DISASTER RECOVERY JOURNAL
P. O. Box 510110, St. Louis, MO 63151
Phone: (314) 894-0276, Fax: (314) 894-7474
www.drj.com, drj@drj.com
Publisher & Editor-in-Chief: Richard L. Arnold, CBCP
HIPAA Contingency Planning and the HIPAA Security Rule
By Angelo F. Cardona, CBCP
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides for the continuation of health insurance coverage to employees for a period of time, prior to their enrollment in a plan with a new employer.
It also provides for the privacy of personal healthcare information and for its security against unauthorized access. As those who currently work in the healthcare industry know, privacy and confidentiality are very important, and now they are formally protected under the HIPAA Administrative Simplification Compliance Act (ASCA). It covers transactions and code sets, privacy, and security. It is the security rule of HIPAA that includes contingency planning as a requirement for compliance.
Security Rule
The latest rule published under HIPAA is titled, “Health Insurance
Reform: Security Standards.” It was published in the Federal Register
on Feb. 20, 2003 and became law on April 21, 2003. This is a very important
date for hospital administration and contingency planners because it
starts the clock for compliance. Failure to comply with HIPAA regulations
exposes healthcare institutions to fines, civil and criminal penalties
enforceable by the Office of Civil Rights (OCR).
According to the published security rule, “Covered entities, with
the exception of small health plans, must comply with the requirements
of this final rule 24 months after the effective date of this regulation.
Small plans must comply with the requirements of this rule by 36 months
after the effective date of the regulation.”
So, the clock is already running.
What Are Covered Entities and What Must They Do?
Covered entities are defined in the rule as “…healthcare
providers, healthcare clearinghouses, health plans, and other healthcare
institutions, must protect the integrity, confidentiality and availability
of electronic protected health information or PHI that they collect,
maintain, use or transmit.”
Why Do We Need These Regulations Now?
According to the published security rule, “Currently, no standard
measures exist in the health care industry that address all aspects
of the security of electronic health information while it is being stored
or during the exchange of that information between entities.”
Required vs. Addressable
The contingency planning standard of the security rule is composed of what the regulators call implementation specifications. Each is further identified as either “required” or “addressable.”
Originally, all the implementation specifications were required. However, some (testing and application criticality) were later re-categorized as “addressable” to allow covered entities to determine whether they are already in compliance and can document how the standard is being met.
Experienced contingency planning professionals understand that testing and application data criticality analysis are required to protect the business. Consequently, their first challenge is going to be convincing management that even “addressable” standards must be met. They can refer to the following quote from the Security Standards:
“In this final rule, we adopt both
‘required’ and ‘addressable’ implementation
specifications. We introduce the concept of ‘addressable implementation
specifications’ to provide covered entities additional flexibility
with respect to compliance with the security standards.
In all cases, the covered entity must meet the standards….”
Covered entities vary in size and scope of operations. Some may be small institutions with limited healthcare practices and consequently limited funding capabilities, while others may be large institutions or healthcare providers with more flexibility to absorb the costs associated with regulatory compliance. In order to be sensitive to these and other constraints, the security regulations allow for non-implementation of an addressable specification if the covered entity determines it to be inappropriate and/or unreasonable, and documents an alternative to the specification that also meets the standard.
Let’s take a look at the five implementation specifications for contingency planning featured in pages [271-272] of the security rule. Later I will discuss how the rule relates to contingency planning.
Security Standard – Administrative Safeguards
(§ 164.308(a)(7)(i)) Standard: Contingency plan
Establish (and implement as needed) policies and procedures for responding
to an emergency or other occurrence (for example, fire, vandalism, system
failure, and natural disaster) that damages systems that contain electronic
protected health information.
(ii) Implementation specifications:
(A) Data backup plan (Required).
Establish and implement procedures to create and maintain retrievable
exact copies of electronic protected health information.
(B) Disaster recovery plan (Required).
Establish (and implement as needed) procedures to restore any loss of
data.
(C) Emergency mode operation plan (Required).
Establish (and implement as needed) procedures to enable continuation
of critical business processes for protection of the security of electronic
protected health information while operating in emergency mode.
(D) Testing and revision procedures (Addressable).
Implement procedures for periodic testing and revision of contingency
plans.
(E) Applications and data criticality analysis (Addressable).
Assess the relative criticality of specific applications and data in
support of other contingency plan components.
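Specification (A) asks for “retrievable exact copies” of electronic PHI and specification (D) asks for periodic testing of the plan. The following Python script is an added example, not code from the article or from any HIPAA guidance; it shows one concrete check that serves both: a per-file SHA-256 manifest written at backup time and re-verified after a test restore, so that a truncated or missing file in the restored copy is detected rather than discovered during a real emergency. The directory layout, file names and record contents are constructed for the demonstration.

```python
"""Added example: verifying that a backup is a retrievable exact copy.

A per-file hash manifest is written when the backup is taken and checked
again after a test restore. Everything here (paths, file names, record
contents) is constructed for the demonstration; it is not code from the
article or from any HIPAA guidance.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large record sets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> {size, sha256} for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def backup(source: Path, dest: Path) -> Path:
    """Copy source to dest and write the manifest next to (not inside) the copy."""
    shutil.copytree(source, dest, dirs_exist_ok=True)
    manifest_path = dest.with_name(dest.name + ".manifest.json")
    manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
    return manifest_path


def verify_restore(restored: Path, manifest_path: Path) -> list:
    """Return a list of problems; an empty list means an exact copy was restored.

    Every file in the manifest must be present with a matching hash, and
    files absent from the manifest are reported too, since the copy is
    then no longer "exact".
    """
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    problems = []
    for rel, meta in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel]["sha256"] != meta["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple:
    """Back up a constructed record set, verify a clean restore, then a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "ehr"
        (src / "labs").mkdir(parents=True)
        # Constructed sample records; no real PHI.
        (src / "labs" / "results.csv").write_text("patient_id,test,value\n1001,A1C,6.1\n")
        (src / "notes.txt").write_text("constructed sample record\n")

        manifest = backup(src, tmp / "backup")

        # Test restore (specification D): copy the backup to a fresh location and verify.
        shutil.copytree(tmp / "backup", tmp / "restore")
        clean = verify_restore(tmp / "restore", manifest)

        # Simulate a damaged backup medium: one file truncated, one file lost.
        (tmp / "restore" / "labs" / "results.csv").write_text("patient_id,test,value\n")
        (tmp / "restore" / "notes.txt").unlink()
        damaged = verify_restore(tmp / "restore", manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

Keeping the manifest beside the copy rather than inside it means the manifest itself can be stored and checked independently; in practice the manifest would be written to a separate location from the backup medium so that a single failed volume does not take both with it.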
Table of Specifications
As a guide to healthcare contingency planners charged with the task
of compliance with the new regulations, I have created a table outlining
the five key implementation specifications featured in the security
rule. On the left column of the table are the implementation specifications
and in the right column you will find my interpretation of the relevant
contingency planning activities. It is not meant to be a complete list,
but it will help demonstrate our due diligence to reach compliance.
What Do the HIPAA Security Regulations Mean to Contingency Planners?
Hopefully, the HIPAA security regulations will make it easier for healthcare
contingency planners to get the funding needed to meet the requirements
of the security standard.
If you are a contingency planner in the healthcare industry, you are
already aware of the many challenges affecting the implementation of
a complete business recovery program.
Funding, for example, is limited due to changes made by the federal government in the way it decides whether or not to pay healthcare claims.
Contingency planners across all industries are familiar with this challenge
and some have seen an improvement in funding because their industry
requires business continuity planning. For example, both the banking
industry and securities industry promote contingency planning.
What Is the Impact of HIPAA on the Healthcare Industry?
Although the ink is hardly dry on the Security Standards, healthcare industry watchdogs have already compared the effort needed for compliance to Y2K in terms of cost. This places an even greater burden on already strained IT budgets (sound familiar?).
Many healthcare systems are looking into “outsourcing” as
a way to control costs. However, the introduction of third party management
to run critical hospital applications further complicates HIPAA compliance
efforts, especially when you consider that not all information technology
is under the corporate IT umbrella. Many departments run their own mini-data
centers and server rooms that interface with the hospitals’ core
applications on the mainframe.
In closing, I think compliance with the contingency planning standards
of HIPAA can be achieved through teamwork, cooperation, support and
funding. Good luck!
My discussion here has been focused only on the contingency plan section
164.308(a)(7) of the HIPAA security standard. A matrix of the full set
of the Security Standards can be found in Appendix A to subpart C of
part 164 of the published Security Regulations.
Angelo Cardona, CBCP, is currently associate director of business recovery. He has more than 14 years’ experience in contingency planning and is a member of the Contingency Planning Exchange.
To comment on this article, go to 1603-06
at www.drj.com/feedback.
©Copyright
2003 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.