HIPAA Security Standards — Missing the Boat…?

HIPAA Security Rule

Feisal Nanji
Executive Director,
Techumen LLC.
feisal@techumen.com.

The HITECH Act of February 2009 and, subsequently, the health care reform act of 2010 have created a frenzy of activity around deciphering the requirements for HIPAA Security and Privacy. Information security and compliance officers seem to be in a muddle about what to do and what to prioritize. The abridged blog post excerpt below, by Stephen Gantz, Associate Professor at the UMC Graduate School of Management and Technology, illustrates this misplaced focus on concrete dates and standards.

“The January 1, 2011 date looks increasingly unlikely, for two primary reasons. First, the language of the HITECH Act instructs HHS to first adopt standards for accounting for disclosure, and then promulgate regulations about what information health care entities (and presumably business associates, since HITECH also made business associates directly responsible for complying with HIPAA requirements) must record about each disclosure (§13405(c)(2)). No such standards have yet been proposed, much less adopted, and at present HHS is still in the process of reviewing comments it received in response to the request for information it published in May of this year. Second, the EHR certification criteria proposed by the Office of the National Coordinator (ONC) in an interim rule published last winter included accounting of disclosures, and so represented a key driver influencing health IT vendors to make sure their EHR systems offered the capability in their products. However, in the revised certification criteria released last week in conjunction with the final version of the meaningful use…

Even the risk analysis requirement (the only explicit security measure in meaningful use) was reduced in scope between the interim and final versions of the rules, as under meaningful use the required risk analysis only needs to address the certified EHR technology the organization implements, not the organization overall. This is markedly less than what is already required of HIPAA-covered entities (and, under HITECH, of business associates as well) under the risk analysis provision of the HIPAA Security Rule…”

We believe this incessant focus on deadlines and standards misses the boat, because standards and technology change so quickly. Instead, as Gantz’s post correctly points out, the HIPAA Security Rule requires a health entity to take a risk-based approach suited to its own environment. Worrying about the final standards and rules for accounting of disclosures, and other such minutiae of HITECH, is a distraction. If you are a “covered entity” under HIPAA (or, under HITECH, a business associate), you remain fully responsible for meeting the security requirements of the HIPAA Security Rule regardless of how the meaningful-use criteria are finalized.

What the government wants, then, is for every covered entity to take steps to understand and assess the risks to its security posture through an ongoing, at least annual, risk-based approach (the Security Rule’s risk analysis requirement is at 45 CFR 164.308(a)(1)(ii)(A), and the rule expects the analysis to be revisited as the environment changes, not filed once and forgotten). In our view the best available approach comes from the government itself: NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems.”

So if you are a health entity, small or large, my advice is to first follow the NIST SP 800-30 framework diligently: identify your systems and the ePHI they hold, enumerate threats and vulnerabilities, rate likelihood and impact, and record the resulting risks and your chosen controls. See what results you end up with, and only then make your decisions or prepare your road map. The government does not expect every provider to have the security of Fort Knox, but it does expect you to be diligent in understanding your own posture and in taking documented steps to secure it. A risk-based approach, with the analysis and the remediation decisions written down, is what the rule actually asks for and is the approach most likely to keep you out of trouble.

About Feisal Nanji

Mr. Nanji is the Executive Director at Techumen. He has extensive experience in developing and building security programs for health, financial services, and core infrastructure clients. Overall, Feisal has over 20 years of experience in technology strategy and information security. Feisal was with Ernst & Young from 2003 to 2008, where he led the National Application Security service line. While there, Feisal led a team to analyze and help remediate application and network security weaknesses for a health provider with an installed base of three million Electronic Health Records (EHR), perhaps the largest private (non-governmental) installation of an EHR system in America. Feisal holds degrees from Harvard University and the University of Notre Dame. He has held the Certified Information Systems Security Professional (CISSP) accreditation since 2003.
