The Security Rule establishes 18 standards to provide a uniform framework for information security. Nine of these standards are administrative, four are physical and five are technical.
These standards are either self-contained in their requirements (e.g., "Assigned Security Responsibility") or carry implementation specifications that are designated either "required" or "addressable." Addressable specifications are not optional: the organization must assess whether the specification is a reasonable and appropriate safeguard in its environment and implement it if it is. If it is not, the organization must document why and implement an equivalent alternative measure where one is reasonable and appropriate.
The Security Rule is summarized in a table known as the Implementation Matrix (published as Appendix A to Subpart C of 45 CFR Part 164), a copy of which can be downloaded from www.cdva.ca.gov/hipaa. Before organizations grapple with the details of each standard, they should understand the framework as a whole and take the first step toward effective compliance: a risk analysis.
The Road to Compliance
Because Security Rule compliance spans administrative, physical and technical standards, most organizations are best served by handling implementation through a committee with expertise in each of these areas. Including legal counsel on the implementation committee can be invaluable for weighing the risks and benefits of one implementation strategy against another. Effective counsel can help your committee avoid the mistakes other organizations have made and potentially avoid litigation and costly fines. Finally, executive support is critical, not just because compliance is mandated, but because the organization needs to understand how information security will help everyone achieve the common mission.
Risk analysis is the first required implementation specification of the first standard in the rule (Security Management Process). It is perfectly positioned: every determination of what is a "reasonable and appropriate" safeguard must flow from that assessment of risk.
The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, publishes a series of documents that provide a great deal of guidance on information security. In its commentary on the HIPAA Security Rule, the U.S. Department of Health and Human Services recommended that entities look to NIST for guidance on technical matters.
NIST's Risk Management Guide for Information Technology Systems (Special Publication SP 800-30) provides a straightforward methodology for risk assessment that can satisfy the Security Rule's risk analysis specification, as well as a second part on risk mitigation that can help entities satisfy the second implementation specification of the same standard, risk management.
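As an added illustration, not code from the article or from NIST, the following Python applies SP 800-30's risk determination step (Step 7 of the 2002 edition's nine-step assessment) to a constructed risk register and rolls the results up against the Security Rule standards each item maps to. It assumes the weights and thresholds of the guide's risk-level matrix (likelihood High 1.0, Medium 0.5, Low 0.1; impact High 100, Medium 50, Low 10; resulting risk High above 50, Medium above 10 up to 50, Low from 1 to 10) and the paraphrased actions the guide attaches to each level; the register entries, asset names and standard labels are made up for the example.

```python
"""SP 800-30-style risk determination over a constructed risk register.

Added example: the register below is invented for illustration and is not
data from any real assessment. Weights and thresholds follow the risk-level
matrix in NIST SP 800-30 (2002 edition), Tables 3-6 and 3-7.
"""
from dataclasses import dataclass

# Likelihood weights are stored in tenths (1.0 -> 10) so every product
# below is an exact integer divided by 10, avoiding float rounding at the
# 10 and 50 boundaries.
LIKELIHOOD_TENTHS = {"High": 10, "Medium": 5, "Low": 1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# Actions SP 800-30 attaches to each risk level (paraphrased).
ACTION = {
    "High": "corrective measures needed; put a plan in place as soon as possible",
    "Medium": "corrective actions needed; plan them within a reasonable period",
    "Low": "decide whether corrective action is still required or accept the risk",
}


@dataclass
class RiskItem:
    asset: str
    threat: str           # Step 2, threat identification
    vulnerability: str    # Step 3, vulnerability identification
    standard: str         # Security Rule standard/spec from the Implementation Matrix
    likelihood: str       # High / Medium / Low, from Step 5
    impact: str           # High / Medium / Low, from Step 6


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood weight times impact weight, as in Table 3-6."""
    return LIKELIHOOD_TENTHS[likelihood] * IMPACT[impact] / 10


def risk_level(score: float) -> str:
    """Map a score onto the guide's three-level scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def prioritize(register):
    """Return (score, level, item) tuples, highest risk first."""
    scored = [(risk_score(i.likelihood, i.impact), i) for i in register]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [(score, risk_level(score), item) for score, item in scored]


def worst_level_by_standard(register):
    """Highest risk level recorded against each Security Rule standard.

    Because prioritize() sorts highest risk first, the first item seen for
    a standard carries its worst level; this is what a committee working
    from the Implementation Matrix as a checklist wants to see.
    """
    worst = {}
    for _score, level, item in prioritize(register):
        worst.setdefault(item.standard, level)
    return worst


# Constructed register: four illustrative threat/vulnerability pairs.
SAMPLE_REGISTER = [
    RiskItem("Claims database", "Insider browsing of patient records",
             "Shared login used by the whole billing team",
             "Access Control / Unique User Identification", "High", "High"),
    RiskItem("Field laptops", "Theft of a laptop from a parked car",
             "Exported patient lists stored unencrypted",
             "Device and Media Controls", "Medium", "High"),
    RiskItem("Offsite backup tapes", "Fire at the storage vendor",
             "No tested restore procedure",
             "Contingency Plan", "Low", "High"),
    RiskItem("Clinic workstations", "Shoulder surfing in the reception area",
             "Monitors face the waiting room",
             "Workstation Security", "Medium", "Low"),
]


if __name__ == "__main__":
    for score, level, item in prioritize(SAMPLE_REGISTER):
        print(f"{score:5.0f} {level:6} {item.asset:22} {item.standard}")
        print(f"             {ACTION[level]}")
    print()
    for standard, level in worst_level_by_standard(SAMPLE_REGISTER).items():
        print(f"{level:6} {standard}")
```

The point of the roll-up at the end is that a single assessment pass yields both the prioritized mitigation list SP 800-30 expects and a per-standard view that can be laid directly over the Implementation Matrix, so the same work is not performed twice.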
Compliance with the Security Rule can be a straightforward process. First, understand what information security is about and why your organization needs it. Second, understand what risk is, and use an established methodology to assess it. Creating your own methodology might seem easy at first, but it can quickly turn into a nightmare when you find yourself defending it in an inquiry by an oversight agency. Third, know what the rule says and use the Implementation Matrix as a checklist, so that each safeguard you put in place is credited against every standard it satisfies and no work is performed twice. Finally, assemble your compliance team, including legal counsel, and get to work. After all, most covered entities have only until April 20, 2005 to make sure the organization is compliant (small health plans have until April 20, 2006).
C. Matthew Curtin, CISSP is founder and CEO of Interhack Corporation, an information assurance, data forensics and technology outsourcing provider. Peter M. Hazelton is an attorney with the law firm of Mallory & Tsibouris.