Government publishes HIPAA security standards

Feb 20, 2003

More than four years after it first proposed health information security standards, the Department of Health and Human Services (DHHS) published a trimmed-down final version of the standards on Thursday.

The publication of the “final rule” for health information security standards as part of the 1996 Health Insurance Portability and Accountability Act (HIPAA) met with mixed reaction from health-care experts, with some saying a lack of specific requirements will create confusion in the health-care industry, and others applauding the government’s hands-off approach. The final rule was announced last week and published in the Federal Register Thursday.

Most of those asked about the final rule were still digesting the almost 300 pages of changes and modifications to the government’s first draft and said that it was too early to tell what effect it will have.

“(The standards) haven’t been out long enough for me to absorb everything yet, but I don’t think they’ve dramatically changed,” said Pat Johnston, director of health information privacy and security at Texas Health Resources, a nonprofit health network based in Arlington.

The security standards establish protections for electronic health information, implementing requirements laid out in the Administrative Simplification subtitle of the HIPAA legislation. The standards directly affect the way health plans, health-care clearinghouses and certain health-care providers handle patients’ private health information, requiring a number of steps to comply with the law.

Among other things, affected entities are required to:

  • Conduct a thorough risk analysis of their organizations and review electronic information handling procedures, information system activities and policies to develop measures that ensure the integrity of patient health information.

  • Develop clear policies for detecting and reporting security violations, as well as contingency and disaster recovery plans to guard against patient data loss.

  • Make business associates and partner companies aware of security policies and procedures, either through written contracts or other less formal means.

Noticeably, however, the government backed away from many of the requirements it laid out when the standards were first proposed in 1998, after health-care organizations complained that implementing those requirements would be prohibitively expensive.

For example, the final rule narrows the focus of the security standards to apply to information in electronic form, removing a concern about more requirements for paper documents on top of those stipulated by the HIPAA health information privacy rules that have already been released.

The government also backed off certification requirements in the final rule, a move that raised the eyebrows of some security experts, who worry that consumers will have to be more vigilant about how their private health information is being used.

“With privacy, you only know if it’s being enforced by exception,” said Marne Gordan, director of regulatory affairs at security consulting company TruSecure. “First you have to have your privacy violated, so that puts the burden on the consumer who may not be aware of (HIPAA).”

In the absence of clear government standards, Gordan worries that it will fall to lawyers to sort out what does and doesn’t count as compliance with the new regulations. “This whole thing is going to be determined by case law in civil court. The first big breach, there will be plaintiff’s attorneys who are dying to try this case and it will be decided by two smart lawyers. That will determine what’s effective and what’s not.”

The government may also have been too willing, in the face of resistance from the private sector, to back off of straightforward security requirements that would be easy to understand and implement, Gordan said.

In a marked contrast to their proposed format, the final security standards leave it up to health-care organizations to assess their own level of compliance with the government’s standards, adopting the notion of “required” and “addressable” implementation specifications.

Intended to provide covered entities with flexibility in complying with security standards, “addressable” specifications allow an affected organization to choose whether or not to implement a specific security measure depending on the organization’s assessment of whether it is applicable to its security framework.

That determination can be based on considerations such as the organization’s risk analysis, security measures it already has in place or the cost of implementing the security measure.

“This has got to be the first time I’ve seen the introduction of risk tolerance for institutions in a federal regulation,” said Gordan.

“Usually federal regulations are just a checklist. ‘You must accomplish this for this date.’ But the final rule says it’s up to organizations to determine their level of risk tolerance,” Gordan said.

But the shift in position from requirement to suggestion is appropriate given the strong reaction to the government’s first draft, according to Amith Viswanathan, senior industry analyst at Frost & Sullivan.

“I think from an overall standpoint, the first issuance of the security ruling was way too specific in its requirements for covered entities. The natural reaction was to receive a high load of comments back. In response, the government has taken appropriate measures to remove overly specific requirements,” Viswanathan said.

While novel, however, the approach may offer little solace to health-care organizations looking for specific guidance and worried about the potential legal consequences of failing to comply with the letter of HIPAA, according to Gordan.

“I’m hoping that it won’t leave people at a loss as to what to do,” Gordan said.

“It’s a double-edged sword,” said Johnston of Texas Health Resources. “On the one hand, you sure don’t want the government dictating technology standards. On the other hand, you never know if you’re doing enough.”

“A lot of what they listed as ‘addressable’, I would have listed as ‘required’,” Gordan said.

Termination procedures for employees and basic “cyber hygiene” requirements to prevent hackers from obtaining patient information are two areas where the DHHS should have taken a stronger stand, Gordan said.

The absence of hard requirements in those areas leaves health-care organizations and their patients vulnerable, especially in cases where no in-house security expert is available to assess an organization’s exposure, Gordan said.

Johnston agreed, saying that requiring 128-bit encryption, for example, would clarify her organization’s IT purchasing decisions and leave it less vulnerable to the scare tactics used by technology vendors.

“It’s going to be a mess, because all these vendors will be saying ‘You’re not compliant unless you implement this technology’, but it’s not clear,” Johnston said.

In general, however, Johnston and others complimented the new rules, saying they are firm where necessary while giving flexibility to health-care providers.

“Disaster recovery must be addressed … and user authentication is also a must. I think the final rule adequately addresses those areas, but is sufficiently broad so as not to be overly interpreted,” Viswanathan said.

“They’ve moved from telling us how to do things, to telling us what we need to do, and we need to figure out how to do it,” Johnston said.

The hard work ahead will come in evaluating existing procedures in light of the new security standards and making the appropriate business decisions, she said.

“We’re going to use (the security standards) as an opportunity to review every aspect of our operations — determining how consistently standards will be applied, documenting things that have not been documented but understood, and also making sure things are enforced. This is all good in terms of making us invest in areas that we hadn’t invested in,” Johnston said.

Organizations affected by the privacy rules have until April 14, 2003 to show compliance, with small health plans getting an additional year to comply. Compliance with the Electronic Health Care Transactions and Code Sets provisions of HIPAA is due by Oct. 16, 2003.