Information for Counties and Providers
HIPAA Security Rule
The OMH views the security of protected health information as an integral part of assuring its privacy. Effective implementation of the HIPAA Privacy Rule on April 14, 2003 includes with it an obligation to maintain proper security of the information entrusted to OMH in our health care role. The following introduction from the security policy best captures this responsibility.
1.1 General Statement of Information Security Policy
Information is among the most valuable assets of the New York State Office of Mental Health (OMH) and OMH relies upon information to support its business activities. The preservation and retention of OMH information is critical to the agency's ability to provide mental health services to the citizens of the State and to fulfill its statutory responsibilities. Therefore, the security of OMH information and of the technology that facilitates its use is a responsibility shared by the entire OMH workforce. Each authorized user of or person who has access to OMH information has an obligation to preserve and protect OMH information assets in a consistent and reliable manner. Security controls, such as those set forth in this Policy, provide the necessary physical and procedural safeguards to accomplish such obligations.
Information security management enables information to be shared while ensuring protection of that information and associated systems. OMH executives and managers, together with information technology (IT) personnel, are responsible for ensuring that appropriate controls are in place to maintain the security objectives of confidentiality, integrity, and availability for OMH information assets; however, every person with access to information is responsible for compliance with any and all security measures as a condition of being granted such access.
To protect OMH Information, and in particular Patient Information (or 'Protected Health Information [PHI]), the OMH must comply with a variety of legislation and regulations at both the Federal (e.g. HIPAA, 45 C.F.R Parts 160, 165) and State levels (e.g. Mental Hygiene Law Sections 33.13 & 33.16, and Public Health Law Section (Article 27-F)).
In February 2003, the US Department of Health and Human Services announced the publication of the final Security Rule, with an effective date of April 21, 2003. Covered entities have 24 months or until April 21, 2005 to come into compliance with this rule. It is important to emphasize that, although compliance is not required for some time, it is impossible to maintain the tenets of the Privacy Rule without proper security. OMH has accelerated implementation of its security requirements, to assure compliance with proper privacy practices.
The HIPAA security rule is the basis for OMH in developing its security policy and standards. The HIPAA security standards require health care entities to protect electronic patient information from improper access or alteration, and guard against loss of records. Specifically, the standards require that covered entities - health care providers, health plans and clearing houses that transmit patient information electronically - assess the potential risks and vulnerabilities to patient data in their work place and develop, implement and maintain appropriate security measures to safeguard it. The standards do not specify a specific technology or computer application, nor do they mandate a particular set of electronic security features or measures. In other words, HIPAA is technology-neutral. Instead, each covered entity is required to (1) evaluate its information security risks, and (2) devise and implement appropriate risk management measures. Most importantly, these risk management measures must be documented and kept current.
How will these information security standards impact county and mental health service provider business operations? Specifically, what provider operations are covered by them?
In New York State, the Office of Mental Health (OMH), many county mental health departments and almost all mental health providers are receiving and transmitting patient health information electronically and, as such, are covered by the HIPAA security standards. Even service providers that are not covered by these standards, either because they bill on paper or because they do not produce electronic patient records, are strongly encouraged to adopt them simply because they make good business sense. In other words, the HIPAA security standards most likely will change some aspects of every provider and county business operations.
Even though the NYS public mental health sector has a long and established record of keeping patient data confidential and secure, the new security requirements provide counties and service providers with an excellent opportunity to re-assess and upgrade their existing security mechanisms and procedures. The need to re-assess security protocols and procedures is heightened by the fact that electronic data transmittal, and exchange of patient health information in particular, are relatively new business practices. Therefore, it is advisable that providers and counties immediately start to re-evaluate their information security risks and develop remediation plans as needed.
Key Security provisions in summary:
The security requirements can be broadly grouped into three categories: administrative safeguards, physical safeguards, and technical safeguards. Each of the three categories entails a list of common practices and/or procedures particular to that category, as follows:
- Administrative safeguards - these are documented, formal practices to manage the selection and execution of security measures to protect patient data and the conduct of personnel in relation to the protection of the data, including:
- Assigned Security Responsibility
- Business Associate Contracts and Arrangements
- Contingency Plan
- Evaluation - Technical/Non-technical
- Information Access Management
- Security Incident Procedures
- Security Management Process
- Security Awareness and Training
- Workforce Security
- Physical safeguards to guard the integrity, confidentiality and availability of patient data - these relate to the protection of the physical computer systems and associated buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Physical safeguards also cover the use of locks, keys and administrative measures used to control access to computer systems and facilities, including policies or guidelines on:
- Device and Media Controls
- Facility Access Controls
- Workstation Security
- Workstation Use
Technical safeguards which include the processes that are put in place to protect and to control and monitor information access including:
- Access Control
- Audit Controls
- Person or Entity Authentication
- Transmission Security
Once the OMH security documents are finalized, sample forms will be made available to counties and providers through this web page. These sample forms may be used by counties and providers to develop their own security forms.
Another good source of information is the 'Additional Resources/Related HIPAA Sites' link. This link features sites that were selected because they offer valuable information on provider security requirements, information risk management as well as many practical tips and guidelines.
For information security-related questions please check the Security FAQ page or submit your own questions on-line at 'Ask CMS'.
Comments or questions about the information on this page can be directed to the Office of the Counsel.