The April 20 compliance deadline for the Health Insurance Portability and Accountability Act (HIPAA) Security Rule came and went with considerably less stress and anxiety among practitioners than seemed to accompany its predecessor, the Privacy Rule. Unfortunately, by many accounts, psychologists do not appear, so far, to have gone to the same lengths to bring their practices into compliance with the Security Rule as they did the Privacy Rule. I have heard from some psychologists who are under the misimpression that the actions they took to comply with the Privacy Rule are sufficient to also make them compliant with the Security Rule.
While there is some limited overlap between the two rules, the Security Rule is separate and distinct and requires a different set of compliance activities than the Privacy Rule. While the Privacy Rule outlined to whom and under what circumstances psychologists can disclose patient information, the Security Rule outlines the steps a psychologist must take to protect confidential information from unintended disclosure through breaches of security. This includes any reasonably anticipated threats or hazards, such as computer viruses or vulnerability to computer "hackers." The Security Rule creates standards that health-care professionals must meet to ensure that electronic health-care information stays confidential and secure. Unlike the Privacy Rule, which applies to all protected health information (PHI), the Security Rule only applies to PHI maintained or transmitted in electronic form.
So who must comply with the Security Rule? The short answer is that any practitioner who determined that it was necessary to comply with the HIPAA Privacy Rule must also take steps to comply with the Security Rule. The more technical answer is that the Security Rule applies when a psychologist transmits information in electronic form in connection with a health-care claim or one of the eight other claim-related transactions specified by the rule. It is important to note that many health-care analysts have argued that the standards of the Privacy and Security Rules are likely to become the customary standard of practice followed by everyone in the health-care industry, whether HIPAA compliance is technically triggered or not.
Complying with the Security Rule requires taking specific steps to ensure the confidentiality, integrity (meaning that information is not altered in storage or transmission), and appropriate accessibility of electronic PHI. The first step is a risk analysis of your practice. This risk analysis is a careful, thorough and documented evaluation of whether your practice's administrative activities, physical environment and computer systems are secure, and whether electronic PHI is accessible only to appropriate and authorized individuals. As part of the risk analysis process, it is necessary to assess the likelihood and impact of each identified threat and vulnerability and to take any necessary preventive or corrective actions.
Each stage of the risk analysis must be documented, and the completed risk analysis document added to your HIPAA compliance records. (Presumably, you have existing records related to the Privacy Rule.) Relevant policy and procedure documents must also be created that reflect any administrative, physical or technical safeguards implemented as a result of the risk analysis. It is these documents that will serve to demonstrate that you are in compliance with the HIPAA requirements should the Centers for Medicare and Medicaid Services (the agency charged with enforcement) ever audit your practice.
If you practice in an institution or facility, it most likely will have a HIPAA security officer (or a similarly titled compliance officer) to whom you should refer on compliance matters. The requirements for settings larger than solo or small practices are typically much more extensive and complicated. Many provisions of the Security Rule explicitly allow the compliance process to be tailored to the size and complexity of one's practice. One key to compliance, however, is being able to provide a documented rationale for any tailoring you do as allowed by the rule. Such documentation must become part of the required compliance documents. Just as with the Privacy Rule, there are civil monetary penalties and criminal sanctions, including imprisonment, for failure to comply with the Security Rule.
Unlike with the Privacy Rule, there is not a complex interaction between the Security Rule and state law. Many states are beginning to enact identity-theft protection laws that require the "victim" to be notified in the event of theft of personal information. Although some have described these laws as "going beyond" the Security Rule, they do not generally apply to patient information. Currently, only Arkansas includes "medical information" in the definition of "personal information."