The key to a HIPAA-safe computer system

April 11, 2003

These commonsense precautions will help safeguard patient data, and keep you out of HIPAA trouble.

By Robert Lowes
Senior Editor

Computer security can be as simple as installing a lock on the door to the room where your server sits.

If you've taken that step, you've taken the first step in complying with the security standard of the Health Insurance Portability and Accountability Act.

You've probably read more than you ever want to about other HIPAA standards governing the privacy of patient health information. But there's more. Next on your to-do list is the security standard, which covers computerized patient data. The final version was published in February, and physicians must bring their practices into compliance with the standard's more than 60 requirements by April 21, 2005.

Don't misconstrue the HIPAA security standard, however, as government gobbledygook designed to tie you in knots. It's simply going to push you to adopt good business practices that you should have instituted long ago. "When it comes to computer technology, let alone security, the medical profession is about 15 years behind the times," says internist C. Frost Lee, a HIPAA expert and president of In-Med, a medical software company in Bend, OR.

The security standard has three goals that nobody can argue with. No. 1 is obvious: ensuring that electronic patient data remains private. Nos. 2 and 3 are maintaining the availability and integrity of that information. Those two goals may sound abstract, but they're life-or-death issues in terms of security, says Margret Amatayakul, a health care computer consultant in Schaumburg, IL.

"If you store patient health data on your server, without offsite backup, and the server is destroyed in a fire, the data's not available anymore, is it?" says Amatayakul, author of HIPAA Made Simple (Opus Communications, 2003). "If a nasty virus turns the data into gibberish, the integrity's gone."

While the security standard sets goals, it doesn't specify how to achieve them, except to say that some safeguards will be administrative (like a ban on sharing passwords), some physical (like that lock on a computer room door) and some technical (like tape backup). Of course, safeguards will invariably overlap, since a technical solution such as tape backup requires a policy on regularly using this technology.

Once you thoroughly understand HIPAA's security standard, you need to conduct a "gap" analysis that compares your practice's current state of computer defenses to what the law mandates. Take an inventory of all hardware and software used in storing, processing, receiving, and transmitting patient data, advises FP David Kibbe, director of health information technology for the American Academy of Family Physicians.

"Be thorough," says Kibbe. "You shouldn't overlook your Palm Pilot or a stand-alone computer that someone uses to write letters to patients." As part of your gap analysis, walk through the office and create a map showing potential security pitfalls.

You'll also need to appoint a security manager for your office. That person—your office administrator, most likely—can be your point person for other HIPAA standards. Much of your HIPAA manager's work will be producing security policies, procedures, and contingency plans that correct problems you find in your gap analysis. You'll need to run all this paperwork by your attorney and then incorporate it into staff training.

The last step toward meeting the HIPAA security standard is an ongoing one—a risk management program that keeps you on your toes. "This means reviewing policies and procedures every year, training new employees, analyzing security breaches and tweaking your safeguards accordingly," says Kibbe. "Security is not a product that you buy. It's a process."

We'll help you get started with the accompanying illustration. For more assistance, see "Breaking through the HIPAA hype" in our Sept. 9, 2002 issue.

Robert Lowes. The key to a HIPAA-safe computer system. Medical Economics 2003;7:62.