need for Security Policies
Patients entrust health care providers with their private health information. Most people believe and expect that the privacy, security and integrity of their health information will be preserved by all who use and maintain that information. Every health care provider, practitioner or group practice/organization which creates, uses, stores, and communicates health care information, has a legal and ethical responsibility to honor this trust.
Health care providers, practitioners or group practices/organizations are also required to protect sensitive and private records about physicians, nurses, staff members and employees, and other caregivers. These obligations and responsibilities to protect information must be considered and fulfill the implementation of HIPAA regulations.
The policies developed by health care providers, practitioners or group practices/organizations within the health care industry to protect the confidentiality, integrity, and availability of patient and administrative information is significantly influenced by their unique mission, culture, and management.
The foundation for a successful information security program are comprehensive information security policies. These policies must define every health care providers, practitioners or group practices/organizations philosophy and direction for the protection of information. The policies must be thoroughly documented and promulgated.
While the majority of the information maintained by health care providers, practitioners or group practices/organizations consists of patient records, they also maintain sensitive and valuable business records. The security, confidentiality, integrity, and availability of these business records must be protected to enable the continued successful functioning of the health care providers, practitioners or group practices/organizations. Therefore, the recommendations in this summary apply to all information created, maintained, and used by every health care provider, practitioner or group practice/organization utilizing paper or computer-based patient records.
The objectives of this summary are to:
- Encourage the facilitation of an effective system for complying with HIPAA requirements for data security, confidentiality, integrity, availability and privacy.
- Promote consistent protection of information for all health care providers, practitioners or group practices/organizations
- Communicate the responsibilities for the protection of information and foster information security awareness.
- Foster good business practices related to protecting health care information.
- Provide the basis for information security standards and procedures, and standards for the management, storage, recovery, restoration and re-distribution of health care information.
This summary is designed to be used primarily in the establishment of information security policies for all health care providers, practitioners or group practices/organizations implementing HIPAA requirements. While it may be helpful in specifying security controls, features, and functions, it is primarily intended to be used to define management policies. These management policies will form the basis for the development of the standards and procedures that dictate the specific security controls to be implemented.
Every health care provider, and small and medium size group practices in every discipline of health care with paper or computer-based patient records should develop information security policies. While, larger, multi-functional organizations with more diverse information needs may require more extensive policies than individuals and smaller organizations making more limited use of the information, basic information security policies are required for every health care provider and organization.
For maximum effectiveness in group practices, these policies should be issued at the highest level of the organization and should apply to all employees, independent contractors, and agents, and to all units of the organization. The policies should define the obligations for protection of information to be included in the agreements with all payers, contractors, vendors, accreditation organizations, and all other outside agencies who will be granted access to the information owned by, or in the custody of, the organization.
Policies should be established for the release and use of information for providing patient care, protecting the public health, ensuring quality of care, managing the organization, supporting research activities, paying for care, obtaining insurance coverage, and any other purpose.
Because the security of the information maintained on computer-based patient record systems is partially dependent upon the security of information maintained in other forms, the information security policies should apply to all information owned by, or in the custody of, the individual practitioner or organization regardless of its form or storage media. The policies established by individuals and organizations should be applicable to all types of information used, including but not limited to:
- Patient health information
- Patient demographic information
- Patient financial information
- Research information
- Information about physicians, nurses, and other caregivers
- Peer review information
- Information about payers
- Business records including financial records, personnel records, practice patterns, quality assurance statistics, strategic plans, and similar information.
- Computer software
Relationship to Legal and Regulatory Requirements
The information security policies should specify your practice or organization’s complete policy for information protection. The policies should include all measures necessary for the organization to comply with all HIPAA regulatory requirements.
Distribution and Promulgation
The policies must be made available to all employees, professional staff members, faculty, students, volunteers, vendors, contractors, researchers, and others who may be granted access to information by the organization. All persons being granted access to the organizations information should formally acknowledge an understanding of the policies and make a formal written commitment to comply with those policies prior to being entrusted with access to the information. Provisions should be made for periodic review and renewal of these agreements.
The policies should not be confidential and may be made available to the public. Policies may be distributed via computer-based systems or as paper documents.
The following sections identify the topics for which the health care provider, practitioner or group practice/organization should consider developing policies. Individual policy statements addressing these subjects should be combined to comprise the contents of the organization’s information security policy document.
A. Philosophy for the Protection of Information
Each health care provider, practitioner or group practice/organization using a computer-based patent record system must define its philosophy for the protection of information. Although much of the information maintained represents patent information, most health care providers, practitioners or group practices/organizations also create and maintain business records. These business records are a primary asset and must be protected in a manner commensurate with their value. Therefore the philosophy statements for the protection of information should be applicable to all information created, collected, stored, and processed. This includes all information that is the property of the health care provider, practitioner or group practice/organization, the patient, caregivers, researchers, or any other party, and has been entrusted for use and safekeeping.
B. Patient Rights with Respect to Information Security
The policies should define how each health care provider, practitioner or group practice/organization will respect the rights of the patient with regard to information. In addition to the rights preserved by HIPAA regulatory law, health care providers, practitioners and group practices/organizations may wish to grant additional rights to the patient based on its mission and philosophy.
Areas for consideration in developing the policies are:
- Right to be informed of their rights. Responsibilities for implementing procedures for ensuring that the patient is informed of the policies related to patient information should be defined.
- Right to privacy. Relevant patient information may only be disclosed to those directly involved in the care of the patient, for the protection of the public health as provided by law, for the payment of services as authorized by the patient, to assist researchers as authorized by the patient, or for any other purposes required by law or authorized by the patient.
- Right to review information. Patients are entitled to know which information about them is in the possession of the health care provider, practitioner or group practice/organization and are entitled to review that information. Any category of information that may be withheld from the patient in accordance with the law should be defined in the policies.
- Right to clear and complete presentation of information. Policies related to making information from the computer-based patient record available to the patient in a clear, logical, understandable format should be developed. Any policies for presenting information in a format not maintained by the organization should be defined. Health care provider, practitioner or group practice/organization policies related to the costs associated with presentation of information should also be defined.
- Right to append correct information. Information cannot be deleted, but erroneous information can be marked as such and correct information appended. The rights of the patient to provide supplemental information or an appendix should also be defined.
- Right to block release of specific information. The patient’s rights to segment information and block the release of specific information should be clearly stated. The rights of the health care provider, practitioner or group practice/organization to identify and explain any consequences of such blockage should also be included.
- Right to notification of disclosure of information. The patient’s rights to know which individuals, organizations, and government agencies have authority to access, and have actually gained access to, specific information identified with the patient should be clearly defined in the policies.
- Right to protection of information released to third parties. The policy should define the commitment for protection required from a third party prior to the release of information to that organization. The policy may also specify the responsibility for monitoring these commitments.
- Right to integrity and availability. Records must be protected from unauthorized modification and destruction. The patient has the right to expect that the health care provider, practitioner or group practice/organization will take appropriate and reasonable precautions to protect the information from destruction by accident or vandalism, and by fire, flood, earthquake, or other disasters. Policies should require that provisions be made for the patient records to survive in the event of mergers, bankruptcy, catastrophic failures and similar events.
Protection of Caregiver Information
The health care provider, practitioner or group practice/organization policies should define how information related to caregivers is to be protected. Because caregivers may be employees, independent contractors, and agents of the organization, applicable good business practices and laws pertaining to employee records and contractual agreements should be considered in addition to the requirements for protecting health information. Areas for consideration include:
- Privacy. The caregivers’ personal privacy should be preserved. Relevant caregiver information may only be disclosed for the protection of the public health as provided by law, for any other purposes as required by law, or as authorized by the caregiver.
- Review of information. The caregiver is entitled to know which information about the caregiver is in the possession of the health care provider, practitioner or group practice/organization. Caregivers’ are also entitled to know which information they have a legal right to review. Caregivers should have the right to review information they have placed in the patient’s record.
- Clear and complete presentation of information. Information about the caregiver and patient information authorized to the caregiver should be made available in a clear, logical, understandable format.
- Appendment of corrected information. The caregivers’ rights to identify erroneous information and append correct information pertaining to their employment or contractual arrangements should be defined.
- Release of specific information. The caregiver may be granted the right to segment information and block the release of specific information where permitted by law.
- Notification of disclosure of information. The caregiver is entitled to know which individuals, organizations, and government agencies have authority to access and have actually gained access to information about the caregiver.
- Protection of information released to third parties. The policy should define the commitment for protection required from a third party prior to the release of information to that organization.
- Integrity and availability of records. Records must be protected from unauthorized modification and destruction. The caregiver has the right to expect that the health care provider, practitioner or group practice/organization protect the information from destruction by accident or vandalism, and by fire, flood, earthquake, or other disasters. Provisions must be made for the records to survive the organization in the event of closure, mergers, bankruptcy, catastrophic failure and similar events.
- Responsibility to protect information. The caregivers’ responsibility for the protection of the information to winch the caregiver has access should be stated.
The Privileges and Obligations of Researchers
Whether or not patient or caregiver identifiable information will be made available for research, and how that access to information will be authorized, should be included in the policies. The policies should define the role of the institutional review board with respect to information protection. Some of the topics to consider related to the use of computer-based patient record information for research are:
- Opportunities for access to information. Policies for granting access as authorized by the appropriate party or as permitted by law should be established.
- Obligation to protect the information. Researchers’ responsibilities to protect the information in their custody should be included in the policies. This includes information that may be removed from the health care provider, practitioner or group practice/organization’s premises. If researchers are authorized to release information, the policies should define researchers’ responsibilities to notify recipients of information of the protection requirements.
- The researchers expectation of accurate information. The policy for ensuring that researchers are made aware of the sources and the accuracy of information being provided should be considered.
- Right to control disclosure of information. The researcher or health care provider, practitioner or group practice/organization generally has the right to control which individuals and organizations have authority to access information resulting from the research provided the information does not identify specific patients or caregivers, and cannot readily be used to do so.
- Right to integrity and availability. Records must be protected from unauthorized modification and destruction. Within the provisions of any agreements with the organization, the researcher has the right to expect that the health care provider, practitioner or group practice/organization will protect the information from destruction as a result of accidents, vandalism, fire, flood, earthquake, catastrophic failure or other disasters. Provisions must be made for the records to survive the organization in the event of closure, mergers, bankruptcy, and similar events.
The Rights of Society
Although the requirements for release of some patient information are defined by HIPAA, health care providers, practitioners or group practices/organizations using the computer-based patient records should develop policies addressing the responsibilities and determining the methods of complying with these HIPAA regulations.
The health care provider, practitioner or group practice/organization policies related to complying withHIPAA for the release of patient, caregiver, and institutional information to public health authorities should be defined.
The policy for the release of information for criminal proceedings, and civil and administrative litigation should also be defined. The policies should state how the institution will resolve conflicts in the rights of the patient, the caregiver, and society.
Factors to consider in the release and sharing of information include:
- Which information may be released?
- To whom may information be released?
- Who authorizes release or is responsible for ensuring that the appropriate person has authorized release?
- Who is responsible for developing procedures for release
- What responsibility does the institution have regarding the protection of information it has released from its custody?
- Who is responsible for managing shared databases and networks?
Collection of Information
Each health care provider, practitioner or group practice/organization should define its policies for collection and authentication of information. The policy should specify who is responsible for determining which information is to be collected and retained. Responsibilities for the review of information collection policies and retention periods should be specified. Responsibilities and provisions for verifying the accuracy of information should be defined.
Retention and Destruction
Business and patient records must be readable and usable for the life span of the records. The policies should define the necessity and responsibility for developing procedures to ensure that the records are maintained and are accessible for the minimum lifetime of the record as required by law or by business and patient care requirements. Policies specifying the responsibilities for determining the time periods for retention should be included.
Policies to ensure that the health care provider, practitioner or group practice/organization provides for preservation of the records during the migration to new technologies are essential. Policies defining the responsibilities for destruction of information should be included.
Information Security Program
Every health care provider, practitioner or group practice/organization should, as a matter of policy, maintain a formal information security program. The responsibility for management of the program and the functions of the program should be described in the policy document.
Responsibilities for the periodic review and maintenance of the information security policies should be specified.
Accountability and Responsibilities
Specific responsibilities and accountability for information security should be defined in the policies. Factors to consider are:
- Licensed Professional/Owner/Health Care Provider/Organization responsibilities including recognizing the importance of information security, establishing policies, establishing the information security program, and authorizing funding.
- Owners/Partners/Managers/Security Officers responsibilities including ensuring appropriate contracts are in order with all vendors, service providers, contractors and temporary employees.
- Responsibility for reporting of violations.
- Responsibility for determining and administering discipline and penalties.
- Responsibility for assessing and accepting risk.
- Patient responsibilities.
Penalties and sanctions for failure to comply with the policies and to fulfill responsibilities should be specified.
Access to Information
Access to information should be defined as a matter of policy. Access should be limited to those entitled to access on the basis of a specific patient care, business need, or research requirement for access as authorized by the patient for patient information and as authorized by the caregiver for caregiver information. Access to patient-specific information, caregiver-specific information, and health care provider, practitioner or group practice/organization information by those with authority to protect the public health should be granted as provided by law, or to a greater extent, as authorized by the patient or caregiver.
Access to information for law enforcement, litigation, or other purposes not authorized by the patient or caregiver should be granted only to the extent required by law.
The health care provider, practitioner or group practice/organization should establish policies specifying that access to the health care provider, practitioner or group practice/organization business records will be based on assigned job responsibilities.
Responsibility for verifying the legitimacy of requests for access, granting access, and revoking access should be specified. The responsibilities for establishing procedures for resolving disagreements, and for actually resolving disagreements, related to access to information should be defined.
The extent and policy for enforcement of individual accountability for the creation, modification, deletion, or disclosure of information should be defined.
Classification of Information
- Information which may be made public.
- Information internal to the health care provider, practitioner or group practice/organization which may be disclosed to anyone within the organization.
- Information that must be protected from disclosure to anyone other than those specifically authorized access to the information by job function.
- Information that may be disclosed only to certain identified individuals and for which a record of disclosure is maintained.
Records of Access
The policy of the health care provider, practitioner or group practice/organization to maintain records of access to information should be defined. Policies should specify in general how long records of access should be maintained and who is responsible for determining which records of access must be preserved. The policies should also be applicable to third parties who have access to the health care provider, practitioner or group practice/organization information or to which information has been released.
Disaster Recovery/Business Resumption Plan
This policy should specify the health care providers, practitioners or group practice/organizations requirement for developing and maintaining business resumption plans to ensure that the information remains available for use in the event of a natural disaster, vandalism, system failure or catastrophic failure. The policy should define the responsibility for developing, maintaining, and testing the plans, and define responsibilities for actual recovery.
Information Security Awareness Training
The policies should define a formal information security awareness-training program to be established by the health care provider, practitioner or group practice/organization. Responsibilities for determining training requirements and conducting training should be defined. The content, frequency of training, and specific training programs and material should be defined in the health care providers, practitioners or group practice/organizations information security standards. Policies for documentation of attendance at training sessions should be established.
Suggested Method for Policy Development
Information security policy development should be accomplished as a formal project, fully sanctioned, and supported by senior management. The following are recommended steps for policy development:
Responsibilities and objectives for monitoring of the information security program and for auditing for compliance with the information security policies, standards, and procedures should be specified in the policy document.
- Establish a formal, fully funded project to develop the policies.
- Assign responsibility for the project and appoint an information security manager.
- Use the topics in this summary as the basis for writing policy statements.
- Submit the proposed policies to the health care providers, practitioners or group practice/organizations legal counsel for review.
- Submit the draft policies to the management and owners of the health care provider, practitioner or group practice/organization for review.