HIPAA Security Rule Looming and It's Not Just a Tech Issue

Employee Health Plans and HIPAA: Security Rule Compliance Is Not Just For Techies

Nashville Business Journal

Administering employee health plans is complicated by two rules designed to protect plan participants' health information: the HIPAA Privacy Rule and the HIPAA Security Rule. Compliance with the Privacy Rule was required by April 2004. Compliance with the Security Rule will be required for large plans by April 2005. To comply with the Privacy Rule, most plans drew upon the skills of employees from a variety of disciplines, such as operations, finance, compliance, legal and information systems. To comply with the Security Rule, however, some plans are relying solely on their information technology professionals. While the requirements of the Security Rule are generally more technical than those of the Privacy Rule, compliance with the Security Rule is not just for techies; it also requires input from, at a minimum, risk management and compliance professionals.

The Security Rule requires plans to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity and availability of individually identifiable health information. Unlike the Privacy Rule, however, the Security Rule protects health information only if it is stored or transmitted in electronic media ("electronic protected health information" or "EPHI"). Examples of electronic media include hard drives, magnetic or optical disks, or the Internet. The kinds of safeguards that plans must implement to protect EPHI may include encryption, workstations that automatically log off after a period of inactivity, access audit mechanisms and restrictions on physical access to information systems.

Given these technical requirements, plan sponsors may be tempted to leave compliance entirely to information technology professionals. But technological expertise alone is insufficient to achieve compliance. Security Rule compliance also requires the skills of risk management and compliance professionals.

Risk management is a critical component of Security Rule compliance. Entities covered by the Security Rule (from small health plans to large health systems) are so varied in terms of their existing technology, resources and relative risk that it is impossible to dictate specific solutions usable by all covered entities. Accordingly, the Security Rule requires each plan to individually assess the potential risks and vulnerabilities to its EPHI. Based on that assessment, the plan must implement security measures sufficient to reduce those risks and vulnerabilities to reasonable and appropriate levels, taking into consideration the plan's size and existing technology, the cost of security measures, and the criticality and probability of potential risks.

In addition, plans do not have to implement certain measures included in the Security Rule (called "addressable implementation specifications") that plan sponsors determine to be unreasonable or inappropriate. Instead, the plan must document why the measure is not reasonable and appropriate and, where possible, implement a reasonable and appropriate alternative measure. While the input of an information technology professional is critical in conducting the risk analysis and evaluating the Security Rule's addressable implementation specifications, risk management professionals are better suited to analyzing the criticality of threats, allocating resources in response to those threats, and, most importantly, producing the documentation necessary to demonstrate compliance with these requirements.

While the administrative and physical requirements of the Security Rule have a technological component, compliance professionals, who are more familiar with the rules in their totality, may be more reliable in satisfying those requirements. For example, policies and procedures that address the manner in which required safeguards shall be put into place must be prepared and implemented. Those who are responsible for administration of the plan must be trained in the proper handling of EPHI. Plan documents and contracts with certain service providers to the plan, which were amended for compliance with the Privacy Rule, must be amended again to provide for the protection of EPHI according to the Security Rule.

With so much to do, plan sponsors should take steps now toward compliance with the Security Rule by April 2005. Compliance with requirements as far-reaching as the Security Rule will necessitate the input of experts in risk management, administrative compliance, information technology and possibly other areas. The time to bring together this group of professionals is now.