April 7, 2003

What the New Security Rule Means for Your HIPAA Compliance Plan

Shannon Britton Hartsfield

On February 20, 2003, a mere 53 days before the Privacy Rule deadline, the Department of Health and Human Services issued a final Security Rule implementing portions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  The Security Rule has significant implications for covered entities as they work toward privacy compliance.  The HIPAA Privacy Rule requires a covered entity to develop appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI).  If PHI stored in electronic form is not secure, the covered entity will not be compliant with the Privacy Rule, even though the Security Rule itself is not yet enforceable.  In the preamble to the Security Rule, the Department of Health and Human Services ("HHS") observed that "the protection of the privacy of information depends in large part on the existence of security measures to protect that information."  Although the Security Rule technically is not enforceable until April of 2005, entities covered under the "administrative simplification" provisions of HIPAA would be wise to pay close attention to what it requires.

What the Security Rule Says

Unlike the Privacy Rule, the new Security Rule applies only to electronic protected health information (ePHI), which is individually identifiable health information transmitted or maintained in electronic media.  It covers ePHI that is being stored, as well as ePHI that is being transmitted.  Communication of information that is not in electronic form prior to transmission, such as paper-to-paper faxes, person-to-person telephone calls, video conferencing and voice mail messages, is not covered under the rule.

The Security Rule contains four primary requirements for all covered entities.  Covered entities must:

  • "Ensure" the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted;
  • Protect against "reasonably anticipated" security or integrity threats or hazards;
  • Protect against reasonably anticipated uses or disclosures of ePHI that are not allowed or required under the Privacy Rule; and
  • "Ensure" workforce compliance.

HHS, in the preamble to the Security Rule, stated that Congress' intent in its use of the word "ensure" in the HIPAA statute "was to set an exceptionally high goal for the security of electronic protected health information."  HHS recognizes, however, that "there is no such thing as a totally secure system that carries no risks to security," and that Congress also did not intend to require covered entities to implement protections "no matter how expensive."  When the Security Rule states that a covered entity must ensure the safety of ePHI, HHS intends that the covered entity should take steps to protect the information "to the best of its ability."  This will require balancing the risks, as well as the costs of the protective measures, and it will also depend on the entity's size, complexity, and capabilities.  HHS has also stated, however, that, while cost is one factor to consider, cost does not free covered entities from the responsibility of implementing adequate security measures.

For the most part, the Security Rule does not dictate the use of a particular type of technology.  One of HHS's goals was to "frame the standards in terms that are as generic as possible and which, generally speaking, may be met through various approaches or technologies."  A covered entity may use any security measures that allow it to "reasonably and appropriately" implement the required standards.  When deciding what security measures to use, covered entities should consider their capabilities in light of their size, complexity, technical infrastructure, costs, and the probability and criticality of potential risks to ePHI. 

In addition to the four primary requirements listed above, covered entities must implement three types of safeguards: administrative, physical, and technical.  There are particular implementation specifications in the Security Rule that are either "required" or "addressable."  Required implementation specifications are mandatory.  HHS introduced the concept of "addressable" implementation specifications to allow covered entities to have flexibility in designing their compliance program.  If a specification is "addressable," the covered entity should implement it unless implementation would not be "reasonable and appropriate" and the covered entity can document the reasons behind that conclusion.  The covered entity must implement an "equivalent alternative measure" if doing so would be reasonable and appropriate.  The Security Rule includes an appendix that lists in chart form the required and addressable implementation specifications.

I. Administrative safeguards

The Security Rule requires numerous administrative safeguards.  These safeguards set out steps the covered entity must take to protect the ePHI it holds.

A. Security Management Process

Covered entities must conduct a risk analysis, which involves an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.  Covered entities must also conduct risk management by implementing security measures to reduce risks and vulnerabilities to a reasonable and appropriate level.  The security management process must also involve a policy for sanctioning workforce members who fail to comply with the entity's policies and procedures.  Covered entities will also be required to establish a system to review audit logs, access reports, and security incident tracking reports.

B. Assigned Security Responsibility

Under the Privacy Rule, covered entities must appoint a Privacy Official to oversee compliance with its standards and specifications.  Similarly, the Security Rule requires covered entities to designate an individual as a "Security Official" who will develop and implement policies and procedures to protect ePHI. 

C. Workforce Security

All members of the workforce must have "appropriate" access to ePHI.  This means that unauthorized individuals do not have access to the information.  Three "addressable" specifications apply to workforce security.  First, covered entities should establish procedures for authorizing or supervising workforce members in locations where they might access ePHI.  They must also implement procedures to determine whether assigned access to a particular workforce member is appropriate.  Additionally, covered entities must have procedures in place to terminate access to ePHI when the workforce member leaves employment or no longer requires access.

D. Information Access Management

Covered entities must develop policies to authorize access to ePHI.  This standard has one required implementation specification and two addressable ones.  If the covered entity is a health care clearinghouse that is part of a larger organization, the clearinghouse must develop policies and procedures to prevent ePHI from being accessed by the larger organization.  The addressable specifications involve developing policies and procedures for granting workstation or other access to particular ePHI and for establishing, documenting, reviewing, and modifying a user's right of access.

E. Security Awareness and Training

The Security Rule contains three addressable specifications for implementing security awareness and training: periodic security updates; procedures for guarding against, detecting, and reporting malicious software; and procedures for managing passwords.

F. Security Incident Procedures

Covered entities are required to develop a system to identify and respond to "security incidents."  When an incident occurs, covered entities must mitigate, to the extent practicable, known harmful effects stemming from the incidents.  The covered entity must document these incidents and their outcomes.

G. Contingency Plans

In the event of fire, system failure, vandalism, natural disaster, and similar events that could damage systems containing ePHI, covered entities must establish and implement policies and procedures to respond.  There are three required implementation specifications for the contingency plan standard.  Covered entities must have a data backup plan, a disaster recovery plan, and procedures to allow the covered entity to continue operating in the event of an emergency.  As an addressable specification, covered entities must also address testing and revision procedures for contingency plans.  A second addressable specification involves assessing the relative criticality of data and specific applications as they relate to other contingency plan components.

H. Evaluation

The Security Rule requires periodic technical and nontechnical evaluations to determine how environmental or operational changes affect the security of ePHI.  These evaluations should be used to determine whether the covered entity's security policies and procedures comply with the Security Rule.

II. Physical safeguards

The Security Rule includes four standards relating to the physical protection of ePHI: facility access controls, workstation use, workstation security, and device and media controls.  HHS has stated that a covered entity must consider facility security even when other organizations are located in the same building.  Covered entities must limit physical access to their electronic systems, and to the facilities in which those systems are housed, to those who have authorized access.  This must be done through four addressable implementation specifications dealing with topics such as disaster recovery; protection against unauthorized access and theft; validating a person's access based on their role and function; and documenting repairs and modifications to security-related aspects of the physical plant, such as doors and locks.  Workstation use and security involves implementing policies and procedures specifying which workstations can access ePHI and how the workstations will be safeguarded from unauthorized users.

Physical safeguards also include policies and procedures governing devices and media and how they move within and outside the facility.  Covered entities are required to have policies and procedures addressing the final disposition of ePHI, including the media on which it is stored.  If media will be re-used, such as computer disks, there must be procedures in place to ensure removal of ePHI before the media are re-used.  Addressable requirements dealing with device and media controls involve data backup and storage and methods of tracking the movements of hardware and electronic media.

III. Technical safeguards

The Security Rule contains five standards relating to technical safeguards.  The first standard, access control, requires covered entities to set up mechanisms to restrict technical access to electronic systems.  This will require unique names or numbers for identifying and tracking user identity.  It will also require procedures for obtaining necessary ePHI during an emergency.  Covered entities must consider addressable requirements relating to automatic logoff procedures.  Interestingly, encryption is not required under the Security Rule, but it is an addressable implementation specification.  HHS stated in the preamble, however, that when the data is subject to significant risk, the transmission should be encrypted.  HHS made the use of encryption an addressable, instead of a required, implementation specification because it recognizes that a simple encryption solution is not yet available for e-mail communications with patients.

Another technical safeguard standard concerns audit controls, which involve hardware, software, or procedural mechanisms to record and examine activity relating to systems containing ePHI.  The integrity standard requires covered entities to implement policies to make sure that ePHI is not improperly altered or destroyed.  Other technical safeguards include person or entity authentication and transmission security to guard against unauthorized access to ePHI while it is being transmitted electronically.  Again, encryption is not required, but it is something that must be addressed.

IV. Organizational requirements

A. Business Associate Agreements

The Privacy Rule requires covered entities to obtain written assurance that their business associates, including third parties who use and disclose protected health information on behalf of the covered entity, will protect the information.  If a business associate will be dealing with ePHI, the Security Rule requires covered entities to have written agreements in place specifically addressing the protection of the electronic information.  Business associate agreements are not required for transmissions of ePHI by a covered entity to a health care provider concerning treatment.  Similarly, they do not apply to the transmission of ePHI by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, as long as the disclosure is otherwise allowed under HIPAA.

The Security Rule tweaks the Privacy Rule's requirements for business associates that create, receive, maintain, or transmit ePHI on behalf of a covered entity.  Although a standard Privacy Rule agreement may contain some of the provisions required by the Security Rule, the Security Rule requires the contract to address ePHI specifically.  The contract must state that the business associate will:

1. Implement administrative, physical, and technical safeguards that "reasonably and appropriately" protect the ePHI that the business associate creates, receives, maintains, or transmits on behalf of the covered entity;

2. Ensure that agents and subcontractors to whom the business associate provides ePHI agree to implement "reasonable and appropriate safeguards" to protect the data;

3. Report to the covered entity any "security incident" (which includes attempted or successful unauthorized access, use, disclosure, or tampering with system operations) of which it becomes aware; and

4. Authorize contract termination by the covered entity if the business associate violates a material term of the contract.

B. Requirements for group health plans

The Security Rule contains special provisions addressing disclosures of ePHI from a group health plan to a plan sponsor.  Unless the plan is disclosing only summary information, enrollment and disenrollment data, or information pursuant to an individual's authorization, the plan cannot disclose ePHI to the sponsor unless, by the compliance deadline, the plan documents are amended to specifically address the protection of ePHI.  The documents must incorporate provisions requiring the plan sponsor to:

1. Implement administrative, physical, and technical safeguards to "reasonably and appropriately" protect ePHI that the sponsor creates, receives, maintains, or transmits on behalf of the group health plan;

2. Use reasonable and appropriate security measures to ensure adequate separation between plan administrative functions and other general business functions of the plan sponsor;

3. Ensure that agents and subcontractors who receive ePHI from the plan sponsor agree to implement reasonable and appropriate security measures to protect the information; and

4. Report security incidents to the group health plan.

V. Policies and procedures

Like the Privacy Rule, the Security Rule requires written policies and procedures.  The rule states that these policies must be "reasonable and appropriate," and should take into account factors such as the covered entity's size, complexity and capabilities; available technical infrastructure; cost; and the probability and criticality of potential risks to ePHI.  The policies must be documented in writing and can be in electronic or hard copy form.  Documentation required by the Security Rule must also be in writing.  Policies and documentation must be maintained for six years from the date of creation or when the document was last in effect, whichever is later.  Policies and documentation must be made available to those responsible for implementing the entity's procedures, and they must be reviewed and updated periodically.

VI. Compliance deadlines

Currently, the rule text indicates that health care providers, clearinghouses, and health plans (other than small health plans) must comply "no later than April 20, 2005."  Small health plans must comply no later than April 20, 2006.  Curiously, the preamble to the Security Rule as published in the Federal Register states that the regulations are effective on April 21, 2003 and that most covered entities must comply by April 21, 2005.  This apparent one-day discrepancy should not have a substantial impact on compliance efforts, however.

What Covered Entities Should Do Now

Although the Security Rule is not enforceable until 2005, covered entities should begin now to address its requirements.  For example, covered entities that are still in the process of negotiating the business associate agreements required under the Privacy Rule should consider adding in language dealing with ePHI as required by the rule so the agreements will not have to be re-negotiated by the 2005 deadline. 

If a security breach results in an improper use or disclosure of protected health information held by a covered entity, the entity may be subject to substantial penalties under the Privacy Rule.  Therefore, it would be prudent to go ahead and begin assessing any potential security problems and how the entity will implement the Security Rule's requirements.  The covered entity can begin by reviewing the text of the Security Rule itself, which is available in the February 20, 2003 version of the Federal Register (volume 68, number 34).  As part of this process, the covered entity should document what it is already doing and what it needs to do in the future to comply with each requirement.

HHS has stated that "security and privacy are inextricably linked."  Therefore, covered entities should begin to make technical and physical safeguards of ePHI an integral component of their HIPAA compliance plans.


[1] This article is scheduled for publication in an upcoming edition of the Telehealth Practice Report and is reprinted here with permission.
