Implementing HIPAA Security in a Membership Organization

Transcription

1 him14406.qxp 11/9/00 10:35 AM Page 53 Implementing HIPAA Security in a Membership Organization Lynne P. Hillabrant; Karen E. Gaignard ABSTRACT The upcoming HIPAA security regulations are forcing a change in business and operating procedures that many, if not most, healthcare organizations are ill-prepared to tackle. Of all healthcare organizational structures, membership organizations will most likely face the greatest number of obstacles in preparing for and implementing the HIPAA security regulations. This is because the membership organization as a whole must find a way to accommodate the disparate technologies, business and operating methodologies and processes, and available, limited resources of its individual member organizations, and integrate these into a uniform implementation plan. Compounding these obvious difficulties is the unique challenge of enforcement authority. The individual member organizations are autonomous business entities, whereas the membership organization as a whole merely acts as an advisor or consultant, and has only limited enforcement authority over any individual member organization. This article explores this unique situation in depth. We focus on PROMINA Health System, a nonprofit healthcare membership organization that consists of five disparate member healthcare organizations. We examine the challenges PROMINA has encountered in its quest to institute an organization-wide HIPAA security program and its methodology for accomplishing program implementation. KEYWORDS HIPAA Security Education Assessment Membership organization Risk assessment Gap analysis Baseline assessment Inventory JOURNAL OF HEALTHCARE INFORMATION MANAGEMENT, vol. 14, no. 4, Winter 2000 Healthcare Information and Management Systems Society and Jossey-Bass Inc., Publishers 53

2 him14406.qxp 11/9/00 10:35 AM Page Hillabrant, Gaignard Introduction In recent years, a number of healthcare organizations have published a significant number of articles on a wide-range of subjects related to the Health Insurance Portability and Accountability Act (HIPAA), with the exception of how it applies to membership-type organizations. In spite of this shortcoming, many of these articles have provided a solid educational platform for those of us in the healthcare industry who will be responsible for bringing our organizations into compliance with the HIPAA regulations. They provide a basis from which we can start customizing the implementation process and building a compliance program to meet the needs of our respective organizations. These educational resources provide a starting point and continuing direction in developing an HIPAA implementation program suited to the unique needs of a membership health organization. This article addresses the gap in HIPAA-related literature as it relates to implementing the HIPAA security regulations in membership health organizations. Typically, a membership organization is one in which each member entity or organization operates as a sovereign entity, with its own CEO, board of directors, organizational direction, and so on. At the enterprise level there is another, distinct organization, with its own CEO, board of directors, organizational direction, and so on. Administrative functions are decentralized, except for those areas where all entities agree to operate at the enterprise level. This organizational structure creates a natural imbalance of goals and a unique set of challenges in managing this imbalance. Goals For all healthcare organizations, the primary goal of implementing HIPAA security is to develop a comprehensive security program that addresses all the HIPAA administrative, procedural, and technical requirements and still maintains workability for all parties in day-to-day operations. In a membership organization, such as PROMINA Health System, there exists the additional goal of allowing each member entity to maintain its individual identity based on its organizational business culture while providing for enterprise-wide integration and information sharing. Meeting these goals in any healthcare organization takes a comprehensive set of management skills, including marketing, planning, coordination, mediation, innovation, and attention to detail. These skills are critical when building an HIPAA implementation team, when assessing the needs of each member entity and the enterprise as a whole, and when developing an implementation plan. In this article we center our attention on some of the management skills required during the early stages of implementing HIPAA security in the areas of education, assessment, and planning in a membership organization.

3 him14406.qxp 11/9/00 10:35 AM Page 55 Implementing HIPAA Security in a Membership Organization 55 Challenges A membership organization, such as PROMINA Health System, presents challenges generally not encountered by other types of healthcare organizations when implementing HIPAA security. Each member entity has its own organizational structure, culture, and business methodologies based on serving the needs of the surrounding community and facilitating the services provided by its practitioners and staff. When multiple entities in an administratively decentralized organization seek to implement HIPAA compliance, challenges inevitably arise out of conflicting needs based on these individualized cultures and methodologies. These challenges compound the universal challenges common to implementing security in all healthcare organizations regardless of size or business model. The primary challenges are finding the common ground, assessing the differences, determining the possibilities for the integration of strategies, and developing a solution that is more or less equally viable for all participants. While maintaining each entity s individual identity and meeting its specific needs based on its existing technologies and methods of doing business, it is also necessary to establish compatibility across the organization in order to share information and perform needed functions on an enterprise-wide basis. Although the process is basically the same as with single-entity or centrally administrated organizations, implementing HIPAA security in a membership organization requires additional layers of activities, and an even greater attention to detail during each step of the implementation process. When the challenges are met effectively, a common baseline is formulated for implementing HIPAA security on both the business and the technical side. This common baseline allows for business needs and operational concerns to be met on an enterprise-wide basis in a decentralized administrative environment, while still providing for the members, or local integrated delivery systems (LIDS), to meet business needs and conduct operations in a manner suited to their specific environment. Methodology Methodology is a key factor in meeting the goals and addressing the challenges of HIPAA security compliance. When developing as security program it is important to look for those elements common to most, if not all, LIDS. These common elements form the basic building blocks for each phase of the program, as well as create a basis for allowing differences to effectively coexist. This approach needs to begin at the earliest phases with education, appointing participants, and assessment activities and culminate in creating the tools for implementation and establishing an ongoing compliance audit program. As with single-entity organizations, early phases are critical. Education, appointing participants, and assessment are the building blocks for a successful security program.

4 him14406.qxp 11/9/00 10:35 AM Page Hillabrant, Gaignard Education. Education needs to be accomplished at multiple levels throughout the member organizations, or LIDS, and the enterprise-level organization. The critical factors in education and awareness are uniformity of concept and information, and the provision of an appropriate level of detail and information relevant to the specific audience. From the beginning, when implementing HIPAA security, it is important to remember the ties that must be established between the compliance programs for the HIPPA security regulations and the HIPAA privacy regulations. A close interactive relationship must be established between the two programs to successfully implement the programs and to be effectively compliant. The HIPAA privacy regulations define what we must protect with the security program we develop to achieve compliance with HIPAA regulations. It is critical to clearly understand the information that must be protected so we can identify where that information resides and how it travels through the healthcare entity. The education process for a decentralized membership organization starts at the same level as with a single-entity or administratively centralized organization. This starting point is the executive level. It is the role of the executive group to establish the high-level organizational approach that will be taken to implement HIPAA security. Because executive support is critical to the success of the program, a clear definition of what is meant by executive support, how it will be represented, and how it will be achieved must be established. 1,2,3 For example, in a multi-entity organization, education at the executive level must include the CEO from each member entity together with the enterprise CEO. Because there is limited time for education, and to garner support at this level, HIPAA education should be approached from a business impact standpoint, illuminating both the adverse impact of noncompliance and the benefits of compliance. Although pointing out the negative effects of noncompliance is easiest, it may not be effective by itself. Fines for noncompliance, civil suits, and so on may gain attention, but demonstrating how security can enhance business operations and provide a return on investment of man hours and technology costs required for implementation can result in a more long term commitment and positive attitude. This approach places HIPAA security in the role of not only something we must do, but something we want to do, and reduces the level of stress associated with commitment. For example, HIPAA security provides an opportunity to implement compatible policies, procedures, and technologies that will simplify, expedite, and enhance the exchange of information between member entities, while providing patients with an enhanced level of confidence in our health systems respect for their privacy. When seen as a vehicle for improving both process and image, HIPAA security is a more palatable commitment. What type of commitment do you want to elicit from the LIDS CEOs? You should expect them to make HIPAA a priority effort throughout the organization; to establish an inter-lids HIPAA governing body to oversee the HIPAA

5 him14406.qxp 11/9/00 10:35 AM Page 57 Implementing HIPAA Security in a Membership Organization 57 effort; to provide representatives from each LIDS to this governing body or group; to endow the group and its members with the authority to speak and act for each member LIDS and the organization in respect to implementing HIPAA compliance; to set the goal of implementing compatible technologies, or, preferably, the same technologies among the member entities; and to implement compatible or comparable policies and procedures. The executive group should back their commitment to these elements by publicly promoting this effort in their communications within and between their respective organizations, by providing the representatives with the appropriate authority, and expecting accountability from the representatives to the HIPAA governing body. 1,2 Once appointments are made to the HIPAA governing body or group, and the group has convened, educating that group on the impact of HIPAA on the individual LIDS is critical. Most likely, your HIPAA governing group will be composed of executives, such as CIOs, CCOs, and business-area directors. This group serves as the steering committee for HIPAA compliance and must fully understand that each area of HIPAA compliance (privacy, security, and electronic administrative transactions) requires an active task force or group. This steering committee must have the authority to create the task groups and provide participants from each member LIDS or entity who have the appropriate business or technical knowledge for the group being formed. The members of these groups need to be given the authority to act on behalf of their organization within the charter of these groups. For example, the role of the inter-lids HIPAA security task group would include developing an enterprisewide approach to authentication, inclusive of a base policy acceptable to all members; compatible customization of policies or additions to the base policy to meet specific entity needs; and either selecting enterprise-wide technology for authentication, including product type and methodology for implementation, or facilitating an agreement that all entities will use digital certificates, and defining the requirements to be met so the technology will be compatible across the organization. Although many of the participants in the HIPAA security task group may be knowledgeable about security technology, it is likely that this group will still require some technology education. Technology education is important not only to improve the understanding of those in the group who are not already technology literate, but to provide a common baseline or reference point for all group members on how each LIDS will define these technologies. Establishing this reference point early is critical for the successful completion of the assessment phase. In conjunction with educating the specific groups responsible for implementing HIPAA security, it is important to begin general education for HIPAA security throughout each and every member organization. Although you may not have all your policies and procedures in place at this phase, or have implemented selected technologies, early adoption of an education program to establish awareness of the importance of HIPAA and how it will affect the organization provides your employees with a head start on understanding

6 him14406.qxp 11/9/00 10:35 AM Page Hillabrant, Gaignard the impact, and prepares them for probable changes in the way they conduct their daily duties and responsibilities. 1,2,4 Assessment. The successful assessment of a membership organization s current environment and status, in respect to HIPAA security, requires careful planning. If common understandings are not defined through early education and incorporated into the planning phase of the assessment, it is doubtful the results of the assessment will be useful for achieving compliance on an enterprise-wide basis or for enabling a successful interaction between the entities. The assessment phase has three steps: (1) baseline assessment, (2) gap analysis, and (3) risk assessment. Throughout all stages of the assessment phase it is important to remember that security does not stand alone in respect to HIPAA. The privacy requirements define the information that must be protected. This relationship must be taken into consideration during the baseline assessment stage, which is primarily an inventory of your current organizational environment with respect to policies, procedures, processes, practices, data, and technology for security. It is necessary to include all systems, applications, and network resources that generate, store, send, or receive confidential data within and between the members of the organization as well as with outside businesses and organizations. 1,2 Baseline Assessment. In order to achieve assessment results that can be compared and evaluated effectively, it is necessary to create common tools for conducting each phase of the assessment. For the baseline assessment, a standard set of information should be gathered. You should supply each member organization with standard forms for information gathering; a list of departments to be inventoried and assessed; and clear, step-by-step instructions for conducting the process. Standard forms increase the chances of all LIDS collecting the same or equivalent information. The form information should be separated into at least two major areas documentation and technology. Under documentation, the following categories should be listed: policies, procedures, processes, practices, undocumented practices, training, and forms. Under technology, the following categories need to be included: systems, applications, devices, network services, communications, and physical security systems. Every department inventory should be documented on a separate form. Instructions for completing the assessment and documenting the results should include definitions and parameters for the inventory. For example, standard definitions should be established for policy, procedure, process, and practice. In addition, parameters should encompass what items will be considered for inclusion in each category, based on definitions of generating, receiving, transmitting, or storing confidential data. Instructions should also include typical sources, individuals or departments, to consider when gathering the information, along with emphasis on a standard manner for recording information. For example, when recording an application for inventory, a minimum

7 him14406.qxp 11/9/00 10:35 AM Page 59 Implementing HIPAA Security in a Membership Organization 59 set of information would include who owns the application and its data, who uses the application, the primary purpose of the application, the application vendor, and the party responsible for the system (information systems or vendor). Gap Analysis. At the LIDS level, the second step in the assessment phase is the gap analysis. The gap analysis takes the information gathered during the baseline assessment and compares it against the HIPAA security requirements to determine what requirements are not presently being met for each of the elements from the baseline assessment. This process evaluates the readiness and vulnerabilities of the organization. 1,2,3 As with the baseline assessment, one of the most important considerations is using common tools and methodologies. Because of the flexibility built into the HIPAA security rule, a standardized list of the HIPAA security requirements must be defined as part of the gap analysis. This will require clear definitions for all of the requirements and implementation features in the HIPAA security matrix. Because the HIPAA security rule allows for flexibility with respect to which features are implemented to meet the requirements, all features should be listed and defined on the form used to record the results of the gap analysis. It is mandatory to include the documentation component necessary for each requirement or feature as part of the gap analysis. 2 A standard metric must also be defined to evaluate the actual gaps and vulnerabilities. For example, numerical values assigned to differing states of readiness: 2 A building access control system is in place. Access cards are collected by human resources when an employee leaves, but there is no documented process for canceling the user s access. Readiness equivalent: partial control and process Readiness value: 1 A laboratory application is in place that maintains patient lab results. The application is an older version that does not provide audit trails of who accesses patient results. Readiness equivalent: no control or process Readiness value: 0 You should work closely with the inter-lids task groups to define the levels of readiness equivalency and the associated numerical values that will be acceptable to all member LIDS. The gaps and vulnerabilities at the LIDS level should be recorded separately for each department and category inventoried in the baseline assessment. Due to the flexible and scalable nature of the HIPAA security rule, and despite the assignment of quantitative values, it is necessary to assess the differences between the LIDS in how the requirements are or are not met. In order to meet this need, each requirement or feature should be

8 him14406.qxp 11/9/00 10:35 AM Page Hillabrant, Gaignard commented on. This is particularly useful in explaining those entries where compliance is partial, or where a specific method or technology is used to meet the requirement based on the optional features presented in the HIPAA rules. For example, does the system define access as role-based, unique user ID, or context-based? It is important to remember that each of the categories under technology has both a technical and an administrative documentation component that must be met for HIPAA requirements, and should be assessed during the gap analysis (for example, training materials for a particular application or device; and testing, maintenance, and upgrade schedules for systems, applications, devices, and services). Risk Assessment. At the LIDS level, the third step in the assessment phase is the risk assessment. The risk assessment evaluates the gaps and vulnerabilities found in the gap analysis to determine the actual risk or probability of predetermined occurrences, and the impact such occurrences would have on the organization. 1,2 As with the first two phases of the assessment, common tools and methodologies must be used by the member LIDS. Common definitions of the risks, as well as the method for evaluating the impact of the risks, must be agreed upon. Also, common definitions for types of impact must be developed. Although the actual level of risk and level of impact for each risk may vary across the LIDS, the risks should be assessed using the same structure used in the first two steps of the assessment phase. This allows for easier project planning and implementation, because it breaks down the areas to be addressed into responsibility areas, and allows for differing requirements, depending, for example, on the use of the application and on the requirements of the business process for that particular requirement within each LIDS. 1,2 A matrix can be developed to record the risk assessment, with columns for risk descriptions, probability of occurrence, impact definitions, impact value, and overall assessment value. Either a numerical or lowmedium-high value can be assigned to the probability of occurrence and impact value. If using a numerical value, the overall assessment value can be calculated using the formula: Probability of Risk Occurrence Impact Value 2 Enterprise-Wide Assessment. After the assessment phase has been completed at the LIDS level the typical membership organization must use the individual assessments conducted at the LIDS level to conduct an enterprisewide assessment. In order to conduct an enterprise-wide assessment, it must be determined which of the baseline inventory entries cross boundaries and are used either organization-wide or between specific member LIDS. The ownership and users of inventoried resources identified in the individual LIDS baseline assessments should provide the information needed for this

9 him14406.qxp 11/9/00 10:35 AM Page 61 Implementing HIPAA Security in a Membership Organization 61 process. For example, more than one LIDS or all LIDS may use data from a master patient index or a physician credentialing application. The elements identified in this process provide a separate baseline assessment where HIPAA security must be addressed on an organization-wide basis. Once it is known what confidential data is shared between the LIDS, the administrative component of HIPAA; such as, policies and procedures, and specific components of security technology, become an enterprise-wide process compatibility issue as well as a compliance issue. Risk factors may increase or risks may be added as the environment in which the information is exchanged expands. Outside of the boundaries of those elements identified as enterprise-wide issues are additional issues to be addressed; such as, the enterprise-level organization s degree of responsibility and activity in the LIDS-level compliance efforts. When data from any of the baseline inventory entries crosses the boundaries between LIDS there are multiple issues to be considered and addressed. These issues include privacy and confidentiality policies and related business processes that must be reviewed, in addition to a standard base policy and process that must be developed. Because the enterprise-level organization does not generally own the data, it should act as a facilitator for bringing the member LIDS to agreement on a common privacy and confidentiality policy. The enterprise-level organization should agree to abide by those policies and processes with regard to those services they provide to their member LIDS that in any way come in contact with or affect protected information. Agreement on these issues is critical to identifying the security issues to be addressed on an enterprise-wide basis, because the information shared on that basis is the information that must be secured. The approach used for security issues in the baseline assessment is a variation on the approach used for privacy issues. Security is a two-fold concern containing a significant technology component and a policy and procedure component. With security policies and procedures, as with privacy policies and procedures, the primary role of the enterprise-level organization is one of facilitation to bring the member organizations into agreement on a baseline policy. Some procedures may still vary within the individual member organizations in order to meet the specific operational needs of different organizational cultures. The process to develop a baseline policy should be approached using the results of both the LIDS-level and enterprise-level gap analyses and risk assessments. If none of the members have formal policies and procedures for information access control, development of baseline policies and procedures for use by all members and the enterprise-level organization must be investigated. A typical baseline policy might include requirements for minimum user information, approvals required to establish accounts, requirements for temporary accounts, period for terminating accounts with no activity, and terminating accounts upon employee dismissal. Variations in the actual

10 him14406.qxp 11/9/00 10:35 AM Page Hillabrant, Gaignard procedures for how these activities are accomplished might be dependent on the individual member organization s business operations. Addressing security technology issues on an enterprise-wide basis in a membership organization is a more difficult process. Again, the results of the individual member assessments and the enterprise-wide assessment must be combined to effectively address compatibility issues and HIPAA requirements. Lack of security technology compatibility in meeting HIPAA requirements will result in end-user frustration and difficulty administrating technical security services and mechanisms. Most likely, it will be difficult to get all members to agree on using specific vendors for security technology and, in some cases, difficult to get them to agree on even using the same security technology for such processes as user authentication. In some cases one member may want to use biometrics for additional authentication for access to electronic medical records, while another member may want to use tokens. Some members may want to use digital certificates for authentication, but there may be differing opinions on whether they want them application-based or network-based. How are these issues resolved to enable data sharing across the enterprise? If these issues are resolved for sharing data across the enterprise, how will the resolution affect the security solutions for those systems, applications, or any other entry in the individual member s baseline assessment where data is not shared? Will the solution increase user frustration and the complexity of security administration by requiring multiple solutions within that organization? To aid in addressing these questions, it is important to establish a baseline qualitative measure for whatever security technologies are considered or deployed, either on an enterprise-wide basis or on a LIDS-level basis. Using widely accepted security industry standards as requirements for selecting technologies is a beneficial approach. Establishing this baseline for selecting the technologies increases the chances of achieving compatibility and interoperability if different vendor products are selected. Additionally, a baseline should be set for other basic compatibility and interoperability issues, such as product platform compatibility and network platform compatibility. A tandem resolution process will be necessary for LIDS responsibilities found within each membership organization while the enterprise issues are being addressed. This process must address the issue of level or degree of responsibility for the enterprise-level organization in helping the LIDS meet compliance requirements at their local level. The answer to this issue is dependent on the business arrangement between the members and the enterpriselevel organization in relation to level of service. In general, for this type of business environment a consulting type arrangement works effectively. The enterprise-level organization provides consulting services to its members for both planning and implementation of HIPAA security requirements at both the LIDS-level and the organization-wide level. Advantages of this type of arrangement include a reduction in overall resources required by the

11 him14406.qxp 11/9/00 10:35 AM Page 63 Implementing HIPAA Security in a Membership Organization 63 member organizations to manage planning and implementation of security requirements, continuity in process, compatibility in process allowing for better monitoring of progress, and comparable and equable results that provide the enterprise-level organization with a means to account for due diligence and meet legal responsibilities. Conclusion The process of implementing HIPAA security in any healthcare organization will most likely require significant business reengineering. In a membership organization, the amount of business reengineering required increases exponentially. If the business issues are not addressed in the early stages of education, assessment, and planning, then the technology issues for HIPAA cannot be addressed successfully. If neither of the business issues nor the technology issues are effectively communicated, assessed, and planned for in the early stages, the HIPAA security implementation will be significantly more trying and expensive for the membership organization. PROMINA Health System is a local, nonprofit group of physicians, hospitals, and health services created by healthcare providers who serve the communities of metropolitan Atlanta. The network was formed to ensure each community s access to a full continuum of high-quality, cost-effective healthcare. By affiliating, healthcare providers share the benefits of a large system without losing community ownership. PROMINA is committed to the philosophy that helping people maintain good health is as essential to a community s well-being as the treatment of illness. References 1. Baker, and others. The 2000 Guide to Health Data Security. New York: Faulkner and Gray, Inc., Draft HIPAA Security Summit Guidelines, Shared Medical Systems. 3. Zender, Anne. Next Steps? First Steps? Getting a Grip on HIPAA Security Standards. Journal of AHIMA, 28 32, April Manning, S. Taking the Lead in Compliance Education. Journal of AHIMA, 20 22, April About the Author Lynne P. Hillabrant is the HIPAA program director for PROMINA Health System of Atlanta, Georgia. Karen E. Gaignard is the project manager for data integration and security at PROMINA Health System of Atlanta, Georgia, the largest community-based, nonprofit healthcare system in Georgia.

12 him14406.qxp 11/9/00 10:35 AM Page 64