A giant HIPAA: new guidelines reach far beyond health care industry.

Author: Bradley, Susan
Position: 2003 Technology & Business Resource Guide: Privacy Protection - Health Insurance Portability and Accountability Act

HIPAA. No, it's not a massive thick-skinned herbivore living in Africa. It's a 289-page rule that covers the handling of EPHI--electronic protected health information, or health information in electronic form.

The Health Insurance Portability and Accountability Act also provides patients with access to their medical records, control over how their health information is used and disclosed, and avenues of recourse if their medical privacy is compromised, among other privacy rights.

Larger firms had until April to comply with the act, while smaller firms (those with fewer than 50 people) have until April 2006.

The act is aimed at the health care field, but any business handling confidential client information should follow the regulations. Further, CPAs can use their skills in understanding and examining information flows within organizations, as well as assessing internal controls and processes for the systems that contain information.

While the act (www.cms.hhs.gov/regulations/hipaa/cms0003-5/0049f-econ-ofr-212-03.pdf) deals with privacy, it does not contain specific actions to take. HIPAA was designed to be flexible, allowing companies to select technologies and processes that are most appropriate to them.

SAFEGUARDS

There are three safeguards to keep in mind: administrative, physical and technical.

Administrative safeguards ensure that the day-to-day operations involved in handling private patient data are documented, managed and controlled. One individual must be assigned responsibility for the security of this information. Employees who handle the information must be trained so that private documents are handled consistently at all times.

Next, the rules require policies detailing who has access to the data, who properly authorizes that access and the levels of appropriate access. The security plan should further document emergency procedures needed if systems containing this private information are damaged. When third-party vendors are used to process and handle data, their procedures must follow HIPAA guidelines.

These safeguards need to be periodically reviewed to ensure they are in compliance. Reviews should discuss sources of threats, ranging from internal users to the public; probability of exploitation; the impact of the exposure; and recommended actions to fix the problems. The report should reflect the true risks and include analytical insight from experts, not just a reliance on audit tools.

Physical safeguards...
