In the wake of our March cover feature, "Anticipating HIPAA: An Exercise in Patience and Preparation," the U.S. Department of Health and Human Services handed down the final security standards governing the protection of individually identifiable health information when it is transmitted electronically.
That means the guessing game is over. It also means that the issue of securing patient data can no longer be ignored, put off or denied. The deadline for compliance now has real numbers attached to it, and they read like this: April 21, 2005.
Stephen L. Grimes, chairman of the American College of Clinical Engineering (ACCE) task force formed to help educate clinical engineers and biomeds about their responsibilities under HIPAA's security provisions, observes that the final rule narrows the scope, for the time being, to cover just what it calls electronic protected health information (PHI): information that can identify a patient in some way, be it by name, phone number, zip code or treatment date.
Not covered in the final rule, but acknowledged as a candidate for security standards down the road, is health information or protected health information in nonelectronic form.
In contrast, the proposed rule had suggested covering in one swoop all health information related to an individual.
"I think what they're trying to do is narrow the scope in order to align it more closely with the privacy rule and also to give a smaller bite for folks to take on over the next two years," Grimes opines.
But a less comprehensive rule doesn't necessarily translate to less work for clinical engineering departments and biomed shops.
One reason is pragmatic: If your department is putting forth the effort to do an inventory of healthcare data and a risk assessment on several hundred medical devices, why do the job halfway and be forced to repeat some of that exercise to accommodate changes in the rule? And don't forget that the continuing march to integrate technologies and systems means that, sooner or later, all of that information will be considered electronic protected health information and subject to the HIPAA security provisions. Think of the Integrating the Healthcare Enterprise (IHE) initiative, already in its fourth year.
Another reason is that it's simply good practice.
"You may have a monitoring system that doesn't identify a specific patient but has health information related to that patient," offers Grimes. "You should be aware of the type of information that the monitoring system or device contains. You should be aware of what the risk of compromise to the integrity, availability or confidentiality of that information is, for even though that information is not individually identifiable, at some point you're going to be asked to establish policies, procedures and systems to make sure those things are protected."
"But the bottom line is, we need to do good practice," he says. "That's the standard you're going to be held to."
The final rule isn't devoid of heart, by the way. Subsection 164.306(b) affords healthcare providers flexibility in their approach to securing electronic PHI. And that continues a trend that Grimes deems important. Remember when the Joint Commission on Accreditation of Healthcare Organizations dictated that electrical safety inspections be conducted four times a year on all biomedical equipment? Now clinical engineering departments determine their critical items and set their own inspection timetables.
"From an intelligent and best-practice standpoint, it's important to have that flexibility," Grimes remarks. "You need to be able to prioritize your issues, deal with the ones that are most critical at first."
Individual biomeds and clinical engineers, meanwhile, would do well to scope out the rule's particulars. Begin by looking up the exact wording in the Feb. 20, 2003, Federal Register. Attend seminars. Read articles. Get involved with others in your organization who also have a stake in ensuring HIPAA security: the Information Services or Information Technology folks, for example.
And above all, continue with good practice.
Marie S. Marchese