pril 20, 2005, is the deadline for compliance with the Security Rule, part of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Security Rule is a much easier proposition than either the Privacy Rule or the Transactions and Code Sets Standards. Your practice management and information technology staff have probably done what is necessary to make you compliant already — but let us make certain.

Protecting the security of electronically stored and transmitted information is not just a HIPAA mandate, it is good practice, period. The Security Rule mandates preservation of the confidentiality, integrity and availability of electronic protected health information (e-PHI), breaches of any of which could cause difficulties for the anesthesiology group. Imagine discovering that the patient information on which you depend has been altered or destroyed by a computer virus or in another unauthorized manner.

Without security there is no guarantee of privacy. That is why your Privacy Rule activities have likely satisfied some of the Security Rule standards, too. For example the Privacy Rule states that you must “reasonably safeguard” PHI from intentional or unintentional disclosures for improper purposes. That is one of the standards of the Security Rule as well. One major difference between the two is that the Privacy Rule applies to all forms of PHI: verbal or paper as well as electronic. The Security Rule only covers e-PHI.

The goal of this article is to give ASA members enough information that they can feel comfortable in delegating responsibility for compliance, not to spell out the 18 standards or 36 “Implementation Specifications” of the Security Rule. Anesthesiology group leadership should know that the rule is intended to be flexible, “scalable” and technology-neutral. Each group’s security program should be based on that group’s risk level and should be proportionate to the risks. Size, complexity and capabilities of the practice are all relevant in choosing how to satisfy the specific standards. As stated by the Workgroup on Electronic Information (WEDI), “Don’t build a $5,000 fence for a $3,000 horse.” WEDI does spell out the standards and how they can be met in a free monograph that should be in your possession. It is titled “Small Practice Security Implementation White Paper” and is available at <www.wedi.com>.

Information for the Anesthesiology Group’s CEO or COO
The Security Rule requires “covered entities, which include all physician practices that transmit or store patient information electronically, to adopt safeguards to protect the privacy of protected health information [PHI].” One of the first standards mandates the designation of one person as the security official. This could be an anesthesiologist or the practice administrator, and in smaller anesthesiology groups, it might easily be the same individual who serves as the privacy official.

The security official is responsible for developing and implementing the policies and procedures required by the rule. By now, this individual will undoubtedly have conducted the requisite risk assessment and gap analysis, identified and prioritized measures to reduce vulnerabilities and developed a budget to manage risks. Between now and April 20, the security official, together with the practice administrator and information systems vendor, should complete any outstanding steps among those outlined in Table 1.

To make those steps more meaningful, those ultimately responsible for the practice’s compliance need to understand the basic anatomy of the Security Rule. There is a hierarchy consisting of three types of safeguards that the practice must put in place: administrative, physical and technical, and their associated standards and implementation specifications. Each implementation specification is either “required” or “addressable.” The term “required” is self-explanatory. “Addressable” means that the security official will assess whether the specification is reasonable and appropriate for the practice and either implement it or not, documenting the decision. “Addressable,” it should be noted, does not mean “optional.”

Administrative safeguards include:

Physical safeguards include:

Technical safeguards include:

The Security Rule is fairly prescriptive with respect to documentation. In addition to policies and procedures, it requires the documentation of the rationale for many of the practice’s security decisions and for specific events such as security incidents and their outcomes.

Finally, what are the risks of noncompliance? Although the statute refers to “ensuring” protection for e-PHI, the Centers for Medicare & Medicaid Services (CMS) acknowledged in the introduction to the security regulations that there is no such thing as a totally secure system. The regulations did not establish any particular penalties for breaches of security. Enforcement is going to be complaint-driven, and there is every indication that CMS’ attitude will be educational, not punitive, as has been the case with enforcement of the Privacy Rule.

The more realistic risks of noncompliance are the potential costs of losing patient data, finding your claims corrupted or having servers go down. The Security Rule is a roadmap for preventing such losses.

Source Material:

• Small Practice Implementation White Paper Version 2.0. Workgroup on Electronic Data Interchange/Strategic National Implementation Program. April 2004. <wedi.org/cmsUploads/pdfUpload/WhitePaper/pub/2004-04-20SmallPractice.pdf>.

• Security 101 for Covered Entities and other papers in CMS’ Security Series, <www.cms.hhs.gov/hipaa/hipaa2/education/Security%20101_Cleared.pdf>.

• HIPAA Security Rule Action Plan. Physicians EHR, <www.physiciansehr.com>.