Practitioners around the country are taking steps to comply with the new Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

With a compliance date of April 20, 2005, the Security Rule addresses the protection of confidential health information that is either maintained or transmitted by electronic means.

"There are more technology aspects to this rule than the Privacy Rule," says Russ Newman, PhD, JD, APA’s executive director for professional practice. “The Privacy Rule addressed to whom and under what circumstances a psychologist can disclose patient information. The Security Rule is about protecting against security breaches when health
information is either maintained or transmitted electronically.”

“Anyone who has determined that they need to be in compliance with the Privacy Rule will also need to be in compliance with this rule," Newman added.

The Basics
The Security Rule requires practitioners to assess the risks to the confidentiality, integrity and accessibility of their electronic patient information and determine how to best minimize those risks.

"Practitioners need to evaluate how they operate their practice, identify any security gaps and take action to correct those gaps," says David Nickelson, PsyD, JD, assistant executive director for technology policy and projects in APA’s Practice Directorate.

The Security Rule encompasses three broad categories of standards under which psychologists must address and document safeguards:

Administrative standards focus on security issues in day-to-day administrative operations (e.g., authorizing staff access to, and use of, confidential patient information, developing an emergency operations plan and selecting a person to be responsible for all security activities).

Physical standards cover access to a psychologist’s office or other workspace so unauthorized individuals cannot physically remove electronic patient information (e.g., placing locks on doors or installing a security system).

Technical standards address access to systems that contain electronic patient information (e.g., requiring a password to access particular computers or software programs.)

Each of the three areas contains several standards along with implementation specifications that describe how to meet those standards.

Fortunately for small practices, the Security Rule is flexible, allowing for a variety of compliance activities depending on the size of the practice, the cost of implementing certain safeguards and the practice’s technological sophistication. In other words, as with the Privacy Rule, smaller practices will not be expected to implement the Security Rule on the same scale as larger ones.

HELP FOR PRACTICING PSYCHOLOGISTS
Deciphering the Security Rule and all of its requirements and options can be extremely daunting. The vast majority of the tools available to help are geared toward very large medical practices or organizations.

To assist psychologists with solo and small group practices, the APA Practice Organization has developed The HIPAA Security Rule Online Compliance Workbook, a comprehensive, easy-to-use online compliance resource to help psychologists comply with the HIPAA Security Rule.

The online workbook includes:
– Step-by-step risk analysis for all aspects of a practice
– Compliance options for each Security Rule requirement
– Customizable documentation, including Policies and Procedures

Psychologists can also choose to receive four hours of continuing education credits for completing and passing an optional online exam.

The cost for the online workbook is very competitive compared with other compliance resources on the market. APA members who pay the Practice Assessment can purchase the workbook for the discount price of $99. For other APA members the price is $139.

Practitioners who do not belong to APA will be charged the full retail price of $159.

© Copyright 2005 APA Practice Organization