What Are Covered Entities And What Must They Do?
Covered entities are defined in the rule as “…healthcare providers, healthcare clearinghouses, health plans, and other healthcare institutions, must protect the integrity, confidentiality and availability of electronic protected health information or PHI that they collect, maintain, use or transmit.”
Why Do We Need These Regulations Now?
According to the published security rule, “Currently, no standard measures exist in the health care industry that address all aspects of the security of electronic health information while it is being stored or during the exchange of that information between entities.”
Required vs Addressable
The contingency planning standard of the security rule is composed of what the regulators call implementation specifications. Each is further identified as either “required” or “addressable.” Originally, all the implementation specifications were required. However, some (testing and application criticality) were later re-categorized as “addressable” to allow covered entities to determine whether they are already in compliance and to document how the standard is being met.
Experienced contingency planning professionals understand that testing and application data criticality analysis are required to protect the business. Consequently, their first challenge is going to be convincing management that even “addressable” standards must be met. They can refer to the following quote from the Security Standards:
“In this final rule, we adopt both ‘required’ and ‘addressable’ implementation specifications. We introduce the concept of ‘addressable implementation specifications’ to provide covered entities additional flexibility with respect to compliance with the security standards.
In all cases, the covered entity must meet the standards….”
Covered entities vary in size and scope of operations. Some may be small institutions with limited healthcare practices and consequently limited funding capabilities, while others may be large institutions or health care providers with more flexibility to absorb the costs associated with regulatory compliance. In order to be sensitive to these and other constraints, the security regulations allow for non-implementation of an addressable specification if the covered entity determines it to be inappropriate and/or unreasonable, and an alternative to the specification that also meets the standard can be documented.
Let’s take a look at the five implementation specifications for contingency planning featured in pages [271-272] of the security rule. Later I will discuss how the rule relates to contingency planning.
Security Standard
Standard: Contingency plan
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
(ii) Implementation specifications:
(A) Data backup plan (Required).
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
(B) Disaster recovery plan (Required).
Establish (and implement as needed) procedures to restore any loss of data.
(C) Emergency mode operation plan (Required).
Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
(D) Testing and revision procedures (Addressable).
Implement procedures for periodic testing and revision of contingency plans.
(E) Applications and data criticality analysis (Addressable).
Assess the relative criticality of specific applications and data in support of other contingency plan components.
Table of Specifications
As a guide to healthcare contingency planners charged with the task of compliance with the new regulations, I have created a table outlining the five key implementation specifications featured in the security rule. In the left column of the table are the implementation specifications, and in the right column you will find my interpretation of the relevant contingency planning activities. It is not meant to be a complete list, but it will help demonstrate our due diligence in reaching compliance.
What Do The HIPAA Security Regulations Mean To Contingency Planners?
Hopefully, the HIPAA security regulations will make it easier for healthcare contingency planners to get the funding needed to meet the requirements of the security standard.
If you are a contingency planner in the healthcare industry, you are already aware of the many challenges affecting the implementation of a complete business recovery program.
Funding, for example, is limited due to changes made by the federal government in the way it decides whether or not to pay healthcare claims.
Contingency planners across all industries are familiar with this challenge and some have seen an improvement in funding because their industry requires business continuity planning. For example, both the banking industry and securities industry promote contingency planning.
What Is The Impact Of HIPAA On The Healthcare Industry?
Although the ink is hardly dry on the Security Standards, healthcare industry watchdogs have already compared the effort needed for compliance to Y2K in terms of cost. This places an even greater burden on already strained IT budgets (sound familiar?).
Many healthcare systems are looking into “outsourcing” as a way to control costs. However, the introduction of third-party management to run critical hospital applications further complicates HIPAA compliance efforts, especially when you consider that not all information technology is under the corporate IT umbrella. Many departments run their own mini-data centers and server rooms that interface with the hospital’s core applications on the mainframe.
In closing, I think compliance with the contingency planning standards of HIPAA can be achieved through teamwork, cooperation, support and funding. Good luck!
My discussion here has been focused only on the contingency plan section 164.308(a)(7) of the HIPAA security standard. A matrix of the full set of the Security Standards can be found in Appendix A to subpart C of part 164 of the published Security Regulations.
Angelo Cardona, CBCP, is currently associate director of business recovery. He has more than 14 years experience in contingency planning and is a member of the Contingency Planning Exchange.