The OP Review November 2005 - Ohio Psychological Association
HIPAA – Secure at last!
A Review of the Practice Organization’s Compliance Workbook
By Charles Cooper, PhD, North Carolina Psychological Association Professional Affairs Director
By the time you read this, the compliance deadline for the HIPAA Security Rule will be behind you, like a channel buoy just past to starboard. Mixing metaphors with abandon—you will either be reading this with that smug sense of having completed all your homework, or with that attitude you typically adopt when you come to class with a light backpack, homework incomplete. In the interest of transparency, my typical attitude is one of blame. I generally blame someone else. In this case, Congress.
Though blame, by and large, works for me, in this case it has only slowed me down. And as the Sole Security Officer (the S.S.O.) of my practice, that has not been a good thing. The HIPAA Security Rule itself is quite complex, more so in my view than the Privacy Rule. (Ironically, though, the action steps required for compliance are actually rather simple—with proper technical assistance.) And I had been waiting for the APA Practice Organization’s “compliance product” to ease the process. The product was put up on the Practice Organization’s Web site on April 12 and was definitely worth the wait, and not only for the excuse its release date provided.
The Workbook
The Workbook resides exclusively in online form, which can be reached through the APA Practice Organization’s Web site at www.apapractice.org. For APA members who pay the practice assessment, the cost is $99; for non-practice-assessment APA members, $139; for nonmembers, $159. The time saved in using the Workbook will be a number of hours at least, and this alone justifies its price. As a bonus, the successful completion of its associated online exam earns four continuing education credits.
The Workbook begins with a crisp overview of the Security Rule, laying out concepts essential to understanding the structure and content of the rule. For those who have taken the “101” courses or read the Practice Organization’s Primer, also available from its Web site, this material will be a comprehensive review. For those approaching compliance for the first time, it will serve as a sufficient conceptual map for your Security Rule implementation.
After it sets out the concept-base, the Workbook gives a “Process Overview” that outlines the step-wise progression for compliance with each standard and implementation specification of the rule. Specifically, the workbook provides a step-by-step path for:
• Evaluating security risks in your particular practice (the risk analysis)
• Deciding how to respond to those risks by checking off sets of options
• Documenting all decisions and their rationales
• Creating customized policies and procedures that flow from the options you selected
As the authors note, completion of the component sections does take considerable time. However, the product of this invested time is a printable document that serves as the record of your compliance efforts. It spares you any additional time in creation of a paper trail to certify that the HIPAA-required activities were completed.
Contents
The Workbook’s operational section has four principal headings:
• Assigning a Security Officer
• Securing Your Office
• Securing Your Computer
• Securing Your Workforce and Administrative Policies.
Each of these sections includes brief descriptions of “standards” and “implementation specifications” (IS)—the real guts of the rule. The workbook then proceeds to walk you through a separate risk analysis for each standard and/or IS. The risk analysis is facilitated by the posing of a set of key questions that, while not exhaustive, generally cover the territory of the standard. Your responses to the questions identify not only threats, but also the adequacy of measures you have already taken. Your answers, recorded in text boxes, lead directly to the “Compliance Options” section, which offers standard check-off alternatives (and space for customized solutions) for risk abatement. These check-offs cleverly link to the final policies and procedures document, saving hours of word processing.
Following from the “Compliance Options” is a section titled, “Sample Documentation” that guides you through documenting your rationale for compliance decisions.
JUNE 2005 10