Thanks to the efforts of the National Institute of Standards and Technology (NIST), a free toolkit (scap.nist.gov) is now available to help physicians understand and implement the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (www.hhs.gov).
The security rule, which went into effect in 2005, sets national standards for protected electronic health information that is created, transmitted or maintained by a variety of entities, including physician practices and their business associates.
The NIST toolkit is intended to help practices of all sizes, regardless of their level of security expertise. However, according to NIST, it was created as a self-assessment tool and does not guarantee that a practice is in compliance with the HIPAA Security Rule.
Steven Waldren, M.D., director of the Academy's Center for Health IT, said HIPAA requires physicians to do a security assessment and then put certain policies and procedures in place. The NIST tool could help family physicians see where they are in that process, as well as enable them to collect and keep all of the necessary documentation in one place.
"If physicians are looking for a free tool, this is one to consider, and there's little risk to downloading and trying it out," said Waldren, who spent some time exploring and previewing the toolkit.
One tip from Waldren: Of the two survey choices offered, most family physicians should download the "standard" version because it was designed for small physician practices.
Be prepared to spend a little time with the 115-page survey, advised Waldren. Survey users first create a profile and then answer a series of questions, including:
- Has your organization developed, disseminated, reviewed/updated and trained on your risk assessment policies and procedures?
- Are any of your organization's facilities located in a region prone to any natural disasters, such as earthquakes, floods or fires?
- Does your organization have a sanction policy for staff, employee or workforce violations?
- Does your organization have a procedure to deactivate computers and other electronic tools and access accounts, including a process that will disable user identifications and passwords?
- Does your organization have authentication mechanisms to verify the identity of the user accessing the system?
- Does your organization provide security awareness training with all new hires before they are given access to protected electronic health information?
- Does your organization have a process or procedure for reporting and handling security incidents?
At the end of the survey process, the user can download or electronically store the completed report.
Security incidents involving protected health information are investigated and documented by the Office of Civil Rights (OCR), the federal agency charged with enforcing the security rule. In March 2011, the OCR issued a report that recorded enforcement activity from mid-2005 to 2010. That report, HIPAA Security Rule and HITECH Breach Notification Trends in Enforcement Activity (www.ehcca.com), notes that 577 HIPAA security complaints occurred during the time span examined.
A review of those complaints indicated that the most frequent security rule issues involved response and reporting, awareness and training, access control, information access management, and workstation security.