December 2004 Bulletin

HIPAA Security Regulations: The next hurdle

Compliance deadline is April 21, 2005—will you be ready?

By Steven E. Fisher, MBA

HIPAA, the Health Insurance Portability and Accountability Act of 1996, consists of five sections or “titles.” Title II, “Administrative Simplification,” requires that the Department of Health and Human Services (HHS) create national standards for “Protected Health Information” or PHI.

The standards are intended to facilitate the electronic transfer of PHI between health care organizations, including providers and payers. The rationale for moving in this direction is simple: paper transmission of PHI is more expensive than electronic data interchange (EDI), and health care costs, including those borne directly by the government and indirectly by taxpayers, have escalated rapidly in recent years.

Ultimately, there will be at least nine sets of regulations on PHI. Covered entities, including most orthopaedists’ offices, must already be in compliance with several sets of Title II standards, including Privacy, Unique Employer Identifiers, and Transactions and Code Sets. For previous articles on these regulations, refer to the Bulletin online and the Academy’s online Practice Management Center.

The next set of HIPAA regulations relates to the Security of E-PHI (PHI in electronic form) and will go into effect on April 21, 2005. This is the first of two articles pertaining to the HIPAA Security Regulations. This article includes general information in the form of questions and answers summarizing nearly 100 pages in the Federal Register on the Security regulations. The February 2005 Bulletin will include practical advice on complying with the Security regulations.

About the rule

Q. Who must comply with the Security regulations?

A. Virtually all physicians are now considered “Covered Entities” (CEs) and must comply with the Security regulations. The Administrative Simplification Compliance Act of 2002 made virtually all doctors, except those practicing in the smallest environments, Covered Entities by prohibiting HHS from paying Medicare claims that were not submitted electronically after October 16, 2003 unless (i) the practice submitting the claims employed fewer than 10 full-time equivalent staff and (ii) the Secretary granted a waiver. Naturally, once you become a CE under HIPAA, you must comply with all of the regulations that apply to you.

Q. When must I be in compliance with the new Security regulations?

A. The compliance date for physicians is April 21, 2005.

Q. What kind of information is covered under the Security regulations?

A. The final Security regulations apply only to PHI (information about the past, present or future health of a person who can be identified via any means) stored or transmitted in electronic form, or E-PHI. This means they are more limited in scope than the Privacy regulations, which apply to PHI in any form. The final regulations clarify that electronic storage media include memory devices in computers (hard drives) and removable/transportable digital memory media (tapes, disks or digital memory cards). Electronic transmission includes transmission via the Internet, leased lines, dial-up lines, private networks and “the physical movement of removable media.” Paper faxes and telephone voice transmissions are not considered “electronic transmissions” because the information did not previously exist in electronic form.

Possible penalties

Q. What are the potential penalties for not complying with the regulations?

A. Both civil and criminal penalties may be applied. Civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison, up to $250,000 in fines and 10 years in jail. Further, failure by a CE to meet the Security standards can constitute a violation of the Privacy regulations if lack of security permits an unauthorized use or disclosure of E-PHI.

Note: To avoid the risk of double violations (and hence double sanctions), practices should consider placing the ultimate responsibility for both privacy and security under the same manager. That manager should not, however, work in isolation. At least one practice principal, ideally the managing partner if the practice has more than one physician, should work closely with the manager. Remember, under HIPAA, you, not your administrative staff, are the Covered Entity.

Q. What guiding principles did HHS use in developing the Security regulations?

A. HHS wanted the regulations to be:

Q. Briefly, what do the Security regulations require?

A. The Security regulations require each CE to: (a) ensure the confidentiality, integrity and availability of E-PHI that the CE creates, receives, maintains or transmits; (b) protect against any reasonably anticipated threats or hazards to the security or integrity of this information; (c) protect against any reasonably anticipated uses or disclosures of the information that are not permitted by the Privacy Rule; and (d) ensure compliance by the CE’s workforce.

Actual requirements

Q. What types of safeguards must covered orthopaedic practices implement?

A. The final Security regulations are organized into three broad categories: administrative, physical and technical safeguards.

Within these categories are 18 “standards,” 12 with implementation “specifications” and six without. Implementation specifications are either “required” or “addressable.” Required specifications are required for a CE to comply with the Security regulations. Addressable specifications permit a CE to assess whether the specification is a “reasonable and appropriate” safeguard within the context of the organization’s own environment (considering size, complexity, level of information systems sophistication, level and extent of potential risk to E-PHI, and other issues). A list of the standards within each type of safeguard accompanies this article.

Q. What kind of documentation must CEs maintain under the Security regulations?

A. CEs must maintain all documentation (such as policies and procedures) required under the Security regulations for six years from the date of their creation, or from the date when they were last in effect, whichever is later.

Documentation must be available to the staff responsible for implementing the policies and procedures. In addition, periodic reviews, revisions and updates of the documentation are required.

Q. What is the best way to begin complying with the regulations?

A. The first step is not only a required one (under the administrative safeguards), it is also one that makes practical sense: undertake a risk analysis. This is key because without it, the safeguards you implement may not have any impact on the real security threats. The February 2005 Bulletin will outline one approach to doing a risk analysis.

Basically, you and your security officer should begin by cataloging the computer systems and databases in your practice where E-PHI is stored or transmitted. Next, determine the threats that might exist, such as loss of data, inability to gain access to data and the possibility of inappropriate disclosure. Third, ascertain the source of each threat (such as hardware, software, environment or operational practices). Fourth (and this is also key), estimate both the likelihood of a security violation and the seriousness of a violation. Based on this, you will be able to identify the applications to which security safeguards should be applied first. Do not attempt to “fix” all of your applications at the same time. Do develop a plan for moving forward that includes a timetable, responsibilities and cost estimates (particularly for the physical and technical safeguards).

Q. Must I take some action on every security threat for every one of my E-PHI applications?

A. No. In every instance, you have three choices: (1) you can take steps (whatever they may be) to mitigate the security threat; (2) you may elect to transfer that risk to a third party and pay for it (buy insurance); or (3) where the likelihood of a threat materializing is sufficiently low and the impact is sufficiently minor, you may simply elect to accept that the threat exists and do nothing about it for the time being. Taking any of these three actions is acceptable under the Security regulations as long as you have objectively analyzed the situation and made a conscious decision. Of course, the wisdom of your decision could be questioned if your estimates of “likelihood” and “impact” prove wrong. However, if you undertake a risk analysis, you are far less likely to be second-guessed. The government’s goal is not to make examples of well-meaning CEs but to create an environment in which E-PHI can be transmitted and received safely and quickly, thereby decreasing costs.
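The risk analysis steps described above (catalog the systems holding E-PHI, list the threats, identify their sources, estimate likelihood and impact, then decide what to fix first) and the three treatment choices, worked through as a small risk register. This is an added example, not code from the Bulletin article or from AAOS; the 1-to-5 scales, the acceptance and transfer thresholds, and the sample systems and threats are constructed assumptions for illustration.

```python
"""Risk register for the risk analysis steps described in the article.

Added example; it is not part of the Bulletin article or any AAOS tool.
The systems, threats, the 1-5 likelihood/impact scales and the treatment
thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Treatment(Enum):
    """The three choices the article allows for each threat."""
    MITIGATE = "mitigate"  # take steps to reduce the threat
    TRANSFER = "transfer"  # pay a third party to carry the risk (insurance)
    ACCEPT = "accept"      # consciously live with it for the time being


@dataclass(frozen=True)
class Risk:
    system: str       # step 1: application or database holding or moving E-PHI
    threat: str       # step 2: loss, inability to access, inappropriate disclosure
    source: str       # step 3: hardware, software, environment, operational practice
    likelihood: int   # step 4: assumed scale 1 (rare) to 5 (almost certain)
    impact: int       # step 4: assumed scale 1 (negligible) to 5 (severe)

    def __post_init__(self) -> None:
        # Reject estimates outside the assumed scale so scores stay comparable.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    def score(self) -> int:
        # Simple likelihood x impact product; higher means address sooner.
        return self.likelihood * self.impact


def recommend(risk: Risk) -> Treatment:
    """Map a scored risk to one of the three treatments (assumed thresholds)."""
    # Accept only when likelihood AND impact are both low, as the third choice requires.
    if risk.likelihood <= 2 and risk.impact <= 2:
        return Treatment.ACCEPT
    # Rare but severe losses are the classic case for transferring risk (insurance).
    if risk.impact >= 4 and risk.likelihood <= 2:
        return Treatment.TRANSFER
    # Everything else needs actual safeguards.
    return Treatment.MITIGATE


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by name so the order is reproducible."""
    return sorted(register, key=lambda r: (-r.score(), r.system, r.threat))


def treatment_plan(register: List[Risk]) -> List[Tuple[str, str, int, str]]:
    """Ordered (system, threat, score, treatment) rows: the decision record to keep."""
    return [(r.system, r.threat, r.score(), recommend(r).value)
            for r in prioritize(register)]


# Constructed sample register for a small practice (not real data).
SAMPLE_REGISTER = [
    Risk("Practice management server", "Loss of data", "hardware", 3, 5),
    Risk("Billing workstation", "Inappropriate disclosure", "operational practice", 4, 4),
    Risk("Backup tapes carried off-site", "Inappropriate disclosure", "environment", 2, 5),
    Risk("Front-desk scheduling PC", "Inability to access data", "software", 2, 2),
    Risk("Lab results e-mail gateway", "Loss of data", "hardware", 1, 4),
]


if __name__ == "__main__":
    for system, threat, score, treatment in treatment_plan(SAMPLE_REGISTER):
        print(f"{score:>3}  {treatment:<8}  {system}: {threat}")
```

The ordered plan is the kind of written record the documentation requirement asks you to keep: it shows which applications get safeguards first and that each "accept" was a conscious decision, not an oversight, which is what makes the choice defensible if the estimates are later questioned.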

Q. What is the most important single factor in successfully complying with the Security regulations?

A. As a physician principal, you must both support the effort and be actively involved in it. Just as with anti-kickback, fraud and abuse, and Stark regulations, failure on the part of any doctor to adhere to the regulations puts the entire practice at risk. By complying with the Security regulations, you will not only be obeying the law, you will also be doing your patients a service by ensuring that their E-PHI is not destroyed, corrupted, rendered unavailable in time of need, or inappropriately disclosed to third parties.

Steven E. Fisher, MBA, is manager, practice management affairs at AAOS. He may be reached at (847) 384-4331 or

Security standards by safeguard category, with their implementation specifications (required or addressable)

Administrative Safeguards

Security Management Process
  Required: Risk Analysis, Risk Management, Sanction Policy, I/S Activity Review

Assigned Security Responsibility
  (no implementation specifications)

Workforce Security
  Addressable: Authorization and/or Supervision, Workforce Clearance Procedure, Termination Procedures

Information Access Management
  Required: Isolating Healthcare Clearinghouse Function
  Addressable: Access Authorization, Access Establishment and Modification

Security Awareness and Training
  Addressable: Security Reminders, Protection from Malicious Software, Log-in Monitoring, Password Management

Security Incident Procedures
  Required: Response and Reporting

Contingency Plan
  Required: Data Backup, Disaster Recovery and Emergency Mode Operation Plans
  Addressable: Testing and Revision Procedures

Business Associate Contracts
  Required: Written contracts

Physical Safeguards

Facility Access Controls
  Addressable: Contingency Operations, Facility Security Plan, Access Control and Validation Procedures, Maintenance Records

Workstation Use
  (no implementation specifications)

Workstation Security
  (no implementation specifications)

Device and Media Controls
  Required: Disposal, Media Re-use
  Addressable: Accountability, Data Back-up and Storage

Technical Safeguards

Access Control
  Required: Unique User ID, Emergency Access Procedure
  Addressable: Automatic Log-off, Encryption and Decryption

Audit Controls
  (no implementation specifications)

Integrity
  Addressable: Mechanism to Authenticate Electronic PHI

Person or Identity Authentication
  (no implementation specifications)

Transmission Security
  Addressable: Integrity Controls, Encryption
