The security rule also requires the physician to train his staff periodically on security policies and procedures and to draw up a contingency plan for calamities such as an earthquake, fire or other events that can destroy his information systems. Experts estimate that meeting the security rule's implementation specifications is 70-80% administrative policies and procedures and 20-30% technology. Some of these implementation specifications are required while others are addressable. Dr. Lazarus says that an addressable implementation specification allows a physician to do something else that is equivalent to it, but not to ignore the specification. What applies to a solo medical practitioner will not apply to a 200-physician alliance or a 00-bed hospital, for example, but whatever is done must be in fine shape and carefully documented. Walsh Consulting said that a physician basically needs information systems with five types of technical controls, and most vendors or systems already have these capabilities built in (Chin).
The HIPAA security rule requires controls that govern access and that identify and track authorized users (Chin 2004). One of these controls is a unique user ID; another is automatic log-off, which is an "addressable" element. The rule also requires audit controls that record and examine activity within a system; integrity controls that protect data from intentional or unintentional damage or modification; authentication controls that ensure those accessing the system are who they claim to be, through passwords, personal identification numbers, tokens, biometric technology or digital certificates; and transmission security controls that protect information moving through an electronic network (Chin).
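The control families just listed, as an added example that is not from the article or from any vendor system: a self-contained Python module (all function names, the 15-minute timeout and the audit key are constructed for this demo) that implements unique user IDs with password authentication, automatic log-off on inactivity, and an HMAC-chained audit log whose integrity can be verified; transmission security is left to TLS on the network layer and is not shown.

```python
import hashlib
import hmac
import json
import uuid
IDLE_TIMEOUT_SECONDS = 900     # automatic log-off after 15 idle minutes (assumed value)
AUDIT_KEY = b"demo-audit-key"  # constructed; a real system loads this from a KMS/HSM

def enroll(password: str) -> tuple:
    # Authentication control: store only a salted PBKDF2 hash, never the password
    salt = uuid.uuid4().bytes
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _mac(body: dict) -> str:
    return hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def audit_record(audit: list, user: str, session: str, action: str) -> None:
    # Audit + integrity control: each MAC covers the previous MAC, so edits or deletions break the chain
    entry = {"user": user, "session": session, "action": action,
             "prev": audit[-1]["mac"] if audit else ""}
    entry["mac"] = _mac(entry)
    audit.append(entry)

def verify_audit(audit: list) -> bool:
    # Recompute every MAC and check the links; False means the log was tampered with
    prev = ""
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body["prev"] != prev or not hmac.compare_digest(_mac(body), entry["mac"]):
            return False
        prev = entry["mac"]
    return True

def login(user: str, password: str, creds: dict, now: float, audit: list):
    # Unique user ID plus constant-time password-hash comparison; None means denied
    salt, stored = creds.get(user, (b"", b""))
    if not hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), stored):
        return None
    session = {"user": user, "id": uuid.uuid4().hex, "last": now, "active": True}
    audit_record(audit, user, session["id"], "login")
    return session

def act(session: dict, action: str, now: float, audit: list) -> bool:
    # Automatic log-off: once the idle timeout has elapsed the session is closed for good
    if session["active"] and now - session["last"] > IDLE_TIMEOUT_SECONDS:
        session["active"] = False
        audit_record(audit, session["user"], session["id"], "auto-logoff")
    if session["active"]:
        session["last"] = now
        audit_record(audit, session["user"], session["id"], action)
    return session["active"]
```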
Dr. Kibbe explains that encryption is an "addressable" implementation specification under the HIPAA security rule (Chin 2004). A physician is not required to encrypt emails to patients, but he must determine whether encrypting is the proper option. A solo or small practitioner may forgo encryption, but the situation is altogether different for a 16-doctor practice, which should use encryption when sending emails through a secure server, Dr. Kibbe adds. One problem with encryption, however, is that patients must use the same software to decrypt the email messages, according to experts. Physicians can nonetheless use secure web portals, secure messaging networks or virtual private networks to avoid or solve this problem. One such secure messaging network is Medem, Inc., which is partly owned by the American Medical Association.
Physicians complying with HIPAA's security rule need not use anti-virus software, but good practice dictates it to keep a computer system running well, according to Paramore (Chin 2004). Compliance costs will vary from physician to physician and depend on individual needs in meeting the requirements. Compliance with the HIPAA rule will not occur overnight but gradually, and is better begun early. Meeting the risk analysis requirement alone will take time, as a physician cannot proceed very far without first identifying where to best spend one's money and effort in reducing or containing security risks, Dr. Lazarus emphasizes. This phase alone will take from half a day to several weeks, depending on the complexity of the organization (Chin).
Privacy and security are major issues for the medical profession, which HIPAA seeks to address as part of a broad, overall attempt at reforming the health care system (Website Tonight 2003). HIPAA consists of the Transaction and Code Sets, the Privacy Rule and the Security Rule. The Privacy Rule became effective on April 16, 2003 and requires all those covered to thoroughly review their privacy measures and analyze risks and gaps so that they can take appropriate steps to upgrade their practice standards.
Most of HIPAA's requirements became effective on June 30, 1997 (Public Law [HIDDEN]). From then on, group health plans have been obliged to comply with all of the non-discrimination, pre-existing condition and prior-coverage crediting requirements. The Secretary of Labor enforces HIPAA's portability requirements on group health plans under ERISA, including self-insured arrangements. Participants or those covered may file actions or suits under ERISA. The Secretary of the Treasury enforces the health care portability requirements on group health plans, including self-insured arrangements; a violating taxpayer may be subjected to an excise tax.
Local governments exercise control over the group and individual requirements that HIPAA imposes on health insurance issuers, including the sanctions available under local laws (Public Law [HIDDEN]). If a State does not act within its areas of responsibility when a question or problem arises, the Secretary of Health and Human Services may perform that function or exercise that right or duty of the State: the Secretary declares that the State has failed to "substantially" enforce the law, asserts federal authority to take over the enforcement responsibility, and from there imposes sanctions on insurers, including civil monetary penalties, according to law (Public Law 104-191).
HIPAA does not require an employer to offer or provide health coverage for an employee, because health coverage is voluntary; nor does HIPAA restrict the amount or nature of employee benefits (Public Law [HIDDEN]). If a new employer does not provide health coverage, the employee may continue to pay for his or her previous employer's plan under COBRA continuation coverage. An employee who is unable to obtain group coverage may obtain an individual insurance policy from an insurance company. HIPAA guarantees this right to eligible persons who have had coverage for at least 18 months, most recently under a group health plan; who have not had their group coverage terminated because of fraud or non-payment of premiums; who are ineligible for continuation coverage under COBRA or have exhausted their COBRA benefits; and who are not eligible for coverage under another group health plan, Medicare, Medicaid or an equivalent. An employee may obtain an individual insurance policy whether he or she is laid off, fired or quits a job (Public Law).
American Medical Association. HIPAA-Health Insurance Portability and Accountability Act, June 23, 2004. http://www.ama-assn.org/ama/pub/category/4234.html
Centers for Medicare and Medicaid Services. The Health Insurance Portability and Accountability Act of 1996, 2004. http://cms.hhs.gov/hipaa
Chin, Tyler. Data Guard: the Next HIPAA Mandate. American Medical News. Mobile edition. http://www.ama-assa.org/amednews/2004/05/10/bisa0510.htm
Employee Benefits Security Administration. The Health Insurance Portability and Accountability Act of 1996 (HIPAA). U.S. Department of Labor. http://www.dol.gov/ebsa/pdf/fshipaa.pdf
Gellman, Robert. Medical Privacy in the Electronic Age. HIPAA Basics: Medical Privacy fact sheet 8 (a). Privacy Rights Clearinghouse, 2003. http://www.privacyrighs.org/fs/fs8a-hipaa.htm