It’s gut check time for CIOs and IT managers of companies that keep patient information on their networks.

The Department of Health and Human Services (DHHS) issued its final ruling on the security provisions of the Health Insurance Portability and Accountability Act (HIPAA) in February and those regulations went into effect on April 21st. All organizations that store or transmit health information about a patient have two years from this date to comply with the specifications, except for small health plans that enjoy a one-year reprieve.

According to healthcare consultant Gary Nakashian, the security rule “refers to methods and technology used to protect that information from accidental or intentional misuse.” The technology focus distinguishes the security rule from its more publicized companion ruling on privacy that focused on giving patients access rights to their health records and keeping those records private.

Compliance with the security rule lands squarely on the shoulders of people responsible for ensuring the “confidentiality, integrity and availability of electronic protected health information” on company networks — CIOs and IT managers. Ever since HIPAA was enacted businesses covered by the act, so called “covered entities”, have dreaded the cost and inconvenience of implementing the many mandated requirements of the security ruling.

NCHICA offers help

Fortunately, help is on the way. The North Carolina Healthcare Information and Communications Alliance (NCHICA) has just released an updated version of its HIPAA EarlyView• Security tool (HEVs 2.0) that helps covered entities determine how they stand on compliance with the HIPAA security rule. NCHICA has earned a reputation within the healthcare industry for its pioneering work on standards and initiatives to improve the communication of healthcare information between providers, payers and other entities. When DHHS issued its proposed security rule in 1998 NCHICA took an early lead in developing a diagnostic tool, HEVs 1.1. That software tool presented 521 questions to determine what a covered entity had to do to meet the comprehensive scope of the administrative, technical and physical safeguards in the proposed security rule. The detail and scope of HEVS 1.1 won accolades from industry experts but highlighted the sweep and breadth of HIPAA security requirements.

DHHS responded to the numerous comments from the healthcare industry about the proposed rule’s cost and inflexibility by taking a more reasonable approach with the final rule. Holt Anderson, NCHICA’s Executive Director, notes, “The final rule is technology neutral, permitting the covered entity to select the technology most appropriate to their environment.” Rather than specify that all covered entities have to implement a particular technology or procedure, such as adopting biometric identification, the final rule concentrates more on the end result, verifying “that a person seeking a health record is the one claimed.”

There are far fewer specifications in the final rule but a much greater emphasis on risk analysis by the covered entity. Many of the rule’s specifications are now “addressable” instead of “required”.

Jim Murphy, who headed NCHICA’s HEVS 2.0 task force, explains that under the final rule “organizations have a choice to implement or not, but requiring that the ultimate decision be documented based on the original risk analysis.” Enterprises that keep electronic patient information should not misinterpret the intent of HIPAA security. Addressable specifications can only be waived after the covered entity evaluates and documents the risks to confidentiality, integrity and availability versus the costs and reasonableness of implementing a new technology or procedure.

When the final rule was published, NCHICA formed a task force to update the HEVs tool according to the new mandates. NCHICA drew experts and volunteers with diverse backgrounds and experience to “gain a better understanding of the rule and share knowledge of security and data protection issues.”

Over the course of three months the task force “discussed, vetted, tested and delivered” version 2.0. NCHICA made a deliberate decision to stay true to the HIPAA requirements rather than load the tool with a lot of sensible but unnecessary questions. The updated tool pares the number of questions back to 165 but greatly expands the section on “Things To Think About” that helps clarify the meaning and purpose of the new standards. Murphy states that HEVs 2.0 helps a covered entity to evaluate its existing security processes and “see what is missing and what then needs to be done.”

Gary Nakashian adds that NCHICA’s tool “will assist by providing key management reports to cut to the chase–and accelerate the decision-making process.”

A ‘necessary evil’?

Despite the scaled back number of questions the NCHICA HEVs 2.0 tool delves into many areas of network management from contingency planning to the physical security of the servers. No doubt many healthcare enterprises will view the HIPAA security “as a necessary evil because there are no visible or immediate returns on investment.”

However, CIOs of financial institutions or companies that run mission critical networking applications might view the security rule’s requirements for passwords, backup procedures and audit controls as sensible business practice or normal due diligence. Therein lies a clue to DHHS’s motivation for the security requirements — to improve the ability of covered entities to safely exchange health care data across networks.

Anderson summed up this point, “DHHS views the security and privacy rules as basic to the continuity of healthcare operations.” In the short run, covered entities need to move forward with compliance by evaluating their current gaps in network security while keeping an eye to the future when electronic protected healthcare information can flow freely and securely between healthcare enterprises to provide critical information at the point of care.

HEVs 2.0 can be ordered from NCHICA online at: