
Physicians Practice. Vol. 15 No. 7

Security Rule Blues

The Compliance Deadline Has Passed - Now What?

By Barry Herrin and Trish Markus | May 1, 2005

More than a month beyond the date when physicians were supposed to have met new requirements for security of health information, compliance appears to be lagging. If you are among those dragging your feet, are you aware of the risks you are taking by delaying compliance?

April 20, 2005 was the deadline for all healthcare entities covered by HIPAA (except for small health plans) to comply with the security portion of the law. The privacy rule has been in effect since 2003. Where the privacy rule governs who may use and disclose patients' protected health information (PHI), the security rule requires safeguards for the confidentiality, integrity, and availability of PHI that is electronically transmitted or maintained.

If you are not yet compliant, don't panic. You are not alone. A recent survey by a healthcare information group and a consulting organization showed only three-fourths of providers expected to be compliant by the deadline. It is important, however, to start your efforts now and have a plan to get the job done in the shortest possible time. The penalties for noncompliance can be severe, and evidence indicates that tough security measures are needed. A full 40 percent of provider respondents to the survey noted they had experienced at least one data security breach since June 2004.

Understanding what's required

Many providers, including physician practices, likely have found the security regulation more difficult to implement than the privacy rule because there has been less guidance and fewer sample documents available from the Centers for Medicare and Medicaid Services (CMS).

Yet compliance with the security regulation goes hand-in-hand with privacy. The privacy rule itself mandates a certain level of physical security for all PHI, and the security rule adds to that burden by requiring any provider who transmits or stores patients' PHI electronically (and these days, the majority of providers do) to safeguard that electronic PHI (e-PHI) from unauthorized access, use, or disclosure.

The security rule requires providers and other covered entities to "ensure" the confidentiality, integrity, and availability of e-PHI; to protect e-PHI against any "reasonably anticipated" threats or hazards, and against reasonably anticipated uses or disclosures that the privacy rule does not permit; and to ensure that their officers and employees comply with the security regulation. "Integrity" in this context means that the e-PHI has not been altered or destroyed in an unauthorized manner; "availability" means that people who are authorized to access the e-PHI can do so when they need to.

At this point, we don't really know what "ensure" and "reasonably anticipated" mean. Until courts have an opportunity to define these terms, healthcare providers will have to make their best efforts to achieve compliance with these standards.

In general, the security rule specifies a broad array of administrative, physical, and technical standards, but these are divided into "required" and "addressable." Don't be misled by the apparent voluntary nature of the word "addressable."

Addressability means that your practice has some discretion in how it meets a particular standard: you may implement the specification as written, implement an equivalent alternative measure that is reasonable and appropriate for your practice, or document why neither is reasonable and appropriate in your circumstances. Addressability does not mean that you can ignore the standard altogether, or that you can base your decision solely on the cost of the solution.

If the only available solution is expensive, but "reasonable and appropriate" in your individual circumstances, you will still have to spend the money. In cases of addressability, treat your analytical process like a fifth-grade math assignment — show your work. The regulators will want to see why you made the choices you did and what alternatives you considered and discarded on your way to your selected compliance solution. If you don't, you're likely to place yourself at risk for second-guessing (and potential sanctions).

At a minimum, you must do the following:

Appoint a security official. This may be the same person who is your privacy official. This individual is the point person for all policy development, training, and security compliance activities. Most physician practices assign this responsibility to the office manager or, if a large practice, to the person in charge of information technology. The security rule does not mandate any particular level of training or expertise.

Assess the key security risks to your practice. These risks likely will include potential loss of cash flow; loss or corruption of e-PHI due to a hacker, virus, or disaster; temporary loss or unavailability of records due to a system or power outage; and unauthorized access to or disclosure of e-PHI that results in a patient complaint to your practice and, potentially, to CMS. Estimate the relative likelihood and impact of each of these risks based on your practice's individual history and situation. This process, called a "risk assessment" (the rule itself calls it a risk analysis), comes down to determining whether your information systems are more likely to be compromised by, for example, flooding than by a hacker or an angry ex-employee, and what each event would cost you.

Implement safeguards to minimize the occurrence of the most likely events. This effort must be customized to your practice's own circumstances — borrowing someone else's "checklist" of problems will not be sufficient. Most practices are going to have to think about natural disasters, power outages, hackers, disgruntled employees, and the like. However, if you have remote access to a hospital's information database (such as a PACS system, for example), or if you have a piece of diagnostic equipment that the vendor can access by modem, you're going to have to consider security risks created by these systems, also.

© 1996 - 2012 UBM Medica LLC, a UBM company