Agencies get a head start on protecting patient data

Federal health care providers have an advantage over their private counterparts in fulfilling new requirements taking effect this week to secure patient information.“Federal agencies are ahead of the game,” said Stanley Nachimson, “because there are commonalties with other federal requirements, such as the Federal Information Security Management Act of 2002. And the National Institute of Standards and Technology has specifications on security rules that agencies follow.”Nachimson is the senior technical adviser for the Office of HIPAA Standards in the Centers for Medicare and Medicaid Services, which oversees the Health Insurance Portability and Accountability Act implementation.Health care providers, including the Defense and Veterans Affairs departments, must comply with security rules this week as part of HIPAA. The April 20 deadline affects doctors and hospitals all over the country, including those run by federal agencies, those that process Medicare claims and run Medicaid clinics, and state hospitals.HIPAA requires administrative, physical and technical safeguards to protect patient data that increasingly travels online and is stored electronically in transactions and records.Agencies already are ahead of the curve in meeting certain HIPAA requirements—for example—conducting risk analyses of major systems because of FISMA, a requirement for all federal agencies. In fact, so many similarities exist between the two laws that NIST has mapped out a crosswalk.FISMA and HIPAA require that agencies name an information security officer and train employees in security best practices. Both laws also emphasize integrating security into business processes.FISMA’s requirement that agencies certify and accredit major IT systems also will assure compliance with HIPAA, said Rich Phillips, IT specialist for VA’s enterprise privacy program and chairman of the VA HIPAA security rule compliance team.FISMA demands that all major IT systems meet baseline security criteria. That includes systems subject to HIPAA, NIST said in its recently published Special Publication 800-66.“Certification and accreditation is a very hard enforcer of HIPAA,” Phillips said. The two rules appear to be cut from the same cloth, he added.“When we deconstructed the HIPAA rule into requirements and then looked at FISMA, it almost looked like the same person wrote it, or maybe modeled one after the other, because there are so many [requirements] that are practically cut and paste,” Phillips said.Both rules present challenges for VA to implement. VA has hundreds of medical facilities, including hospitals, clinics and nursing homes. Most HIPAA compliance problems occur at the local level, he said. VA is trying to mitigate them, for example, by developing local policy templates, more communications and enhanced security training.Phillips’ HIPAA team coordinates compliance across the department to prevent disconnects in security that could result from VA agencies working individually.“You can map responsibility all the way up to the CIO and all the way down through VA. That way you know where the gaps exist and what needs to be done,” said Hal Corbin, VA’s acting director for enterprise privacy programs.The HIPAA team used a simple Microsoft Excel spreadsheet to list HIPAA specifications and plotted all VA security practices that could be applicable, listing what VA was doing or needed to do to meet the security rule.The Office of Management and Budget annually measures agencies’ progress toward FISMA compliance. But complaints from patients or other providers also will drive compliance with HIPAA security.“It’s entirely possible that you could receive a complaint and be HIPAA compliant,” Corbin said. The complaint does not validate noncompliance; it only drives the investigation, he said.“But federal agencies, if they’re following FISMA, should easily comply with the HIPAA security rule,” Phillips said.