It has been more than a decade since the Health Insurance Portability and Accountability Act was enacted to establish national standards for health care transactions and ensure the privacy and protection of health care information. Unfortunately, the law has yielded uncertainty for employers regarding compliance. The following is a sampling of employers' pressing queries.
As a benefits manager, what specific HIPAA requirements should my organization adhere to concerning disaster recovery planning?
Recent events such as the 9/11 terrorist attacks, followed by hurricanes Katrina and Rita, have forced health care professionals to revisit their disaster recovery plans. Though known informally as business resumption, disaster planning or a number of other phrases and abbreviations, this type of due-diligence activity should be considered paramount in today's ever-changing world. While many organizations understand the need to protect health care information and other related data, unfortunately just as many have ignored calls for safety and view HIPAA merely as another legislative compliance mantra from Congress. Worse, HIPAA guidelines are written in such a way that interpreting them is difficult, and overall enforcement is lax.
Regarding contingency planning, "each entity needs to determine its own risk in the event of an emergency that would result in a loss of operations. A contingency plan may involve highly complex processes in one processing site, or simple manual processes in another. The contents of any given contingency plan will depend upon the nature and configuration of the entity devising it," according to final HIPAA rules from the Health and Human Services Department. (Read full text of the final rule at www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf.)
To comply, I advise employers to:
- Conduct a formal analysis of how effectively your organization could continue in the event of a major business interruption.
- Create a written disaster recovery planning policy. These documents can be developed using one of many templates and white papers available online.
- Create awareness within your organization about disaster recovery and its implications if a major business interruption event occurred.
More than anything, because the HIPAA requirements for disaster recovery are vague, it's up to your organization to use your best judgment about what suffices for HIPAA compliance and for overall good business practice.
I'm an administrator and processor for health care plans and claims, and my organization undergoes an annual SAS 70 audit. My clients have demanded that we adhere to HIPAA compliance for certain activities. Can I ask the accounting firm conducting the SAS 70 audit to test and validate certain HIPAA standards and guidelines?
When looking at the HHS standards in the HIPAA final rule (45 CFR Parts 160, 162 and 164), many areas are commonly tested in a SAS 70 Type II audit. Though differences exist in what such areas are called by SAS 70 auditors and by the final rule itself, there are similarities in several areas pertaining to IT. (See chart for a sample of standards that align with SAS 70 requirements and SAS 70 audit control objectives.)
Though the HHS security standards and SAS 70 audit control objectives are not a perfect match, SAS 70 audits can help achieve HIPAA information security compliance. Further, SAS 70 audits can cover additional HIPAA requirements if such specific requirements are clearly addressed in the scope of the audit and communicated effectively to auditors.
Charles Denyer is a member of NDB, LLP, a national CPA firm providing regulatory compliance services. His experience includes years of auditing in the health care arena. He can be reached at cdenyer@ndbcpa.com.
