A National Reputation with Local Commitment

Contact Us
3905 Vincennes Road, Suite 204
Indianapolis, Indiana 46268

Telephone: 317-704-2400
Toll-Free: 800-894-1243
Facsimile: 317-704-2410

Are You Ready for HIPAA’s Security Rule?

An Overview

The Security Rule aims to ensure the confidentiality, integrity, and security of patient information maintained on computers or computer-related media and of any patient information transmitted over an internal or external computer network.  It requires covered entities to do more than limit unauthorized access to patient information.  It also requires covered entities to implement, or at least address the reasonableness of implementing, policies and procedures that ensure the availability and integrity of electronic protected health information.

To comply, a covered entity must not only implement security measures to limit unauthorized access, but also prevent unauthorized alterations of electronic protected health information.  A covered entity must also be able to access electronic protected health information in the event of an emergency or natural disaster.

Additionally, the security rule requires the entity to protect electronic protected health information against any reasonably anticipated threat or hazard to its security or integrity; protect against any reasonably anticipated use or disclosure of such information that would violate the privacy regulations; and ensure that members of the covered entity’s work force comply with the regulation.

These requirements apply only to electronic protected health information maintained by the covered entity.  Electronic protected health information is protected health information that is maintained or transmitted in an electronic medium.  Electronic medium means any computer-based form of storage or transmission, such as hard drives, floppy disks, CD-ROMs, and computer networks.  Additionally, electronic transmission includes physically moving a storage medium; mailing a floppy disk is considered an electronic transmission.

The Security Rule’s Structure

The rule is divided into sections.  Three of these sections, Administrative Safeguards, Physical Safeguards, and Technical Safeguards, cover the security requirements, while the remaining sections explain organizational requirements such as dealing with business associates and documentation.  Each section is further divided into multiple standards.  Many of the standards include subdivisions called implementation specifications.

Required versus Addressable Standards

HHS has designated each standard or, if a standard has implementation specifications, each specification, as either required or addressable.  If a standard or implementation specification is required it must be implemented by April 21, 2005.

If a standard is addressable, the covered entity must assess whether the standard is reasonable in its environment.  If the entity determines the standard is reasonable, it must implement the standard by the compliance deadline.  If the entity determines the standard is not reasonable or appropriate for its work environment, the entity must document why the standard is not reasonable and appropriate and implement an equivalent alternative measure if reasonable and appropriate by the compliance deadline.  Covered entities should be aware that designating a standard as “addressable” does not mean the standard is optional; it means that the entity must assess the reasonableness of implementing the standard and document its decision.

To assist covered entities with addressable standards, the security rule lists factors to take into account when deciding whether the standard is reasonable and appropriate.  These factors are: the size, complexity, and capabilities of the covered entity; the covered entity’s technical infrastructure, hardware, and software security capabilities; the costs of the particular security measure; the probability and criticality of potential risks to electronic protected health information.  A covered entity must take these factors into account and, if the entity determines implementing the specification is not reasonable and appropriate, the entity should include in its documentation an explanation of how each of those factors applied to its operations.  

Administrative Safeguards

HIPAA defines administrative safeguards as “administrative actions and policies, and procedures, to manage the selection, development, implementation, and maintenance of security measures” that either secure electronic protected health information or manage the conduct of employees.  The Administrative Safeguards section of the rule is composed of nine standards that include twenty-one implementation specifications.  These standards and specifications govern the planning and implementation of security policy.  This section requires a covered entity to perform a risk analysis, implement policies and procedures to reduce risks and vulnerabilities, implement a sanctions policy for employees who violate the entity’s security policies, and regularly review information system activity.

The administrative safeguards section is the longest of the safeguards sections of the rule.  This is important to keep in mind, because it reinforces the fact that HIPAA Security compliance is more than simply a technology issue.  Like most regulatory compliance efforts, HIPAA compliance is primarily an administrative issue.  Many providers mistakenly assumed Security Rule compliance was a technology issue and allowed their information technology staff to handle their compliance efforts alone.  In light of the many administrative requirements, such as sanctions policies and training, those compliance efforts may be insufficient.

Although HHS has stated that no single standard or specification is more important than any other, the risk analysis required as part of the security management process standard is fundamental to security compliance.  The risk assessment requires an entity to “conduct an accurate and thorough assessment of the risks and vulnerabilities” not only to the confidentiality, but also to the availability and integrity of all electronic protected health information. 

The risk analysis will allow an entity to determine where problems exist in its information security.  Remember, risk to electronic protected health information is one of the factors that must be considered by a covered entity when assessing implementing addressable standards.  For this reason, covered entities may want to perform their risk assessment first.

Another important requirement of the administrative safeguards section is the designation of the security official who will be responsible for complying with the security rule.  This designation should be in written or electronic form and maintained by the covered entity for six years from the date of creation or the date it was last in effect, whichever is later.

In the comments to the regulation, HHS stated that specific security responsibilities may be given to other individuals, but the overall responsibility for the security of an entity’s electronic protected health information must rest with one individual.  In other words, an entity may have a security committee or delegate security tasks in some other fashion, as long as the entity has a single individual who is the final authority on the entity’s security compliance.

In some entities, the privacy officer may also be the security officer.  HHS has not stated that the security officer must be separate from the privacy officer.  Furthermore, the security officer does not need to possess any special information security certifications or training.  If you are an agency that does not have anybody in house with information technology or security experience, that doesn’t mean you need to hire somebody or send somebody to receive extensive training.

Additionally, this section contains standards for ensuring that members of an entity’s workforce have appropriate access to electronic protected health information; for authorizing access to electronic protected health information in a manner consistent with the entity’s privacy policies; for making employees aware of security issues and training employees regarding the entity’s security policies; for responding to and reporting of security incidents; for dealing with contingencies such as natural disasters; and for the periodic evaluation of the entity’s security policies to ensure that they continue to meet the requirements of the security rule.

Physical Safeguards

Physical safeguards are physical measures designed to protect an entity’s information systems and facilities from unauthorized entry, natural disasters, and environmental hazards.  The standards under this section cover how an entity provides access to properly authorized persons while excluding or restricting unauthorized persons; ensures the proper use of workstations; and receives, re-uses, and disposes of electronic media and hardware.

There are a number of addressable specifications under this section of the rule.  However, most entities will find them reasonable and appropriate.  For example, covered entities must address implementing policies and procedures to safeguard facilities from intrusion, tampering, and theft.  Although there may not be a formal written policy, every entity that locks its doors at night has addressed this standard and decided to implement it.

Technical Safeguards

Finally, the section on Technical Safeguards governs the policy and procedure requirements for the use of technology to safeguard electronic protected health information.  The standards under this section include implementing: policies and procedures to technically limit access to information systems to those who have been granted access; a hardware, software, or procedural mechanism for recording and examining activity in information systems that contain electronic protected health information; procedures to safeguard against unauthorized alteration or destruction of electronic protected health information; means to ensure that persons seeking access to electronic protected health information are, in fact, who they claim to be; and technical security means to ensure the security of electronic protected health information that is transmitted over a communications network.
 
The most controversial requirement in the technical safeguards provisions concerns the use of encryption.  HHS stated in its comments to the regulation that it was aware of the difficulties requiring encryption would impose on small providers who, for example, used electronic means to communicate with their patients.  As a result, encryption is an addressable implementation specification under both the access control standard and the transmission security standard.  Therefore, a covered entity may decide encryption is not appropriate because its environment poses a low risk or it is simply not reasonable because of high costs.

There are, however, a number of required implementation specifications under this section.  One specification requires that each user have a unique identification on any computer system that contains electronic protected health information.  Covered entities may no longer allow multiple employees to share a single username.

Covered entities must also implement policies and procedures to verify that the person using the unique logon is in fact the person to whom the username was assigned. There are a number of ways this may be done, ranging from passwords to biometric devices such as fingerprint scanners.

This raises another point about the security rule.  None of the standards or specifications under the rule requires a covered entity to use a certain technology when implementing their security rule compliance.  HHS has left covered entities free, based on their own risk analysis, to choose what technologies to implement to comply with the rule. 

Business Associates

In addition to implementing its own security policies and procedures, a covered entity must obtain written reasonable assurances from business associates regarding the security of any electronic protected health information shared with the business associates.  As under the privacy rule, the covered entity must obtain these assurances through a contract.  The business associate contract required for security compliance is similar to the privacy rule business associate contract, but contains provisions regarding the safekeeping of electronic protected health information by the business associate.  The business associate provisions of the security rule replaced the concept of a chain of trust agreement from the original rule.

Getting Ready 

Some commentators refer to the reasonable safeguards section of the Privacy Rule as a “mini-security rule” and opine that covered entities must comply with the security rule as soon as possible.  Although some of a covered entity’s reasonable safeguards may fall into categories of the security rule, for example locking up at night, Security Rule compliance and Privacy Rule compliance are separate efforts and are enforced by separate entities.

Although they are separate from a regulatory standpoint, the Security Rule and the Privacy Rule overlap in a number of areas.  These areas of overlap should be used both to ensure consistency in your HIPAA policies and procedures and, for those still working to complete Security Rule compliance, to save time.  For example, as part of implementing the Privacy Rule, a covered entity should have determined what amount of information each employee needs access to in order to perform her job.  This information can be reused for Security Rule compliance when determining and establishing each employee’s access authorization.

© 2005 Gilliland & Markette LLP