How Do You Know if HIPAA Applies to You?
The regulations define the “covered entities” - those that must comply - to be:
-Healthcare providers (hospitals, doctor offices)
-Health plans (insurers, HMOs, group health plans)
-Healthcare clearinghouses (service organizations that submit claims for providers)
Even if you are not one of these organizations, you still may be required to comply with HIPAA. If one of the covered entities does business with another organization, then that “business associate” is required to have the same level of security as the covered entity. The reason is that security is only as good as the weakest link. If a highly secure organization sends health data to a business associate with weak security, then the security of that data may be compromised. The FAQ section of the Department of Health and Human Services web site goes on to state that a business associate of a business associate has the same duty of compliance to the covered entity as the primary business associate! The reach is far.
There are businesses that conduct business with covered entities that are not required to comply with HIPAA. For instance, if you are a housekeeping service that comes in and mops the floors at a covered entity, then you are not a business associate as defined by the regulations. The standard for whether you are a business associate or not is that you transmit individually identifiable health care information. If you do not deal with healthcare information, or if the health information is not individually identifiable, then you do not fall under the regulations.
A medical research organization that only receives statistical medical data with no personally identifiable fields would not have to comply.
Since the HIPAA regulations are so new, it is not yet clear exactly how far the reach will be. There are some consultants who believe that HIPAA will eventually reach out into most human resources departments because employee files may contain health information. Self-insured corporations may have a greater need to be compliant. The claims processor is a covered entity, and therefore the self-insured corporation would be a business associate of the claims processor. At a minimum, to the extent that individually identifiable health data is transmitted to the self-insured organization, that process must be secure to HIPAA standards.
What Do You Have to Do to Comply?
HIPAA has several components. The part of the regulations that pertains to business continuity is the “Administrative Procedures”. The bulk of the Administrative Procedures are concerned about protecting access to personal health information. Your security officer will be responsible for implementing these portions. You, the business continuity planner, will be responsible for the part of the regulations that demand that healthcare information be “available.” The following list contains the minimum requirements:
-You must conduct an “applications and data criticality analysis” (business impact analysis).
-You must have a data backup plan.
-You must have an emergency response plan.
-You must have a contingency plan.
-You must be able to recover applications and data in a reasonable amount of time.
-You must have a plan testing and revision program.
No particular recovery technology is required. No set recovery time objective or recovery scope objective is demanded. Your strategy and your plan simply must be reasonable for your organization. I expect that over the next several years de facto standards will arise.
If you think your organization falls under the HIPAA regulations, meet with your security officer to discuss an action plan. One of the first projects required is a gap analysis. Your current security and business continuity policies and practices must be measured against the standards in the regulations. The result will be a HIPAA implementation plan to fill in the gaps and move toward full compliance before the deadline.
How Long Do You Have to Comply with HIPAA?
The start of the implementation period will probably be this year (before December 2001). Most organizations have two years, until 2003 to implement compliance. Some smaller organizations have three years, until 2004. So, by the time you read this the starting gun will be ready to fire.
The deadline for completing your HIPAA security and disaster recovery plan is already set in federal regulations.
What About Enforcement?
The Office of Civil Rights is given authority to enforce HIPAA. But, there will be no government auditors checking your HIPAA program. There is no HIPAA police. You must follow the necessary steps to become compliant, and then you simply self-certify that your organization is in compliance. The enforcement comes in several indirect ways.
First, your attorney will be writing your self-certification statement. She will not put her name on the statement unless she is satisfied that your organization is indeed compliant. Your own lawyer will be your first auditor.
Second, before you can conduct healthcare-related business with a covered entity or a business associate, your organization will be required to sign a Chain of Trust Agreement. This ensures that there is no weak link in the transmission of healthcare data from one organization to another. In the Chain of Trust Agreement you will make a legally binding statement that you are in compliance. No corporate executive will sign such an agreement unless they are confident in their HIPAA compliance.
Once the requests for Chain of Trust agreements start flying between organizations the completion of a business impact analysis and business continuity plan will become a top priority. There is a risk of lost revenue because a covered entity will no longer do business with you.
The third inducement for compliance is that the government sets civil and criminal penalties for non-compliance. Civil fines can be up to $25,000 per calendar year per each provision that is violated. The maximum criminal penalty is 10 years in prison and a $250,000 fine. The criminal penalties are greatest for willful noncompliance or an attempt to sell health information for personal gain. Those news stories of hackers breaking into computer systems will now be followed with news stories of fines levied against the organization that was hacked.
What Does HIPAA Mean to You?
From the point of view of the top executives of your organization there will be a good reason to combine security and disaster recovery into one HIPAA Compliance Department. To the executive this is one big, expensive problem. They will want one person to deal with. That one person will be given the title Privacy Officer, and they will be tasked with ensuring compliance. A significant amount of this person’s time will be taken with giving HIPAA training classes to his organization. Every single employee, without exception, must be trained at least once a year. If you are a good consultant (more business-oriented than technical-oriented), and have a good relationship with your CIO, then you are in line for this position. If you have a strong security officer, they are likely to get this position, and you may end up reporting to them.
The upshot is that we are entering a new age for business continuity planners. Once, the budget for your planning projects could always be put off to next year. Now (at least for the healthcare industry) there is an immutable deadline, just like Y2K. But,Y2K went away after about 24 hours. HIPAA is here to stay.
For More Information About HIPAA
There is a wealth of information available on the web. Use any search engine and type in “hipaa security”. Google.com provides many hits. However, dogpile.com will find additional sites that google.com does not find. A full copy of the regulation is available at http://aspe.hhs.gov/admnsimp/. The file is very large.
The North Carolina Healthcare Information and Communications Alliance (www.nchica.org), a privately funded, nonprofit organization that promotes the advancement and integration of information technology into the healthcare industry, has released EarlyView™ a HIPAA Gap Analysis tool based on Microsoft Access 97 Version 7 SR2. The tool has over 500 audit questions and a variety of reports. It should help you speed up the gap analysis significantly.
The tool can be downloaded for $250 by nonmembers.
Reinhard Koch is Disaster Recovery Product Manager at Strategic Technologies, Inc. He has conducted over 40 recovery planning consulting engagements, and has personally been involved in three declared disasters requiring hotsite recoveries. He welcomes your comments at firstname.lastname@example.org.