HIPAA Security and the Organizational Safeguards
By Jay Masci, PMP

In the last article, we covered the Security Rule
standards categories of administrative safeguards, physical
safeguards, and technical safeguards. These categories are included
in Security Rule final rules and regulations, Appendix A, Security
Standards Matrix. There are, however, some additional standards
that are not included in the Security Standards Matrix. Whether
this was an oversight by the US Department of Health & Human
Services (DHHS) or intentional, we may never know. Regardless, they
are standards that are required to be implemented.
So we will cover the "secret" standards that I have categorized
as the "organizational safeguard" standards, and as always, we will
go over each standard in detail and how it is going to affect your
O&P organization. So let's get started!
1. Organizational Requirements Standard
Business Associate Contracts or Other Arrangements
(Required)
Implementation specification: The
contract between a covered entity and a business associate must
provide that the business associate will:
(A) Implement administrative, physical, and technical safeguards
that reasonably and appropriately protect the confidentiality,
integrity, and availability of the electronic protected health
information (PHI) that it creates, receives, maintains, or transmits
on behalf of the covered entity, as required by the Security Rule;
(B) Ensure that any agent, including a subcontractor, to whom it
provides such information agrees to implement reasonable and
appropriate safeguards to protect it;
(C) Report to the covered entity any security incident of which it
becomes aware;
(D) Authorize termination of the contract by the covered entity, if
the covered entity determines that the business associate has
violated a material term of the contract.
What it means to your organization:
Your organization should update its business associate contract and
have all business associates sign the new agreement. You may also
want to consult with legal counsel on wording and your
organization's responsibility when it comes to state or other laws
that your organization has to comply with.
Requirements for Group Health Plans (Required)
Implementation specification: See the
Security Rule.
What it means to your organization: If
you are a group health plan, you will need to implement this
standard; otherwise it is of no consequence to your
organization.
2. Policies and Procedures and Documentation Requirements
Standard
This standard requires documenting policies and procedures for
the routine and non-routine receipt, manipulation, storage,
dissemination, transmission, and/or disposal of electronic PHI. It
also states that this documentation should be reviewed and updated
periodically.
Policies and Procedures (Required)
Implementation specification:
Implement reasonable and appropriate policies and procedures to
comply with the standards, implementation specifications, or other
requirements of the Security Rule.
What it means to your organization:
You must document your organization's policies and procedures to
comply with the required or addressable standards. When deciding on
your organization's policies or procedures, you should consider the
following factors:
(1) The size, complexity, and capabilities of your organization;
(2) Your organization's technical structure, hardware, and software
security capabilities;
(3) The costs of security measures;
(4) The probability and criticality of potential risks to
electronic PHI.
Documentation (Required)
Implementation specification: Maintain
the policies and procedures implemented to comply with the Security
Rule in written (which may be electronic) form; retain the
documentation required for six years from the date of its creation
or the date when it last was in effect, whichever is later; make
documentation available to those persons responsible for
implementing the procedures to which the documentation pertains;
review documentation periodically and update as needed, in response
to environmental or operational changes affecting the security of
the electronic PHI.
What it means to your organization:
Your organization will need written documentation of all of your
security policies and procedures; retain and update them as
required.
3. Compliance Dates (Required)
Implementation specification: A
covered healthcare provider must comply with the applicable
requirements of the Security Rule no later than April 20, 2005.
What it means to your organization:
Your organization has until April 20, 2005, to document and
implement all of your security policies and procedures. That is
less than a year and a half away! My recommendation is that you get
started now, as this is much more time-consuming and requires more
planning than the Privacy Rule.
In the next article, we will look at some "frequently asked
questions" concerning the Security Rule and hopefully shine
additional light on what is actually required for your O&P
organization.
While all information in this article is believed to be correct
at the time of writing, this article is informational only and does
not constitute the rendering of legal, financial, or other
professional advice or recommendations by Provaliant or individual
members. If you require legal advice, you should consult with an
attorney.

Jay Masci, PMP, is the principal consultant of Provaliant, a
company providing IT consulting services, including HIPAA compliance
and customized training. Visit www.provaliant.com or contact
Provaliant at 480.952.0656.

April 2004