How you can comply with HIPAA's new security rules

October 6, 2003

Lawyer tells pharmacists how to comply with HIPAA's security regulations


GOVERNMENT and LAW

While the Health Insurance Portability & Accountability Act's privacy regulations have attracted considerable publicity, the new law's security requirements (Drug Topics, May 19) have received little fanfare. Yet complying with the eclipsed security standards involves more of an undertaking than meeting the privacy regs.

So even though the compliance deadline for security—April 21, 2005—is still 18 months away, pharmacies should not put this initiative on the back burner but rather get started on meeting its requirements today.

That advice came from Michael D. Bell, a lawyer with Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, Washington, D.C., who spoke at the recent National Association of Chain Drug Stores pharmacy and technology conference in Philadelphia. Bell gave attendees many suggestions on how to comply with the new security rules.

According to Bell, the impetus for many pharmacies to address security now is that they're rolling out new technologies for e-commerce and e-prescribing. Bell believes pharmacies should not move forward on these activities without first taking a look at the security requirements, which are designed to protect the integrity, confidentiality, and availability of protected health information (PHI) transmitted by electronic media. Don't look upon the security rules as a regulatory burden, he advised, but as an opportunity to rethink your e-health strategies.

The security standards are inextricably linked with the privacy rules, Bell told the audience. The security provisions require many of the same things as the privacy rules, from appointing a security officer to training employees on the subject. But, unlike privacy, the security mandate is far more technology-intensive, which has led some pharmacists to mistakenly believe that the new requirements are solely an IT issue.

Disabusing pharmacists of this notion, Bell said that complying with the security rules reaches beyond a pharmacy's computers and telecommunications equipment. Pharmacies have to implement not just technical but also administrative and physical measures—in short, all parts of their organization would be affected.

Establishing administrative safeguards involves measures such as running a background check before hiring an employee and collecting keys and other access devices from employees when they are terminated. Physical safeguards include steps such as requiring visitors to put on a badge and sign in before entering the facility. Finally, technical safeguards entail requiring passwords, encryption, and digital signatures to protect e-PHI.

According to Bell, many technology vendors view the security mandate as another Y2K—i.e., an opportunity to sell their services—and the measures some companies have proposed have bordered on overkill. He urged attendees to make sure that what's proposed is appropriate for their organization. He thinks there's no need for pharmacies to procure "the latest and greatest in technology." At the same time, they shouldn't use outdated technology. The best course is to stay at least in the middle of the pack. He added that the longer pharmacies wait to select a technology vendor, the higher their fees would probably be.

When deciding which security safeguards to implement, pharmacies should consider their size, complexity, technical infrastructure, the cost involved, and other factors. What's appropriate for one organization might not be a good fit for another. Not everyone is bound to use the same method. And the security rules are very flexible in that they don't decree what measures covered entities should take. Instead, "how you do it is up to you," Bell said.

For those who flout the law, the Department of Health & Human Services can impose civil penalties of $100 per violation, up to a maximum of $25,000. Fortunately, the Centers for Medicare & Medicaid Services, which enforces the HIPAA security rules, has made known that it will not aggressively seek out covered entities that are noncompliant. Instead, based on complaints it receives, CMS will follow up with covered entities and ask them for a corrective action plan. Only when no plan is forthcoming would CMS refer these cases to the Office of Inspector General or the Department of Justice.

Summing up, Bell urged pharmacies to understand the rules, perform a gap analysis to find out what their weaknesses are, plan strategy, start implementation, test what they have implemented, and make changes accordingly. "The earlier you start, the better off you will be," he concluded.

Judy Chi


Judy Chi. How you can comply with HIPAA’s new security rules. Drug Topics Oct. 6, 2003;147:88.