A giant HIPAA: new guidelines reach far beyond health care industry - 2003 Technology & Business Resource Guide: Privacy Protection - Health Insurance Portability and Accountability Act
Susan Bradley
HIPAA. No, it's not a massive thick-skinned herbivore living in Africa. It's a 289-page rule that covers the handling of EPHI--electronic protected health information, or health information in electronic form.
The Health Insurance Portability and Accountability Act also provides patients with access to their medical records, control over how their health information is used and disclosed, and avenues of recourse if their medical privacy is compromised, among other privacy rights.
Larger firms had until April to comply with the act, while smaller firms, those with fewer than 50 people, have until April 2006.
The act is aimed at the health care field, but any business handling confidential client information should follow the regulations. Further, CPAs can use their skills in understanding and examining information flows within organizations, as well as assessing internal controls and processes for the systems that contain information.
While the act (www.cms.hhs.gov/regulations/hipaa/cms0003-5/0049f-econ-ofr-212-03.pdf) deals with privacy, it does not contain specific actions to take. HIPAA was designed to be flexible, allowing companies to select technologies and processes that are most appropriate to them.
SAFEGUARDS
There are three safeguards to keep in mind: administrative, physical and technical.
Administrative safeguards ensure that day-to-day operations involving private patient data are documented, managed and controlled. An individual must be assigned responsibility for the security of this information. Employees who handle the information must be trained so that private data is handled correctly at all times, not just during audits.
Next, the rules require policies detailing who has access to the data, who properly authorizes that access and the levels of appropriate access. The security plan should further document emergency procedures needed if systems containing this private information are damaged. When third-party vendors are used to process and handle data, their procedures must follow HIPAA guidelines.
These safeguards need to be periodically reviewed to ensure they are in compliance. Reviews should discuss sources of threats, ranging from internal users to the public; probability of exploitation; the impact of the exposure; and recommended actions to fix the problems. The report should reflect the true risks and include analytical insight from experts, not just a reliance on audit tools.
Physical safeguards include securing access to information systems as well as to the buildings that house them. Ensuring that the firm has documented natural hazards, as well as technical hazards (unauthorized intrusions), is key. Access to workstations, servers and network utility rooms should be reviewed. Again, the emphasis is on limiting access and approving it explicitly.
Also necessary is documentation of how the hardware that contains this private information is handled: for example, ensuring that hard drives are properly erased before they are removed from the office.
Technical safeguards include using technology to protect and control access to private data. Access controls must be put in place to ensure that only authorized people can reach stored data. Can you record the activity in information systems that contain this private data? A key part of HIPAA is that activity involving that data is recorded and the records are retained. Furthermore, you must be able to prove the integrity of that data, that is, that it has not been altered or destroyed without authorization.
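As an added illustration that is not part of the article, the three technical safeguards named above (access control, activity recording and integrity) in one small Python record store; the roles, the record layout and the integrity key are assumptions, and the key is a placeholder:

```python
import hashlib
import hmac
import json
import time

# Placeholder integrity key (assumption; a real deployment would use a managed secret)
INTEGRITY_KEY = b"placeholder-key-replace-in-production"

# Access control: which assumed roles may read or update EPHI (not from the article)
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "billing": {"read"},
    "receptionist": set(),
}


class EphiStore:
    """Patient records with three technical safeguards: a role check on every
    access, an append-only audit trail of every attempt (allowed or denied),
    and an HMAC tag per record so tampering with stored data is detected."""

    def __init__(self):
        self.records = {}    # patient_id -> {"data": ..., "tag": ...}
        self.audit_log = []  # append-only list of access events

    def _tag(self, patient_id, data):
        payload = json.dumps({"id": patient_id, "data": data}, sort_keys=True).encode()
        return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()

    def _audit(self, user, role, action, patient_id, allowed):
        self.audit_log.append({"ts": time.time(), "user": user, "role": role,
                               "action": action, "patient": patient_id, "allowed": allowed})

    def update(self, user, role, patient_id, data):
        allowed = "update" in ROLE_PERMISSIONS.get(role, set())
        self._audit(user, role, "update", patient_id, allowed)  # log before deciding
        if not allowed:
            raise PermissionError(f"role {role!r} may not update EPHI")
        self.records[patient_id] = {"data": data, "tag": self._tag(patient_id, data)}

    def read(self, user, role, patient_id):
        allowed = "read" in ROLE_PERMISSIONS.get(role, set())
        self._audit(user, role, "read", patient_id, allowed)
        if not allowed:
            raise PermissionError(f"role {role!r} may not read EPHI")
        rec = self.records[patient_id]
        # Integrity check: refuse to return data whose tag no longer matches its contents
        if not hmac.compare_digest(rec["tag"], self._tag(patient_id, rec["data"])):
            raise ValueError(f"integrity check failed for record {patient_id}")
        return rec["data"]
```

Denied attempts are logged as well as granted ones, which is what a reviewer will look for when reconstructing who tried to reach a record.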
A firm covered by these HIPAA regulations must maintain this documentation for six years from the date of its creation or the date it was last in effect, whichever is later. This documentation must be reviewed, revised and updated to ensure that the private electronic medical data is kept confidential, maintains integrity and is available when needed.
TRICKLE-DOWN THEORY
While the regulations only cover health care providers, there are signs that every firm needs to follow the same thought process when handling confidential data. A recent California law, for example, requires all firms that house private information to inform their clients if that information is disclosed in a security breach.
It's only a matter of time before HIPAA guidelines trickle down and are required for all firms handling confidential private data. Ask yourself these questions: Do you have documented policies and procedures in place to assure the proper handling of confidential data? Do they include handling instructions for old hard drives? Plans for disasters? Do you perform periodic evaluations of your practices?
Review the HIPAA regulations--even if you are not a health care organization. It's a best practices guideline for us all.
Susan Bradley, CPA, CITP, MCP, GSEC is a partner with Tamiyasu, Smith, Horn & Braun in Fresno. You can reach her at sbradley@tshb.com.
COPYRIGHT 2003 California Society of Certified Public Accountants
COPYRIGHT 2003 Gale Group