The Road to HIPAA Security Rule Compliance

The topic of information security gets a lot of attention but can be difficult to address seriously in any organization. Developing and maintaining an effective information security system can be a challenge. However, if you understand what...


The topic of information security gets a lot of attention but can be difficult to address seriously in any organization. Developing and maintaining an effective information security system can be a challenge. However, if you understand what information security is, how others have succeeded with it and exactly what a regulation requires, you have a much greater chance of success.

The Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is designed to provide greater confidentiality, integrity and authorized availability of protected electronic health information through the implementation of reasonable and appropriate administrative, physical and technical safeguards. In other words, patient information needs to be safe. This article provides insight on the overall importance of the HIPAA Security Rule and outlines issues you should consider when planning a compliance strategy for your organization.

The Objective of Information Security
Information security is fundamentally about handling information appropriately. What constitutes "appropriate" handling can vary wildly, depending upon the type of information and the information owner's concept of appropriate level of risk.

Before we can understand what "appropriate level of risk" means to information, we need to step back and look at how we use information in our organizations. Everyone in the organization-whether a member of the board of directors, a security team manager or an administrative assistant-should understand the objective of the organization. The best way to achieve this organization-wide understanding is to define and publish a mission statement that is clear and easy to understand.

A hospital that provides palliative care may have a mission statement that reads, "To provide quality care for patients with advanced cancer and their families throughout the illness and during bereavement."

This simple statement means a lot of things. Providing quality care for patients and families requires that caregivers receive a great deal of support. Consider the information that needs to be managed in connection with providing such care-everything from precise diagnosis to treatment history, pre-existing conditions and current medications. Information is also required to handle billing and interactions with payers. Still other information is critical to effectively communicate with the patient's family.

Information technology, which includes paper-based management systems as well as more sophisticated electronic systems, makes it possible for physicians, nurses and administrative staff to access and update patient records quickly and accurately. The organization cannot accomplish its mission unless it takes these actions. This is where information systems, in affording greater access, provide a return on investment to the organizations that purchase them. Are there any actions that would prevent the organization from accomplishing its mission? Consider the following three examples:

  • What if a system designed to provide billing information to a third-party payer (such as an insurance company) revealed the information incorrectly, perhaps making it available to any Internet user who happened to look in the right place? Would the hospital be able to state that it provides quality care, or would it be giving patients and families more to worry about?
  • Imagine a system that, when asked to retrieve allergy information for one patient, displays information about another patient. How would that affect treatment? Would it result in quality care?
  • What if a physician could not access a patient's medical records at a critical moment, when a decision must be made on whether to administer a particular type of treatment? If the physician must guess whether similar procedures have worked for the patient in the past, what kind of care would the patient receive?
This content continues onto the next page...