HIPAA Today -- The next wave: The security standards
How would you answer the following question? Dr. Smith is prescribing a medication for Mr. Jones, and asks if he would prefer to (a) have the prescription telephoned to the pharmacy, (b) have a written (paper) prescription faxed to the pharmacy, or (c) have an electronic prescription e-mailed to the pharmacy. Of the above "forms of transmission," which is subject to the HIPAA security standards to be implemented by April 20, 2005?

HIPAA security standards

As this issue of Drug Topics arrives, pharmacies will have one year to prepare for and implement the HIPAA security standards. Over the coming months, various aspects of these standards will be addressed to assist with your implementation of these requirements.

The security standards are in addition to the Health Insurance Portability & Accountability Act's privacy standards. The privacy standards focus on rules for use and disclosure of protected health information (PHI); the security standards focus on administrative, physical, and technical safeguards to protect the availability, integrity, and confidentiality of "electronic PHI." The security standards are designed to protect electronic PHI both while "stored" in the pharmacy and while in transmission.

Although the focus is different, the standards are linked. An electronic prescription claim serves as a demonstration. The privacy standards apply to the pharmacy's use and disclosure of the PHI (i.e., name of patient and medication) contained in the prescription. The security standards apply to protection of that PHI while stored in the pharmacy computer and to the safeguards present during the on-line adjudication/claim process. There are 18 security standards and 36 implementation specifications in the privacy standards.

An example standard is the requirement that a covered entity adopt "policies and procedures for responding to an emergency or other occurrence that damages systems that contain electronic PHI." Associated with this standard are the following implementation specifications:

- Data backup plan (required)
- Disaster recovery plan (required)
- Emergency mode operation plan (required)
- Testing and revision procedures (addressable)
- Applications and data criticality analysis (addressable)

If an implementation specification is designated as required, it must be implemented by the pharmacy. If designated as addressable, the pharmacy must assess whether the specification is an appropriate and reasonable safeguard in its environment, analyzed with reference to its likely contribution to protecting the pharmacy's electronic PHI. The pharmacy must implement the specification if it is appropriate and reasonable. If not, the pharmacy must document why not, then implement an equivalent, alternative measure that is appropriate and reasonable.

The answer to the question

To answer the question, you must know three things. First, the security standards are applicable only to electronic PHI. Second, electronic PHI is defined as PHI that is maintained in or transmitted by electronic media. Third, electronic media are defined as: (1) electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or (2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), an extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.

Certain transmissions, including of paper via telefacsimile and of voice via telephone, are not considered transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

If you selected (c) in answer to the question above, you are correct. Choices (a) and (b) are incorrect, since the prescription was never in electronic form. Choice (b) would be correct if, instead of faxing a "paper prescription," the physician entered the prescription into a computer and faxed it directly from the computer to the pharmacy.

Conclusion

A significant knowledge base must be acquired, and several activities carried out, over the coming year. Everyone likely wonders how complying with the security standards will compare with complying with the privacy standards. In many respects they are similar; the security standards require appointing a security official, adopting policies and procedures, and workforce training. As Yogi Berra is credited with saying, it's déjà vu all over again.

By Walter L. Fitzgerald Jr., R.Ph., J.D.

THE AUTHOR, a pharmacist-attorney, is a professor of pharmacy at the University of Tennessee College of Pharmacy and author of the NCPA HIPAA Compliance Handbook for Independent Pharmacy. To access the NCPA Web site, go to: www.ncpanet.org.