HIPAA Security Rule: Deadline:
April 20, 2005
This document is not a complete guide to the HIPAA Security Rule. You may
need to consult references beyond this site.
Additional documentation:
NCPA:
If you are a member of NCPA, it publishes an excellent book that can help
your pharmacy with the HIPAA security rule.
www.ncpanet.org
How does this new rule affect your pharmacy?
The security rule focuses on pharmacy operations, which must now ensure the
security of electronic transmissions and stored data. It specifically
mandates that the pharmacy protect the "availability, confidentiality and
integrity of protected health information" in its possession.
GENERAL RULE PROVISIONS: Section 164.306(a), the statement of the general
rule, requires pharmacies (as covered entities) to:
- Ensure the confidentiality, integrity, and availability of all
electronic protected health information (ePHI) the pharmacy creates,
receives, maintains, or transmits;
- Protect against any reasonably anticipated threats or hazards to the
security or integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such
information that are not permitted or required by the Privacy Rule; and
- Ensure compliance by its workforce.
It may take time to implement the security rule so start now.
As your pharmacy system provider, PK Software can assist with the technical
safeguards subset of the Final Security Rule.
The administrative and physical safeguards must be addressed by you or your
designated security officer. The privacy officer and the security officer
may be one and the same; in most cases this is the pharmacist owner/manager.
The security officer should start by identifying the pharmacy's computer
hardware, electronic media, software and network connections that store or
transmit protected health information electronically. The security officer
must analyze each of these for threats and vulnerabilities, and have a backup
and emergency plan prepared and ready to put into effect by April 20, 2005.
Is my pharmacy software HIPAA compliant?
The Compounder version 3 is HIPAA compliant. However, the security rule
applies to the business as a whole, meaning that every part of the system
(hardware, network, etc.), not only the software, must be HIPAA compliant. Follow
this document to make sure that all entry points to your network are protected:
software, hardware, firewalls, routers, etc.
Risk Analysis:
Special Publication 800-30, Risk Management Guide for IT Systems
The National Institute of Standards and Technology (NIST) Special
Publication 800-30, Risk Management Guide for IT Systems, is a guide with
more detail on risk analysis.
Link to SP800-30.
This guide describes a nine-step process that leads health care
professionals through a risk analysis, in order to identify all threats and
vulnerabilities to the pharmacy, including natural, man-made and
environmental ones.
Using NIST Special Publication 800-30 you will:
- Identify and gather information on your computer systems.
- Analyze for any and all potential threats to the pharmacy.
- Determine the vulnerabilities those threats could exploit.
- Determine whether the control measures currently in place are adequate
or if additional ones are needed.
- Determine the likelihood that each vulnerability will be exploited, the
impact if it is, and what actions should be taken when it happens.
- Implement policies and procedures or technology to reduce the risk from each
vulnerability.
Compile all of this data in one document, which then becomes the risk
management plan. The best way to prepare for the security rule is to start
early: inventories of hardware and software can be done at any time.
In developing the risk analysis, how do you determine what the threats are and
which vulnerabilities really could be issues for your pharmacy?
A threat is any potential event, whether environmental, human or natural,
triggered accidentally or intentionally, that exploits a vulnerability to
harm the physical or electronic operation of the pharmacy. In simple terms,
earthquakes, fires, floods, robberies, thefts, malicious code (viruses, worms,
Trojan horses and other uninvited computer code that could destroy or alter
system resources including ePHI) and any other disasters fit the definition.
Once you determine who and what can harm your pharmacy, you can prepare a threat
statement, upon which you build the information required to complete the risk
analysis. The goal is to identify any potential problems or risks and either
eliminate them or mitigate them to an acceptable level.
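The scoring step of the risk analysis above, as an added example that is not code from the original page or from PK Software. It rates each constructed pharmacy threat/vulnerability pair using the likelihood and impact weights from NIST SP 800-30's sample risk-level matrix (0.1/0.5/1.0 and 10/50/100, with risk = likelihood x impact) and produces a register ordered by risk. The threat list is illustrative, not a real finding.

```python
"""Risk register scoring in the style of NIST SP 800-30's sample risk-level
matrix. Added example for this page, not code from PK Software or The
Compounder; the threat list is constructed for illustration."""

from dataclasses import dataclass

# Weights and thresholds follow SP 800-30 (2002) Tables 3-6/3-7: likelihood
# is rated 0.1 / 0.5 / 1.0 and impact 10 / 50 / 100; risk = likelihood * impact.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class RiskItem:
    threat: str         # threat source: natural, environmental or human
    vulnerability: str  # weakness the threat would exploit
    likelihood: str     # low/medium/high, judged with current controls in place
    impact: str         # low/medium/high effect on ePHI confidentiality, integrity, availability
    control: str        # control to add if the residual risk is above "low"


def risk_score(likelihood: str, impact: str) -> float:
    """Numeric risk as likelihood weight times impact weight (1 .. 100)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: above 50 is high, above 10 to 50 medium, 1 to 10 low."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def build_register(items: list) -> list:
    """Score every item and order the register by risk, highest first; items
    rated low are recorded as accepted so the decision is still documented."""
    rows = []
    for item in items:
        score = risk_score(item.likelihood, item.impact)
        level = risk_level(score)
        rows.append({
            "threat": item.threat,
            "vulnerability": item.vulnerability,
            "score": score,
            "level": level,
            "action": item.control if level != "low" else "accept (document rationale)",
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample inventory for a small pharmacy (not real findings).
SAMPLE_ITEMS = [
    RiskItem("burglary / theft of server", "backup media stored next to the server",
             "medium", "high", "daily backup rotated to an off-site location"),
    RiskItem("worm or virus from the Internet", "no firewall and no antivirus on the workstations",
             "high", "high", "router firewall, host firewall, antivirus, automatic updates"),
    RiskItem("fire", "single server, no contingency plan",
             "low", "high", "written disaster recovery plan, tested yearly"),
    RiskItem("unattended terminal", "no automatic logoff configured",
             "medium", "medium", "enable automatic logoff after N minutes of inactivity"),
    RiskItem("power surge", "server on surge-protected circuit",
             "low", "low", "none needed"),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_ITEMS):
        print(f"{row['level']:6} {row['score']:5.1f}  {row['threat']}: {row['action']}")
```

The register is the artifact the rule asks you to keep: each row records the threat, the vulnerability, the rating, and what was decided, including the "accept" decisions, so an auditor can see that low-rated items were considered rather than missed.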
Contingency Plan:
After the risk analysis is completed, the next document that must be prepared
is the contingency plan.
The contingency plan is like an insurance policy for your information. The
basic requirement is to ensure that the pharmacy's protected health information
and operational information remain secure and available after a disaster strikes.
The process starts with the pharmacy's computer backup system. Many
pharmacies keep their backup media next to the pharmacy computer. In a theft
or fire they would lose both the computer and the data. The data backup
standard requires that you establish a procedure to complete and confirm a
successful backup daily and to secure that backup in a safe location. We have
always recommended at least one backup medium for each day of the week you
are open, plus two more that are always kept off site.
PK Software offers a Remote (FTP) Backup Service that will compress and
encrypt your data and then transfer it to our storage servers. Please call
for details on this service.
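The daily backup procedure above, as an added example that is not PK Software's GBAK-SCHEDULER or Remote Backup Service: a compressed archive of a constructed data directory, a SHA-256 manifest to keep with the off-site copy, and a restore test that refuses to count a backup as successful when the archive is unreadable or any restored file differs from the manifest. File names and contents are stand-ins, not The Compounder's real files.

```python
"""Daily backup with a hash manifest and a restore test. Added example for
this page, not PK Software's GBAK-SCHEDULER or Remote Backup Service; file
names and contents below are constructed stand-ins."""

import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> dict:
    """Write src_dir to a compressed tar archive and return {relative path: sha256}.
    Keep the manifest with the off-site copy so a restore can be checked."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(src_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: dict) -> bool:
    """Restore into scratch space and compare every file against the manifest.
    An unreadable archive, a missing file or a hash mismatch means the backup
    did not succeed and the day's media must not be counted as good."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # safe extraction on Python 3.12+
                except TypeError:
                    tar.extractall(scratch)                 # older Python has no filter argument
        except (tarfile.TarError, OSError, EOFError, zlib.error):
            return False
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256_file(restored) != expected:
                return False
    return True


def run_demo() -> tuple:
    """Back up a constructed data directory, verify it, then truncate the
    archive (an interrupted copy to the backup media) and verify again."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "compounder_data"
        src.mkdir()
        (src / "pharmacy.db").write_bytes(os.urandom(4096))  # constructed stand-in for the database
        (src / "settings.ini").write_text("autologoff_minutes=10\n")
        archive = work / "backup-monday.tar.gz"
        manifest = make_backup(src, archive)
        intact_ok = verify_backup(archive, manifest)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        truncated_ok = verify_backup(archive, manifest)
        return intact_ok, truncated_ok


if __name__ == "__main__":
    print("intact backup verified: %s, truncated backup verified: %s" % run_demo())
```

The point of the restore test is that "the backup job ran" is not the same as "the data can be restored"; a half-copied archive looks like a file on the media until someone tries to read it after the disaster. Running the verification against the off-site copy, not just the local one, is what makes the rotation scheme meaningful.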
The disaster recovery portion of the contingency plan
requires the pharmacy to:
1. Identify all business contacts related to the electronic and physical
control of, and access to, the pharmacy. This plan should be written as if the
pharmacy owner or manager is not present after the disaster. It should be
viewed as the pharmacy owner's written instructions to the employees on how to
conduct and/or recover business operations if the unthinkable occurs.
2. Test the plan. The security rule requires the pharmacy to test and revise
this plan; do so at least annually. The exercise should involve all key
pharmacy employees in order to seek their ideas and input. After conducting an
exercise, determine whether the plan is viable. As with all plans, it is only
as good as the information in it. Training is the final and most important
step of the security rule. All employees and, when applicable, business
associates must be trained to the level of exposure they have to protected
health information. The training validates and completes the effectiveness of
employees' ability to comply with the pharmacy's operational policies and
procedures.
The April 20, 2005 deadline is quickly approaching, and the pharmacy team
will need to start working on meeting it very soon. At a minimum, being in
compliance will require:
- the designation of a security officer;
- additional security policies and procedures to be established;
- the establishment and completion of a risk analysis and the development of a
contingency plan; and
- the training of all employees to ensure that everyone involved with protected
health information understands what to do, when to do it and where to go when a
question is asked.
We recommend that you:
- Enable the firewall in your router
- Install a firewall on all computers
- Install antivirus on all computers
- Activate the Windows Automatic Update feature
(Many of the security suites offer a risk analysis testing method)
- Hire a professional installer to install these programs and conduct a
risk analysis of your computer network. PK Software can do this for a
fee.
- Install RAID 1, RAID 5 or RAID 10 in your server computer and use the
GBAK-SCHEDULER (see manual for details) to automate backups. RAID keeps the
server running through a single disk failure; it does not protect against
deletion, corruption, theft or fire, so it supplements the daily off-site
backup rather than replacing it.
Safeguards Checklist To Be Addressed By
The Pharmacy: Technical information
(a) Standard: Access Control:
a. Unique user identification: Users must activate the User Security system
in The Compounder, and the administrator must grant rights to each user. Only
persons who have been granted access rights through a unique user
identification can then access the system.
b. Emergency access procedure: This may be done through our office.
c. Automatic logoff: Users may turn on this feature in Options and set the
number of inactivity minutes after which the session is logged off.
d. Encryption and decryption: This part of the standard is not implemented,
because encrypting the database is not reasonable or appropriate for the
following reasons:
i. It would severely impact the performance of the program.
ii. The data is stored in many different relational tables. Extracting
meaningful PHI from these tables without the database schema is very
difficult, and our database schema is treated as highly confidential.
iii. All data transfers are done with data encryption mechanisms.
Encryption is an addressable specification under 164.312(a)(2)(iv), so this
decision and the reasons for it must be recorded in the pharmacy's risk
analysis.
(b) Standard: Audit Controls:
One or more of the following are required: hardware, software, and/or
procedural mechanisms that record and examine activity in information systems
that contain or use electronic PHI. The Compounder offers data tracking and
auditing in the software. For full control over data auditing you can
purchase an optional module that logs every change to the database. This log
is kept in a separate location.
(c) Standard: Integrity: A separate mechanism to authenticate electronic PHI
is not implemented, because it is inappropriate or unreasonable for the
following reasons:
i. All the electronic PHI data is user modifiable.
ii. The system logs all changes made to electronic PHI, including the date
and time stamp and the person who made the change.
(d) Standard: Person or entity authentication: The Compounder's user security
feature supports authentication via an encrypted user name and password.
(e) Standard: Transmission Security: The Compounder's security feature
provides integrity control using a checksum when transmitting electronic
claims over a broadband connection, which detects messages corrupted in
transit. Note that a checksum only catches accidental alteration: anyone who
deliberately changes a message can recompute the checksum, so it should not be
the only integrity control on an open network. Dial-up is considered secure
under the final rule.
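The difference between a checksum and a keyed integrity check, as an added example that is not The Compounder's claim transmission code. It runs an additive checksum and an HMAC-SHA256 tag over a constructed claim-like record (the real claim format is not shown on this page), then applies two changes: one flipped bit, which a checksum catches, and a deliberate edit that reorders the digits of the quantity field so the byte sum is unchanged, which only the HMAC catches. The shared key is an assumption of the example.

```python
"""Integrity check for a transmitted claim: additive checksum versus HMAC.
Added example for this page, not The Compounder's claim transmission code;
the claim record and the key below are constructed."""

import hashlib
import hmac
import secrets

# Constructed claim-like record; the real claim format is not shown on the page.
CLAIM = b"RX=1001;NDC=12345-6789-01;QTY=030;PATIENT=DOE,JANE"


def byte_sum_checksum(message: bytes) -> int:
    """Additive checksum (sum of bytes mod 2**16): catches a corrupted byte
    but not an edit that keeps the byte sum, such as reordering digits."""
    return sum(message) % 65536


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag; cannot be recomputed by anyone without the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def corrupt_one_byte(message: bytes) -> bytes:
    """Line-noise model: flip one bit in the quantity field."""
    data = bytearray(message)
    data[message.index(b"QTY=") + 4] ^= 0x01
    return bytes(data)


def tamper_quantity(message: bytes) -> bytes:
    """Deliberate edit: 30 units becomes 300 units by reordering the same three
    digits, so the byte sum (and therefore the checksum) is unchanged."""
    return message.replace(b"QTY=030", b"QTY=300")


def checksum_detects(original: bytes, modified: bytes) -> bool:
    return byte_sum_checksum(original) != byte_sum_checksum(modified)


def hmac_detects(key: bytes, original: bytes, modified: bytes) -> bool:
    tag = hmac_tag(key, original)   # tag sent alongside the original claim
    return not hmac_verify(key, modified, tag)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # assumed shared between pharmacy and claims switch
    print("checksum catches line noise:", checksum_detects(CLAIM, corrupt_one_byte(CLAIM)))
    print("checksum catches tampering: ", checksum_detects(CLAIM, tamper_quantity(CLAIM)))
    print("HMAC catches tampering:     ", hmac_detects(key, CLAIM, tamper_quantity(CLAIM)))
```

In practice the key management is the hard part: the tag is only as trustworthy as the secrecy of the key shared with the receiving switch, which is why integrity on an open network is normally obtained from the transport layer (TLS or a VPN) rather than from a checksum computed by the application.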