Chapter 10: Fundamentals of Law for Health - HIPAA Security Rule Notes
The administrative safeguards of the Security Rule contain an implementation specification that requires:
A single individual to be responsible for overseeing the information security program, generally identified as a security officer or chief security officer This parallels the privacy rule, which requires an individual in an organization to be designated responsible for overseeing privacy policies and procedures
The HITECH Act was designed to promote:
Widespread adoption of ehealth records and ehealth information exchanges (HIEs) to improve patient care and reduce healthcare costs
In the latter half of 2009, authority for oversight and enforcement of the HIPAA Privacy and Security Rules was:
Consolidated under the OCR (HHS)
The Security Rule itself comprises five general rules and a number of standards that encompass:
a. general requirements b. flexibility of approach c. standards related to administrative, physical and technical safeguards; organizational reqs, policies, procedures, and documentation requirements d. Implementation specifications e. maintenance of security measures
The 2010 proposed rule went info effect with publication of the Jan 2013 final rule titled:
'Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other Modifications to the HIPAA Rules" The 2011 rule is still pending
There are five technical safeguard standards
1. Access control 2. Audit controls 3. Integrity 4. Person or entity authentication 5. Transmission security
Section c. Standards, requires CEs or BAs to comply with the standards and BAs to comply with all standards except organizational requirements. The standards are divided into 5 categories:
1. Administrative safeguards 2. Physical safeguards 3. Technical safeguards 4. Organizational requirements 5. Policies, procedures, and documentation
There are three implementation specifications in this standard (workplace security - 3):
1. Authorization and/or supervision - A- must have procedures for ensuring that the workforce working with the ePHI has adequate authorization and/or supervision 2. Workforce clearance procedures - A - there must be a procedure to determine what access is appropriate for the workforce 3. Termination procedures - A - there must be a procedrue for terminating access to ePHI when a workforce member is no longer employed or responsibilities change
Organizational requirements include two standards:
1. Business associate contracts or other arrangements as required. There are 3 implementation specs: a. Business associate contracts R b. Other arrangements R - CE is in compliance if it has another arrangement in place that meets requirements c. Business associate contracts with subcontractors R 2. Group health plans requires the plan sponsor to reasonably and appropriately safeguard the confidentiality, integrity, and availability of ePHI. There is one implementation spec: a. Plan documentation R - plan docs of group health plan must require sponsor to implement admin, physical, and tech safeguards that protect the confidentiality, integrity and availability of ePHI that it creates
There are 9 Administrative Safeguard standards, 9, Business associate contracts and other arrangements:
1. CE may permit a BA to create, receive, maintain, or transmit ePHI on the CE's behalf only if the CE obtains satisfactory assurances in accordance with 164.314 that the BA will appropriately safeguard the info. A CE is not required to obtain such assurances from a BA that is a subcontractor 2. BA may permit a BA that is a subcontractor to create, receive, maintain, or transmit ePHI on BA's behalf only if the BA obtains satisfactory assurances that the subcontractor will appropriately safeguard the info 3. Written contract or other arrangement R - must document satisfactory assurances through a written contract or other arrangement with the business associate that meets the applicable requirements of the contract
The Security Rule applies to the following covered entities (CEs):
1. Covered healthcare providers-any provider of medical or other healthcare services or supplies that transmits any health info in eform in connection w/a transaction for which HHS has adopted a standard 2. Health plans-any individual or group plan that provides or pays the cost of HC (ex: a health insurance issuer or Medicare and Medicaid programs) 3. Healthcare clearinghouses-public or private entities that process another entity's healthcare transactions from a standard format to a nonstandard format or vice versa
Two primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule 1.:
1. Electronic vs. paper vs. oral: The Privacy Rule applies to all forms of PHI, whether electronic, written, or oral In contrast, the narrower Security Rule covers only PHI that is in electronic form. It does not cover paper or verbal PHI
General requirements (section a) of the Security Rule consists of four actions that a CE and a BA must take:
1. Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted by the CE and BA 2. Protect the security or integrity of ePHI from any reasonably anticipated threats or hazards 3. Protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required under the Privacy Rule 4. Ensure compliance with the Security Rule by its workforce
There are 4 physical safeguard standards
1. Facility access controls 2. Workstation use 3. Workstation security 4. Device and media controls
Section d. Implementation SpecificationsL The CE or BA is in compliance with an addressable specification if it:
1. Implements the addressable specification as written, or 2. Implements an alternative or 3. Documents that the risk for which the addressable implementation specification was provided either does not exist in the org or exists with a negligible probability of occurrence
There are two standards for policies, procedures, and documentation:
1. Policies and procedures - A CE or BA may change its policies and procedures at any time, provided those changes are documented and implemented 2. Documentation - requires the policies implemented comply with security rule in written form a. Time limit R - must retain documentation for 6 years from date of its creation or date when it was last in effect, whichever is later b. Availability R - must make docs available to those responsible for implementing policies/procedures c. Updates R - must review documentation periodically and update as needed
Administrative Safeguard standards / Security management process: There are four implementation specifications in this section (implementation specifications that are required are marked with 'R')
1. Risk analysis R - must conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI 2. Risk management R - must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the security standards 3. Sanction policy R-must apply appropriate sanctions against workforce members who fail to comply with their security policies and procedures 4. Information system activity review - R - must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
There are 9 Administrative Safeguard standards (614.308), 1:
1. Security management process requires the implementation of policies and procedures to prevent, detect, contain, and correct security violations
Section b. Flexibility of approach allows a CE and a BA to implement the standards and their implementation specifications reasonably and appropriately. The section lists four factors to be taken into account when deciding on the most appropriate security measures:
1. The CEs or BAs size, complexity, and capabilities 2. The security capabilities of the CEs or BAs hardware and software 3. The costs of security measures 4. The probability and criticality of potential risks to ePHI
The security standards in HIPAA were developed for two primary purposes:
1. To implement appropriate security safeguards to protect e-healthcare information that may be at risk 2. To protect an individual's health information while permitting appropriate access and use of that information
To assist CEs, and now BAs, in implementing the Security Rule, the following process is recommended:
1. assess current security risks, and gaps 2. develop an implementation plan 3. implement solutions 4. document decisions 5. reassess periodically
Congress published the first set of security standards for public comment in
1998. At that time, many of the public comments concluded that the rules were too prescriptive and not flexible enough As a result, the final rule includes standards defined in general terms, focusing on what sb done rather than how it should be done
Two primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule 2:
2. "Safeguard" Requirements in Privacy Rule: The Privacy Rule contains provisions that requires CEs to adopt administrative, physical, and technical safeguards for PHI. While Security Rule compliance was required in 2005 at the earliest, actions taken by CEs to implement the Privacy Rule may have addressed some security requirements. However, the Security Rule provides for more comprehensive and detailed security requirements
Section e, Maintenance, requires:
A continuing review of the reasonableness and appropriateness of a CE's or BA's security measures It requires a CE or BA review and modify security measures if necessary and to update documentation of such measures
On feb 16, 2006, the HHS published a final rule for imposing civil monetary penalties on CEs that violate any of the HIPAA administrative simplification requirements. The 2006 HIPAA Enforcement Rule created:
A uniform compliance and enforcement mechanism that addresses all the administrative simplification regulations, including privacy, security, and transactions and code sets
The flexibility and scalability of the standards make it possible for
Any CE, regardless of size, to comply with the Rule
CEs were expected to be in compliance with the final Security rule by:
April 20, 2005, and small health plans by April 2006.
There are 9 Administrative Safeguard standards, 2:
Assigned security responsibility requires the identification of the security official responsible for overseeing development of the orgs security policies and procedures. There are no implementation specifications with this standard - R (required)
The definition of a BA has been revised to include subcontractors of BAs, who must also follow the Security Rule or be held liable for violations
BAs must execute BA agreements with their subcontractors as well In addition, the definition of a BA has been expanded to include entities that manage the exchange of PHI through networks, including patient locator services, e-prescribing gateways, others that provide data transmission services of PHI to a CE and require routine access to such information, or vendors that contract with CEs to offer personal health records to patient as part of the CEs, EHRs
Section d. Implementation Specifications, contains detailed instructions for implementing a particular standard. Specifications are either required or addressable. A required specification must:
Be present for the CE or BA to be in compliance. Other standards are considered "addressable implementation specifications" to provide the CE or BA flexibility.
There are 9 Administrative Safeguard standards, 7, Contingency plan
Contingency plan includes 5 implementation specs: 1. Data backup plan R - must have procedures to create and maintain an exact retrievable copy of ePHI 2. Disaster recovery plan R - must include procedures to restore any lost data 3. Emergency mode operation plan R - must have procedures that provide for the continuation of critical business processes needed to protect ePHI while operating an emergency mode 4. Testing and revision procedures A - should have a procedure to test and modify all contingency plans periodically 5. Applications and data criticality analysis A - should assess the relative criticality of specific applications and data in support of contingency plans
The safeguards outline contains an overlap in the sections, for example:
Contingency plans are covered under both administrative and physical safeguards, and access controls are addressed in several standards and specifications
The HITECH establish four categories of violations that reflect increasing levels of culpability, with corresponding tiers of penalty amounts. The nature and extent of both the violation and harm are used to:
Determine the amount assessed within each range. The OCR may choose to pursue corrective action w/out assessing penalties for unknowing violations, but penalties are mandatory in all other categories. Penalty monies collected will support further enforcement efforts
The Security Rule defines electronic media to mean:
Electronic storage media including memory devices in computer hard drives and any removable or transportable digital memory medium, such as magnetic type storage or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media, such as intranet, extranet, leased lines, dial-up lines, private networks, and physical, removable, transportable electronic storage media
CMS continues to have authority for:
Enforcement of administrative simplification regulations other than privacy and security (preventing HC fraud and abuse, and medical liability reform)
The Security Rule requires CEs and BAs to:
Evaluate their risks and vulnerabilities and implement policies and procedures to address them A CE or BA may decide not to implement an addressable standard
There are 9 Administrative Safeguard standards, 8, Evaluation:
Evaluation requires the periodic performance of technical and nontechnical evaluations in response to environmental or operational changes affecting the security of ePHI
Thus, the Security Rule now applies to a broader range of individuals and orgs in an effort to:
Further protect the privacy and confidentiality of ePHI
To address the growing concern for the use of devices and tools that enable access to or use of ePHI outside the CE's physical purview, HHS issued a:
HIPAA Security Guidance report on remote access The report lists risks of offsite use or access and possible risk management strategies for identified risks It also contains potential security strategies for conducting business activities through (1) portable media/devices (such as USB flash drives) that store ePHI and (2) offsite access or transport of ePHI via laptops, personal digital assistants, home computers, and other personal equipment The report also encourages rigor in policy and procedure development for offsite use or access to ePHI
Changes to the HIPAA Privacy and Security Rules were passed in Feb 2009 as part of the
HITECH Act of the ARRA Act of 2009
The Security Rule applies to:
Individuals or orgs identified as CEs, and, with the recent enactment of the HITECH provisions, business associates (BAs) and the subcontractors of BAs
HITECH moved to correct the weakness in BA standards by
Making BAs subject to compliance with the Security Rule provisions mandating administrative, physical, and technical safeguards, in addition to adherence to the terms of their BA agreements They must also adhere to Privacy Rule reqs discussed in chapter 9 / BAs that violate the provisions are subjected to civil and criminal penalties
The Privacy Rule governs the
Privacy of protected health information (PHI) regardless of the medium in which the information resides, whereas the security rule governs PHI that is transmitted by or maintained in some form of electronic media (that is, electronic protected health information, or ePHI)
HIPAA consists of 5 titles, the Security Rule is one of five administrative simplification provisions in the law
Privacy, security, transaction code sets, unique national provider identifiers, and enforcmement
The scope of the Security Rule is to:
Protect individually identifiable health info that is transmitted by or maintained in any form of electronic media
Title II of the HIPAA law was designed to
Protect not both the privacy and security of healthcare data and information
There are 9 Administrative Safeguard standards, 5: Security awareness training
Requires the implementation of awareness and training programs for all members of its workforce: 1. security reminders (A) - should conduct periodic security updates 2. Protection from malicious software (A) - should have procedures for guarding against, detecting, and reporting malicious software 3. log-in monitoring (A) - should have procedures for monitoring log-in attempts and reporting discrepencies 4. Password mgmt (A) - should have procedures for creating, changing, and safeguarding passwords
Physical safeguard 3. Workstation security
Requires the implementation of physical safeguards for all workstations that are used to access ePHI and restrict access to authorized users R
There are 9 Administrative Safeguard standards, 4: Information access management
Requires the implementation of policies and procedures for authorizing access to ePHI. There are 3 implementation specs w/in this standard: 1. Isolating hc clearinghouse functions (R) 2. Access authorization (A) 3. Access establishment and modification (A)
Physical safeguard 4. Device and media controls
Requires the implementation of policies and procedures for the removal of hardware and electronic media that contain ePHI into and out of a facility, as well as movement within a facility. There are 4 implementation specs with this standard: 1. Disposal R 2. Media reuse R 3. Accountability R 4. Data backup and storage R
Physical safeguard 2. Workstation use
Requires the implementation of policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can be used to access ePHI. R
There are 9 Administrative Safeguard standards, 6, Security incident reporting
Requires the implementation of policies and procedures to address security incidents: 1. Response and reporting (R) - identify and respond to suspect or known security incidents, mitigate, to extent practicable, harmful effects of security incidents that are known to the CE or BA; and document security incidents and their outcomes
There are 9 Administrative Safeguard standards, 3: Workplace security
Requires the implementation of policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent these workforce members who do not have access from obtaining access
Physical safeguard 1. Facility access controls
Requires the implementation of policies and procedures to limit physical access to its electronic information systems and the facilities in which they are house to authorized users. There are 4 implementation specs w/in this standard: 1. Contingency operations A - should have procedurs to allow facility access to support the restoration of lost data under the disaster recovery plan and emergency mode operations plan 2. Facility security plan A - must have policies and procedures to safeguard the facility and equipment from unauthorized access, tampering, and theft 3. Access control and validation procedures A - should have procedures to control and validate access to facilitate based on user's roles or functions 4. Maintenance records A- should have policies and procedures to document repairs and modifications to the physical component of a facility as they relate to security
The final rule established
Security standards to protect ePHI
The Privacy and Security Rules work in tandem to protect health information. The Privacy Rule set standards for how PHI:
Should be controlled by establishing uses and disclosures that are authorized or required and what rights patients have in regard to their health information
HIPAA requires the use of
Standards for e-transactions containing healthcare data and information as a way to improve the efficiency and effectiveness of the healthcare system
Until HIPAA was enacted, there were no generally accepted
Standards for protecting health information There were, however, a number of state and federal initiatives that addressed privacy
To achieve goals in improvement in patient care and reducing hc costs, HITECH identified requirements to:
Strengthen the privacy and security protections under HIPAA to ensure patients and hc providers that their ehealth information is kept private and secure In July 2010 and May 2011, HHS published proposed rules to implement some of the HITECH provisions and modify other HIPAA requirements
Who was responsible for oversight and enforcement of the Security rule until 2009
The Centers for Medicare and Medicaid Services (CMS), while the Office of Civil Rights (OCR) w/in HHS oversaw and enforced the Privacy Rule
With increased reliance on the use of information tech to electronically capture, store, retrieve, transmit, and exchange health information, Congress recognized the need for national security standards, resulting in:
The HIPAA Security Rule
As of July 27, 2009, the responsibility for oversight and enforcement of the Security Rule transitioned to:
The OCR; notable changes to enforcement and penalty provisions for HIPAA have occurred due to the passage of the HITECH Act; these are basically the same for both the Privacy and Security rules
The HIPAA Security Rule requires covered entities (CEs) to ensure
The integrity and confidentiality of information, to protect against any reasonably anticipated threats or risks to the security and integrity of information, and to protect against unauthorized uses or disclosures of information CEs are the individuals and orgs that must comply with HIPAA
Prior to enactment of the HITECH provisions, BAs were not held to:
The same standards as CEs in regard to protection of health information. BAs become BAs by contract only, not by virtue of the types of functions they carried out Further, they were only obligated to follow the requirements set forth in their BA agreement or contract with a CE
Efforts were made to make the rule tech-neutral and flexible so that CEs could
choose the security measures that best meet their technological capabilities and operational needs to comply with the standards
The Security Rule was written to protect:
ePHI and to provide guidance for how electronic health information can be accessed appropriately
The security standards ultimately promote the use of
ehealth information in the industry, which is an important goals of HIPAA
The HIPAA Security Rule's third general rule, Standards is divided into:
five categories, three standards are identified as safeguards (administrative, physical, and technical); the remaining two deal with organizational requirements; and policies, procedures, and documentation
Ultimately the Security Rule seeks to ensure that CEs:
implement basic safeguards to protect ePHI from unauthorized access, alteration, deletion and transmission, while at the same time ensuring data or information is accessible and usable on demand by authorized individuals
The Dept of Health and Human Services (HHS) published the final Security Rule:
in the Federal Register, Health Insurance Reform, Security Standards, Final Rule on Feb 20, 2003
Key components of an information security checklist:
•Access control and management •Audit and accountability •Awareness and training •Business associates and other nonemployees •Computer workstation •Contingency and disaster recovery planning •Incident reporting and response •Media protection and controls •Mobile and portable device security •Personnel security procedures •Physical and environmental protection •Policies, procedures, and plans •Remote access •Risk analysis and management •Transmission security