This article can also be found in the Premium Editorial Download "Information Security magazine: Unwrapping Windows Server 2003: An exclusive first look at Microsoft's new OS."
Worried you won't meet the HIPAA privacy rule by the April 14 deadline? Well, you're not alone.
Attorneys nationwide reportedly plan to deploy decoy patients at health care organizations to see if doctors, dentists, hospitals and insurance companies have the policies, procedures and protections that ensure patients' privacy, as required by the federal Health Insurance Portability and Accountability Act (HIPAA). Those that don't comply risk hefty fines, possible criminal prosecution and costly civil lawsuits. Companies have had two years to educate staff, designate a privacy officer and adopt basic security measures. But there's a good chance some providers will miss the deadline.
"In many cases, it's ignorance. But in some cases, it's a very conscious decision; sort of a protest," says David Chapin, whose Texas-based company, Practisure, provides HIPAA services for small health care providers.
But the U.S. Department of Health and Human Services' Office of Civil Rights will have help in investigating suspected offenders, namely purported victims who slap health care providers with big-money lawsuits.
The threat of lawsuits may be a stronger motivator than government fines or jail time, says Kate Borten, a security consultant and president of The Marblehead Group in Massachusetts.
"The government has publicly stated it will be very forgiving if an organization demonstrates it meant well and has taken steps to become compliant," Borten says. "The greater concern is the private lawsuit or bad press in a local community that will hurt business."
Though most of the privacy rule revolves around policy and procedure, it does outline some mandatory security measures. Another HIPAA component, the transactions and code rule, includes requirements for using AES-strength encryption for any electronic data transmissions, such as claims sent between medical providers and insurance companies.
Some measures recommended by HIPAA experts are minor in expense, but go a long way toward showing an earnest effort. For instance, computers storing or displaying records should automatically log off or lock up after use to prevent peeping. Also, organizations should establish policies for shredding documents, locking file cabinets and playing white noise or music to inhibit eavesdropping. Each HIPAA-regulated organization also must have a privacy officer to make sure the staff understands and follows HIPAA guidelines.
By 2005, the recently approved HIPAA security regulations will become enforceable. By then, all health care organizations--and, indirectly, their business associates--must have a security program that includes security awareness training, risk assessments and disaster recovery plans.
Organizations that have already developed privacy policies may find the security rule a tad easier to meet, having already adopted encryption policies, education programs, and authentication and authorization tools to control access to medical records.
Many expect that the current rules will change over time. But "it's always going to be about mitigation of risk," says Christopher Berlandier, CEO and president of Securesoft Systems in California. Berlandier's company makes the Immunity Management Suite (IMS), a software solution that provides compliance assessments and recommendations to fix holes.
"We're getting inundated with phone calls or requests for proposals," Berlandier said in late February. "And with callers, they all want to know: Can you help us by April?"
This was first published in April 2003