HITECH Compliance - Are you Ready?

On February 18, 2009, President Obama signed the Health Information Technology for Economic and Clinical Health (HITECH) Act.  Among other things, this health information technology legislation improves and expands current Federal privacy and security protections for health information.


One important intent of the law (among many) is to ensure that new entities not contemplated when the Federal privacy rules were written, as well as those entities that do work on behalf of providers and insurers (called "business associates"), are subject to the same privacy and security rules as providers and health insurers.  


Because of the HITECH Act, law firms that handle health-related information are now bound by the same HIPAA security and privacy guidelines as healthcare providers, including penalties for data security breaches and/or non-compliance with Federal regulations.  The new guidelines go into effect in February 2010.


The laws are varied and complex and will take time (and resources) to implement, so the time to get started is now. Contrary to popular belief, this is not just an IT issue.  About 30% of the rules apply to the security of electronic protected health information ("ePHI").  The remaining rules apply to administrative and/or facilities safeguards, policies, and employee training/awareness, so getting your firm into compliance is more about administrative management and control than pure IT security protocols. More importantly, it will most certainly take a team of IT and administrative personnel working together to get your firm into compliance by February 2010.


Step One - HIPAA Security/Privacy Risk Assessment


The first requirement is to complete a risk assessment to determine your firm's current level of compliance. This risk assessment must be comprehensive and address the physical security and privacy of ALL locations of ePHI.  That means you need to determine all the places these data are being housed and/or transmitted to/from, including:

· All practices, personnel, and offices that use/store/view ePHI

· All network/data locations (including backup tapes/storage devices) that store ePHI

· All other devices/tools that ePHI may be stored on, such as desktops, laptops, flash drives, attorney home computers, CDs, intranets, extranets, databases, and PDAs (iPhone, Blackberry)

· All means by which data are transmitted, such as email, fax, voice mail, and PDAs

Understanding all the potential locations of ePHI is not as simple as it sounds.  Law firms use these data in many practices such as labor/employment, insurance defense, product liability, medical malpractice, healthcare, and many areas of litigation.  To ensure the risk assessment is comprehensive, consider discussing the types and locations of ePHI (as well as non-electronic sources) in all practices within your firm.  It is better to be thorough than to take the chance of missing something important.  Then document all security and privacy protocols currently in place for data in transit and data at rest.

Once you know your baseline, your risk assessment must then include an honest analysis of your current compliance levels relating to administrative, technical, and physical/facilities safeguards around ALL of your firm’s ePHI.  Note that not all of the safeguards are required.  However, if your firm chooses not to implement a safeguard, you must document why you chose not to. (To get educated on the issues, there is a lot of information on the internet about HIPAA compliance, or you can call us at 217.778.6976 for an overview).

It is important to remember that the safeguards are designed to be flexible and reasonable for every sized organization.  They are not intended to be overly burdensome, so it is important to weigh the risk versus the cost when implementing them.  Keep in mind, many of the safeguards are just good business practices, such as password management, encryption, and application/network access monitoring, so you may not be that far out of compliance now.  When deciding which safeguards to implement, consider:


· Likelihood of the threat occurring (e.g., a lost flash drive containing ePHI, network hacking)

· Current capabilities (have you already started taking some steps to safeguard protected health information?)

· The hardship that implementing the safeguard may present (costs, internal resource limitations)


As always, let common sense prevail.  Be prudent in mitigating risk, but sensible in deciding the level of compliance your firm can reasonably accommodate.  It is important to show the firm’s willingness to at least try to implement safeguards, but if getting into compliance with some safeguards is overly burdensome, document why the firm has chosen not to comply and maintain those records for 6 years (this is the records retention requirement for all Security Rules compliance documentation). 


Two other important items to note:


· State laws may be even more restrictive than Federal rules for privacy and security of protected health information (this is true in 80% of the cases where states have privacy laws).  State law supersedes Federal law where it is more restrictive, so make sure to understand the rules governing your state for privacy and security.

· Disaster recovery and emergency access planning is now a Federal requirement for all sources of ePHI.  Implementing a technology disaster recovery architecture is time (and resource) intensive, so it is vitally important to get started on this aspect of compliance as soon as possible.


The issues and processes surrounding HITECH compliance are complex and will take time and resources to understand and then implement.  The professionals at Hyperion Global Partners can assist in all phases of risk assessment and in designing data protection and access strategies to meet the February 2010 compliance deadline.  Let us know how we can help!


About the Author

Full Name: Pamela Hill

Location: Chicago, IL

Company: Hyperion Global Partners

Title: Managing Director