News You Can Use
A monthly update on current trends, technologies and services affecting your world.
In the News
HIPAA and its Impact
HIPAA Compliance Strategies for Health Care Providers

INTRODUCTION
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. It has two distinct titles: Title I is devoted to protecting workers from losing health insurance coverage when they change or lose their jobs. Title II requires the establishment of national standards for electronic health care transactions and for the security and privacy of health care data handled by electronic means.

It is Title II that most concerns electronic record keepers. The Security Rule that took effect in April 2003 demanded certain technical and physical safeguards. The law dictates that security standards be put into place that help to prevent and detect security events and allow for the correction of HIPAA security violations.

Since HIPAA has been around for a number of years, most health care providers are familiar with its requirements. However, changing business realities as well as the fast-paced technological landscape necessitate that a repeatable compliance process be in place. This cycle should repeat every 2-3 years, or sooner as business realities change.

First Step: Review, Audit and Analyze
Organizations should conduct a structured audit and subsequent risk analysis so that vulnerabilities and possible risks can be evaluated. This helps to understand not only how protected health information (PHI) can be compromised, but also the potential cost of such a compromise. Areas to be analyzed should include applications, workstations, server and network resources, physical configurations, user credential and access policies, data backup, and business practices. With this information, business leaders can determine an appropriate level of investment for their HIPAA compliance program.

Second Step: Establish or Adjust Policies/Procedures
The second step is to take the information from step one and formulate policies and procedures to prevent PHI from being compromised. Such policies might include password change requirements, decisions about employee access to programs and information and about which supervisors/IT personnel can modify access to records, logging of all patient data access, and retention policies. Procedures may cover instructions on data interchange with other providers, techniques to ensure patients do not accidentally interact, and doing test restores and rotating data off-site as part of a backup and recovery plan. Other decisions to be made relate to incident response: identifying security breaches and how to respond to such incidents.

The number of areas to cover may be daunting. Engaging a company or consultant with HIPAA compliance experience may be necessary to meet audit requirements or, if doing it yourself, to provide an approach and guidance on areas to cover and to streamline audit and compliance efforts.

BEST PRACTICES
Organizations should assign a security analyst or security officer so that it is clear who is responsible for maintaining and enforcing the HIPAA standards within the organization. He or she may also manage the Audit/Analysis and Establishment/Adjustment processes of the two-step cycle described above, as well as ensure the quality of the standards.

Organizations should provide regular HIPAA training for all employees. Every individual in the organization, including management personnel, should receive regular HIPAA training updates. Training subjects could include employee awareness, password safeguarding and changing, workstation access, software use, virus and malware protection, and best practices related to business processes.

The security officer for the organization, along with management, should evaluate the effects of the training. Any incidents should be documented together with their outcomes, and the policies modified where the incident shows a need, to help prevent further incidents.

SUMMARY
Especially with the attention that the federal government is paying to health care, HIPAA and its associated provider responsibilities are here to stay. Once compliant, health care organizations should integrate HIPAA requirements into every critical business decision at the earliest point; this ensures that requirements are built into business solutions, not just “bolted on.” Ultimately this makes the process easier and eliminates expensive post-audit remediation or retooling efforts.
