HIPAA Round Two:
Preparing for the Security Rule

What Does the Security Rule Cover?

According to the Federal Register, the security rule defines the administrative, physical, and technical safeguards necessary to protect the confidentiality, integrity, and availability of electronic health information. The rule requires those affected to implement basic safeguards to shield electronic protected health information from unauthorized access, alteration, deletion, or transmission. The security rule does not apply to protected health information in nonelectronic form. In addition, the final rule does not cover the proposed standards for electronic signatures that were originally included in the proposed security rule from 1998.

What is Electronic Protected Health Information?

Electronic protected health information is individually identifiable health information that is transmitted by electronic media or maintained in electronic media.

Who is Affected? What is a “Covered Entity”?

The standards apply to health plans, health care clearinghouses, and health care providers that create, receive, maintain, or transmit any protected health information in electronic form.

To comply with the security rule, those health care providers affected must have it implemented by April 20, 2005.

TABLE 1: ADMINISTRATIVE SAFEGUARDS
REQUIRED STANDARDS
  • Risk Analysis
  • Risk Management
  • Sanctions Policy
  • Information System Activity Review
  • Security Incident Response and Reporting
  • Data Backup Plan
  • Disaster Recovery Plan
  • Emergency Mode Operations
  • Periodic Evaluations of Standards Compliance
ADDRESSABLE STANDARDS
  • Workforce Security Authorizations
  • Workforce Clearance Procedure
  • Information Access Authorization
  • Access Establishment and Modification
  • Security Training
  • Log-In Management
  • Password Management
  • Virus Protection
  • Security Reminders

TABLE 2: PHYSICAL SAFEGUARDS
REQUIRED STANDARDS
  • Workstation Use Analysis
  • Workstation Security
  • Disposal of Media
  • Media Reuse
ADDRESSABLE STANDARDS
  • Facility Access Contingency Plans
  • Facility Security Plan
  • Access Control and Validation
  • Accountability
  • Data Backup and Storage

TABLE 3: TECHNICAL SAFEGUARDS
REQUIRED STANDARDS
  • Unique User Identification
  • Emergency Access Procedures
  • Audit Controls
  • Person or Entity Authentication
ADDRESSABLE STANDARDS
  • Automatic Logoff
  • Access Encryption
  • Integrity Authentication of Stored and Transmitted Protected Information

The Department of Health and Human Services strived to make the rule scalable for all, from solo practitioners to large providers, groups, and hospitals. As the amount and type of resources employed to store and transmit electronic information vary greatly from place to place, the Department of Health and Human Services introduced a new concept called “addressable implementation specifications,” in addition to identifying some aspects of the security rule as required. This was designed to give flexibility in implementing the standards.

If a standard is identified as “addressable,” the covered entity must decide if the specification is reasonable and appropriate to be applied in its particular setting. Factors to consider when deciding include risks to the covered entity, cost to implement, and current security measures in place. Options for addressable standards are:

  • If the covered entity decides that the addressable standard is reasonable and appropriate for its situation, it must implement that standard.
  • If the standard is determined to be inappropriate and/or unreasonable, the covered entity may implement an alternative measure that accomplishes the same end, as long as it documents the decision not to implement the specified standard and the rationale to choose an alternate safeguard.
  • If the standard is neither reasonable nor appropriate for the covered entity (not applicable to the covered entity’s situation), it may choose to not implement the standard and not implement an alternative as long as it documents the decision and the rationale behind deciding the standard was not applicable.

In addition to categorizing standards as addressable or required, the Department of Health and Human Services listed three general categories of safeguards: administrative, physical, and technical.

Administrative Safeguards

Implementing the administrative safeguards consists primarily of creating policies and procedures to prevent, detect, contain, and correct security violations. Depending on the size of your organization, a multidisciplinary team may need to be formed to draft the policies.

The first required step is to perform a risk analysis to determine the potential risks for unauthorized uses, disclosures, or integrity losses of electronic protected health information. The risk analysis should include:

  • An inventory of all sources of electronic protected health information
  • A listing of who has access to the information, when they have access, and where they have access (including access from home)
  • An outline of the flow of electronic protected information transmission
  • A listing of storage locations and capacities of protected electronic health information
  • A listing of current security measures in place (i.e., when and how information is protected)
  • Analysis of areas where there could be potential confidentiality breaches

Once the risk analysis is complete, your organization can use this information when reviewing all of the “addressable” standards of the rule and documenting the decisions of whether the addressable standards will be implemented.

The security rule then requires covered entities to use the risk analysis information to perform risk management. This may include implementing encryption of some transmission of information, creating better data backup systems, limiting access to protected information, implementing audits, writing contingency plans, or upgrading current systems. Again, the emphasis of this rule is on implementing reasonable measures.

The federal government did realize that rapid advances in technology would mean changes in what is considered reasonable on a year-to-year basis. Therefore, the rule requires covered entities to perform periodic technical and nontechnical evaluations to review how their organizations are meeting the standards of the security rule. Another required standard of the rule is that covered entities implement an information system activity review — a process of regularly reviewing information activities through audit logs, access reports, incident reports, and the like.

Most of the ongoing review of the standards will be delegated to the Security Officer, a required assigned responsibility for each covered entity. For some organizations, the Security Officer will be a full-time position; for other organizations, it will be part of one employee’s duties. The Security Officer will have the overall responsibility of implementing the policies and procedures of the rule and completing the necessary documentation.

Other required elements of the administrative safeguards include:

  • Creating a sanctions policy against workforce members who fail to comply with policies created for the rule
  • Implementing a formal response and reporting procedure for known security incidents that allows for mitigation when appropriate
  • Developing contingency plans for responding to emergencies such as fires, vandalism, and system shutdowns that include data backup plans, disaster recovery plans, and emergency mode operations

As with the HIPAA Privacy Rule, the federal government is requiring all covered entities to identify all of their business associates with whom they may share electronic protected health information. Business associate contracts or agreements must be created to ensure that the business associate does not inappropriately use, maintain, or transmit protected electronic health information.

The rule also stipulates several “addressable” administrative safeguards. One of these is to analyze the workforce to determine who should or shouldn’t have access to electronic protected health information, document where they have access, and create procedures for both granting and terminating access to electronic protected health information.

Another addressable standard is creating a security awareness training program that covers periodic security reminders, protection against viruses and other malicious software, log-in monitoring, and password management. The amount and timing of training should be determined by each covered entity. Training should be an ongoing, evolving process in response to environmental and operational changes affecting the security of electronic protected health information.

Finally, testing and revising contingency plans and analyzing the criticality of data in contingency plans are currently considered “addressable” standards.

Physical Safeguards

A second category of security safeguards encompasses precautions referred to as physical safeguards. These also are divided into required and addressable elements.

One of the required physical safeguard standards is to analyze workstations and implement policies on what is to be maintained in a workstation, what functions are to be performed there, and who can have access to information in workstations. For workstations that can access protected electronic health information, access should be restricted to authorized users.

Other required physical safeguards are to implement policies for the disposal of electronic protected health information and the hardware/media on which it is stored. If media is to be reused, procedures must be in place for removal of protected information before it is reused. “Addressable” elements of physical safeguards include:

  • Establishing a policy to allow facility access during emergencies
  • Creating a procedure to prevent the facility from unauthorized physical break-ins and thefts
  • Implementing procedures to limit an individual’s physical access to facilities based upon his or her job role
  • Formalizing documentation of security related repairs
  • Maintaining records of movement of hardware and software in and out of facilities
  • Creating retrievable exact copies of electronic data

Technical Safeguards

Finally, the Department of Health and Human Services designated a category of standards referred to as technical safeguards. The first required standard is to implement a system of unique user identifications for identifying and tracking each user. In addition, procedures must be put in place to authenticate the person seeking access to electronic protected health information. Audit controls must be implemented for hardware and software activities. The final required technical standard is to establish procedures to get access to the protected electronic information during emergencies.

The rule also lists the “addressable” technical standards, which include implementing automatic logoffs, encryption and decryption technologies to be used for both access and transmission, and other mechanisms to ensure that the electronic protected health information has not been altered or destroyed in an unauthorized manner while in general use or during transmission.
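To make the information system activity review described earlier and the technical safeguards listed here concrete, the following Python script is an added example that is not part of the original article or of any product it mentions. It parses constructed audit-log lines and flags the events a reviewer should look at (a shared log-in that defeats unique user identification, a user missing from the access authorization list, access outside a user’s authorized hours, and a bulk export of records), then verifies a keyed integrity tag on stored records to detect unauthorized alteration. The log format, user list, hours, key, and record contents are all assumptions made for this illustration.

```python
"""Added illustration (not from the article): a minimal information
system activity review over constructed audit-log lines, plus a keyed
integrity check on stored ePHI records. Log format, user list, hours,
key and record contents are all assumptions made for this example."""
import hashlib
import hmac
from datetime import datetime

# Constructed sample audit log: ISO timestamp, user id, action, record id.
SAMPLE_LOG = """\
2004-11-03T09:12:41 jsmith VIEW PT-1001
2004-11-03T09:15:02 jsmith UPDATE PT-1001
2004-11-03T23:47:10 jsmith VIEW PT-2044
2004-11-03T10:02:55 frontdesk VIEW PT-1001
2004-11-03T10:30:19 bjones VIEW PT-3120
2004-11-04T08:05:33 jsmith EXPORT PT-1001
"""

# Constructed access-authorization list: who may reach ePHI and during
# which local hours (start inclusive, end exclusive).
AUTHORIZED = {
    "jsmith": {"role": "physician", "hours": (7, 19)},
    "mlee": {"role": "nurse", "hours": (7, 19)},
}
# Generic log-ins shared by several people defeat unique user identification.
SHARED_IDS = {"frontdesk", "admin", "nurse"}


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record})
    return events


def review_activity(events, authorized=AUTHORIZED, shared_ids=SHARED_IDS):
    """Return the events a reviewer should look at, each tagged with a reason."""
    findings = []
    for e in events:
        base = {"user": e["user"], "record": e["record"], "ts": e["ts"].isoformat()}
        if e["user"] in shared_ids:
            findings.append({"kind": "shared-id", **base})
            continue
        auth = authorized.get(e["user"])
        if auth is None:
            findings.append({"kind": "unauthorized-user", **base})
            continue
        start, end = auth["hours"]
        if not start <= e["ts"].hour < end:
            findings.append({"kind": "off-hours", **base})
        if e["action"] == "EXPORT":
            # Bulk copies of ePHI leaving the system warrant a second look.
            findings.append({"kind": "export", **base})
    return findings


# Constructed records and a constructed key; a real deployment keeps the key
# away from whoever can write the records, otherwise the tag proves nothing.
INTEGRITY_KEY = b"example-key-not-for-production"
ORIGINAL_RECORDS = {
    "PT-1001": b"name=A. Patient;dx=J06.9",
    "PT-2044": b"name=B. Patient;dx=I10",
}


def integrity_tag(data, key=INTEGRITY_KEY):
    """HMAC-SHA256 over the stored bytes; recomputed on read to detect changes."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


EXPECTED_TAGS = {rid: integrity_tag(data) for rid, data in ORIGINAL_RECORDS.items()}

# Simulate an unauthorized alteration of one stored record.
TAMPERED_RECORDS = dict(ORIGINAL_RECORDS)
TAMPERED_RECORDS["PT-2044"] = b"name=B. Patient;dx=Z00.0"


def verify_integrity(records, expected=EXPECTED_TAGS, key=INTEGRITY_KEY):
    """Return the ids of records whose current tag no longer matches."""
    return sorted(rid for rid, data in records.items()
                  if not hmac.compare_digest(integrity_tag(data, key), expected[rid]))


if __name__ == "__main__":
    for f in review_activity(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:17} {f['ts']} {f['user']} {f['record']}")
    print("altered records:", verify_integrity(TAMPERED_RECORDS))
```

Running the script lists four findings for review and reports `PT-2044` as the altered record. The review rules are deliberately simple; what matters for the rule is that the checks are run regularly, that the authorization list is the same one used to grant and terminate access, and that each finding is followed up and documented.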

Each covered entity will have to independently decide if it wants to encrypt e-mail communications with patients. Commentary in the rule states that the federal government considered the situations faced by small and rural providers and concluded that a simple and operable solution for encrypting e-mail with patients is not yet available. Covered entities were encouraged to use encryption for any patient communications over the Internet. If the original risk analysis demonstrated a significant risk that unauthorized individuals could access transmissions, then the Department of Health and Human Services will expect encryption to be put in place.

After the procedures and policies have been created, the documentation of these must be maintained for six years from the date of their creation or the date when they were last in effect. In addition, the documentation must be made available to anyone who is responsible for implementing the policies, and the documentation of the policies and procedures must be periodically reviewed and updated in response to system changes and technological advances. Analysis of your state law should also be performed to determine if any pre-emption exists.

The security rule will require almost all entities to perform a risk analysis and fully document their current practices with electronic protected health information. Keep in mind that the expectation is to implement reasonable systems. To comply with the security rule, many covered entities may not have to make many changes to their current practices, but all covered entities will have to go through the process of creating documentation for their current systems, formalizing documentation of policies and procedures that may already be in place, and documenting their decisions on whether to implement the “addressable” standards.

RELATED RESOURCES

The Text of the Security Rule
If you have a few decades of free time, and the stamina of a draft horse, you might consider reading the complete text of the security rule, accessible here through the Department of Health and Human Services. The Rule is more than 280 pages long, and, like most laws, is written in dense and dry language, so it likely won’t be the most fun reading you’ve ever done. However, the intrepid souls who do seek to master the rule will find that there’s no research like primary research. If you’re interested, the text of other relevant portions of HIPAA can also be found here.

Centers for Medicare and Medicaid Services (CMS)

This agency, the modern form of what used to be the Health Care Financing Administration (HCFA), administers Medicare and Medicaid benefits in the United States; the restructuring was part of a general effort to improve service to beneficiaries and providers. Some important information related to HIPAA, not available elsewhere, may be found through the link below.

HIPAAdvisory
This service of Phoenix Health Systems offers a variety of free resources, including HIPAA news, white papers, and feature length articles. A series of popular e-mail-based discussion groups allow professionals nationwide to discuss their experiences with the legislation, in order to share advice and information. Toolsets aimed at helping in privacy training and small provider assessment are also available here.

MD Net Guide on Internet Security
Having completed this article, you are no doubt anxious to begin the process of improving your information security measures, in order to achieve compliance by 2005. A basic primer on many elements of digital defense, including encryption, physical protection of a workstation, password selection, firewalls, and antivirus software, may be found in the online edition of the January 2003 issue of MD Net Guide.

The O&P Edge: Here Comes HIPAA Security
Jay Masci of the O&P Edge is the author of this ongoing series of articles related to HIPAA compliance; the one linked below serves as an introduction to a number of pieces dispensing practical, usable advice on achieving this compliance. Considerable reference material and links to related sites are also provided.

Even More Information
If you can’t find what you need at one of the sites listed above, try this site, which features a list of organizations that have published guidance, best practices, and white papers on HIPAA. Features include a glossary of terms, a HIPAA checklist, answers to frequently asked questions, info on electronic medical associations, and much, much more.

ABOUT THE AUTHOR: AMY HELWIG, MD
Dr. Amy Helwig practices family medicine at Quad/Med, the medical division of Quad/ Graphics. For Quad/Med she works as the Director of Medical Informatics, as well as serving as one of the clinic medical directors. Dr. Helwig received her medical training at the Medical College of Wisconsin and her master’s in Medical Informatics from the Milwaukee School of Engineering/Medical College of Wisconsin. She has served on the MD Net Guide Editorial Board since the journal’s inception. Dr. Helwig’s previous article on the subject of HIPAA compliance was originally published in the May 2002 edition of MD Net Guide.

 

