Privacy and Security Compliance in the E-Healthcare MarketplaceJune 5, 2000
Healthcare managers must educate themselves and their organizations regarding their duty to ensure that the privacy and security of individually identifiable healthcare information is maintained. An important part of this education is preparing to comply with the new proposed regulations regarding the used and disclosure of personally identifiable health information that is or has been in electronic form. Managers need to establish programs that meet the documentation, procedural, training, and technical requirements of these proposed rules.
Healthcare managers should examine all data-intensive business initiatives with privacy and security in mind. Such initiatives include:
- Arranging data services with a vendor;
- Purchasing hardware or software;
- Negotiating with suppliers or purchasing organizations that seek access to data;
- Centralizing data among affiliated entities;
- Working with physician groups to share a common medical record;
- Reaching out to customers, suppliers, or other providers through the Internet.
Structuring any new contract or program with privacy and security policies in mind can help the healthcare organization avoid the need to restructure the relations hip or renegotiate the contract as case law and Federal and state regulations evolve.
Accreditation and Regulatory Requirements
Healthcare organizations have several incentives to develop internal privacy policies. First, the National Committee for Quality Assurance (NCQA) and the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) each are implementing standards that require healthcare organizations to form an internal review board to create confidentiality policies and review practice s regarding the collection, use, and disclosure of medical information.
Second, a number of states have statutes governing the disclosure of medical information that, in some cases, include criminal penalties for unauthorized disclosure.a Third, privacy regulations proposed by HHS as mandated by the 1996 Health Insurance Portability and Accountability Act (HIPAA) will apply to providers, health plans, and healthcare clearinghouses that transmit health information in electric form.b When the HHS privacy rules become effective, entities must have in place policies and procedures that address provisions of the new rules, including training procedures for all personnel who have contact with health information protected by the regulations.c The proposed rules also detail certification requirements and require the designation of an internal privacy offer to receive complaints and provide information on the organization's privacy policies and procedures.
Implementing privacy-related controls in vendor contracts is one requirement of proposed regulations regarding electronically transmitted healthcare information.
The broad sweep of the proposed privacy rules dictates that the organization develop detailed policies and a mechanism for organizational decision making on privacy issues. For example, the proposed rules expand the limitations on the release of protected health information. Thus, the organization needs to work toward making "all reasonable efforts not to use or disclose more than minimum amount of protected health information necessary to accomplish the intended purposes of the use or disclosure."d To that end, the organization is required to have identified persons who can, on an individual basis, determine what information can be disclosed if the disclosure is within the limits of the entity's capabilities.
Equally important to the healthcare managers engaged in contracting are provisions that, in effect, make the health plan its vendor's keeper. The regulations require the provider or payer to ensure that its "business partners" comply with HIPPA rules by contractually establishing the partner's permitted or required uses and disclosures of identifiable healthcare information. The business partner must be contractually required to use appropriate safeguards to prevent other uses or disclosures of this information and report authorized and unauthorized uses or disclosures to the provider or payer.
The contract also must establish the right and mechanisms by which individuals can access their own protec ted health information. Furthermore, the contract must be terminable if the payer or provider determines that a material privacy term has been violated. Because the proposed rules charge providers and payers with taking "reasonable steps" to ensure that each business partner complies with all HIPAA requirements, a compliance policy that includes vendor contract review is essential. Contracts should be designed to allow amendment by the provider or payer where necessary to bring its relationship with the vendor into compliance with the final HIPAA rule. Vigilant healthcare managers seeking vendors that can comply with HIPAA privacy regulations may want to use checklists to determine the level of the vendor's compliance on such issues as disclosure logs and the creation of third-party beneficiary rights for patients.
Regulatory Requirements for Data Security
The proposed security standards apply to all health plans as well as those healthcare clearinghouses and providers that transmit, maintain, or receive any healthcare information electronically."e The security standards fall into four categories: administrative procedures, physical safeguards, technical security for data integrity and confidentiality, and technical security against unauthorized access.
First, the proposed regulations call for administrative procedures to guard data integrity, confidentiality, and availability. A compliance program should include internal or external certification of the conformance of computer systems and networks with internally developed security requirements. It also should incorporate a routinely updated contingency plan, including criticality analysis, data backup plans, disaster recovery plans, and emergency operations plans. Furthermore, it should emphasize form al procedures for the receipt, manipulation, storage, transmission, and/or disposal of health information.
Moreover, the proposed regulations require the establishment of procedures for implementing access authorization rules and for modifying these rules a s necessary. Internal audit records need to be maintained regarding log-ins, file access, and security incidents. Personnel security should include documented policies for determining access levels and clearance, training and job exit and termination procedures. Finally, the policies must provide for overall security configuration management in the form of written plans and procedures, hardware and software maintenance and testing, inventories of hardware and software, virus checking, security testing, incident procedures, and breach identification and correction procedures.
Second, the proposed regulations require the implementation of numerous physical safeguards. For instance, policies should be in place governing the receipt, installation, and removal of hardware and software that emphasize accountability, backup, retention, and disposal. Access controls should include policies for validating access privileges and limiting access to those with a "need to know," records of repairs and modifications to the physical components of a facility, sign-in procedures and escorts for visitors to the facility, as well as guidelines on work-station surroundings and physical safeguards, e.g., locked rooms that are located away from outside traffic.
Third, the proposed regulations include technical security requirements. Thus the manager's purchasing decisions should acknowledge the future need for audit controls, authorization control (role- and/or user-based), data authentication, and entity authentication. The regulations require authentication procedures to use either password, personal identification number (PIN), telephone call-back, token (key card), or biometric identification.
Finally, the proposed regulations require the use of technical security mechanisms to protect data transmitted over internal or external networks. The required mechanisms would include integrity controls, message authentication, and one of two implementation features: access controls of encryption. Any use of network controls to protect information must include all of the following: alarms, an audit trail, entity authentication, and event reporting. Thus, healthcare managers need a detailed shopping list to facilitate the search for the right network vendor, equipment, and software.
Promise and Peril
Organizations involved in the collection, maintenance, and dissemination of healthcare information have long been subject to privacy-related duties under the common law (e.g., torts and invasion of privacy and defamation ), state licensure laws, and ethical codes. Even before HIPAA, some states had enacted healthcare information confidentiality statutes,f and a number of years ago the Federal government enacted a Privacy Act applicable to Federal contractorsg and strict rules relative to the confidentiality of the drug and alcohol treatment information.h
The proposed HIPAA rules on individually identifiable health information that is stored or, in the case of the security regulations, transmitted electronically, have raised the stakes for providers and payers. The wrongful disclosure of individually identifiable health information now is a Federal offense and a felony.i The Internet holds tremendous potential for new efficiencies in healthcare business-to-business and business-to-consumer interactions. However, electronic transactions, whether they take advantage of the Internet or not, now carry with them a set of serious duties and compliance obligations.
The complexity of the proposed regulations and the need to apply them to a variety of operational events should spur healthcare managers to develop formal privacy and security procedures and compliance policies. Experts in a variety of disciplines (medical, technical, ethical, and legal) should be consulted when developing and administering the policies. Selection of business partners that are compliant, and documentation of arrangements with such partners, will need to be the norm. Moreover, healthcare organizations must develop internal controls, training, and reporting that keep data security and confidentiality central to the organization's mission.
a See for example, Tenn. Code Ann. § 68-11-311 (1983).
b 64 Fed. Reg. 59918 (Nov. 3, 1999).
c Covered entities (except small health plans) must comply no later than 24 months after the rules are made final.
d 64 Fed Reg. 60054 at § 164.506(2)(b)(1)(November 3, 1999).
e 63 Fed Reg 43242 (August 11, 1998).
f See, for example, Minn. Stat. § 144.355 (1996 & Supp. 1997); 1997 Ca. Sta. 2269 (Codified at Cal. Civ. Code § 1798).
g Pub. L. No. 93-579, 81, 88 Stat 1896 (codified as amended at 5 U.S.C. § 552a ).
h 42 U.S.C. § 290dd-2 (1994).
i Penalties for each offense are a fine of not more than $50,000, imprisonment not exceeding a year, or both. Offenses under false pretenses carry $100,000 fines and/or imprisonment of up to five years. Where there is an intent to sell or transfer the information, imprisonment can be for 10 years and the fine $250,000 for each offense.
This publication is provided by Epstein Becker & Green, P.C. for general information purposes; it is not and should not be used as a substitute for legal advice.