The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes a minimum standard for the security of electronic Protected Health Information (ePHI). The Security Rule requires that basic safeguards be implemented to protect ePHI from unauthorized access, alteration, deletion or transmission. Most Covered Entities were required to comply with the Security Rule by April 20, 2005; small health plans had an additional year to comply. The Security Rule was later amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted in 2009, most of whose security provisions took effect in 2010.
- The HIPAA Privacy Rule governs who may access Protected Health Information (PHI) and how PHI may be used and disclosed. The HIPAA Privacy Rule governs PHI that is oral, electronic or written.
- The HIPAA Security Rule includes administrative, physical and technical security standards that are intended to ensure that only those individuals who should have access to ePHI actually have access to this information. The HIPAA Security Rule only governs ePHI and requires that security measures be in place to protect ePHI.
This Legislative Brief provides an overview of the HIPAA Security Rule’s standards and implementation specifications.
What entities are regulated by the HIPAA Security Rule?
The HIPAA Security Rule directly regulates the following Covered Entities:
- Health plans;
- Health care clearinghouses;
- Health care providers that conduct certain transactions electronically; and
- Endorsed sponsors of the Medicare prescription drug discount card.
The Security Rule indirectly regulates plan sponsors. Third parties that receive ePHI and qualify as Business Associates must comply with many provisions of the Security Rule. Covered Entities and Business Associates must also enter into agreements requiring them to comply with the restrictions contained within the Security Rule.
What information is governed by the HIPAA Security Rule?
The HIPAA Security Rule governs ePHI, which is a subset of PHI. PHI is individually identifiable health information that:
- Is oral, written or electronic;
- Is created or received by a Covered Entity; and
- Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual.
Electronic PHI is PHI that is in an electronic format. For example, this includes PHI that is stored on a CD, sent via email or stored on a computer. PHI that is transmitted via paper-to-paper fax, person-to-person telephone call, video teleconference or voicemail message is not considered to be in electronic form, because the information did not exist in electronic form before the transmission, and it is therefore not governed by the HIPAA Security Rule. However, telephone voice response systems are governed by the HIPAA Security Rule because they are used as input and output devices for computers.
What is required by the HIPAA Security Rule?
The HIPAA Security Rule requires that Covered Entities do the following:
- Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of this information;
- Protect against reasonably anticipated uses or disclosures of this information that are not permitted or required under the HIPAA Privacy Rule; and
- Ensure their workforce complies with the procedures implemented to comply with the HIPAA Security Rule.
The security standards are divided into the following three categories:
- Administrative safeguards;
- Physical safeguards; and
- Technical safeguards.
A complete list of the administrative, physical and technical safeguards is included below.
Are Covered Entities required to implement all of the safeguards set forth in the HIPAA Security Rule?
The Security Rule allows Covered Entities some flexibility in determining how to implement the standards and implementation specifications, including choosing which technology they will employ to achieve the required security standards. In deciding how to implement security measures, a Covered Entity is permitted to take into account:
- Its size, complexity and capabilities;
- Its technical infrastructure, hardware and software security capabilities;
- The costs of security measures; and
- The probability and criticality of potential risks to health information.
However, the Department of Health and Human Services (HHS) has stated that cost alone is not a justification for failing to implement a procedure. In an effort to provide Covered Entities with additional flexibility with respect to complying with the Security Rule, the regulations set forth two categories of implementation specifications: “required” and “addressable.”
What are “required” implementation specifications?
When an implementation specification within the Security Rule is “required,” the Covered Entity must meet that implementation specification as written. The following are examples of “required” implementation specifications:
- Enter into business associate contracts with third parties that use, disclose or receive ePHI on behalf of a Covered Entity;
- Conduct a risk analysis; and
- Control access to ePHI through the use of unique user identification.
What are “addressable” implementation specifications?
“Addressable” implementation specifications are not optional. Rather, a Covered Entity is provided more flexibility in determining how it will comply with an “addressable” implementation specification. If an implementation specification is “addressable,” a Covered Entity is required to do one of the following:
- If an “addressable” implementation specification is reasonable and appropriate, then the Covered Entity must implement it.
- If an “addressable” implementation specification is not appropriate and/or reasonable, then the Covered Entity must implement an alternate measure that accomplishes the same result, if reasonable and appropriate.
- If an “addressable” implementation specification is not applicable to the situation and the standard can be met without an alternate measure in place of the “addressable” implementation specification, the Covered Entity can choose not to implement the “addressable” implementation specification.
In all cases, a Covered Entity should document the reasons for each of its decisions and the procedures implemented to comply with the Security Rule.
Are Covered Entities required to implement policies and procedures?
Yes. Covered Entities are required to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule’s standards and implementation specifications. These policies and procedures must be documented in written form, which may be electronic. A Covered Entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI. Documentation supporting its security policies must be retained for a minimum of six years from the date of its creation or the date when it was last in effect, whichever is later.
What are business associates required to do?
Organizations that create, receive, maintain or transmit ePHI when performing services on behalf of a Covered Entity (business associates) must also comply with the provisions of the Security Rule. They are also required to sign a business associate agreement that includes an obligation to comply with the HIPAA Security Rule. As with the HIPAA Privacy Rule, a business associate should also modify its own policies to comply with the HIPAA Security Rule. Each business associate’s compliance procedures will be unique, since its implementation of the security standards will depend upon how it uses and discloses ePHI.
Where should I start?
Whether you are a Covered Entity or a business associate, the first step toward compliance with the HIPAA Security Rule should be an assessment of how your organization uses and discloses ePHI. For example: “Where is ePHI stored?”, “When is it transmitted?” and “Who has access?” Your next step should be to involve your IT department. While many may see HIPAA Security as a “health plan” issue, it will take the cooperation of your IT department to successfully implement a HIPAA Security compliance program. In addition, some organizations will likely need to seek outside assistance from an attorney or IT consultant in order to establish the policies and procedures required by the HIPAA Security Rule. Covered Entities should periodically review their HIPAA Security compliance program and make any necessary updates to reflect, for example, the use of new technology or changes in how ePHI is used and disclosed.
Where can I get more information?
More information on federal health information privacy, including compliance with the HIPAA Security Rule, is available from HHS at: www.hhs.gov/ocr/privacy/hipaa/understanding/index.html.
HIPAA Security Rule Safeguards
R = Required, A = Addressable. Administrative safeguards are found at 45 CFR 164.308, physical safeguards at 164.310 and technical safeguards at 164.312.

| Standard | 45 CFR section | Implementation specifications |
|---|---|---|
| Security Management Process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R) |
| Assigned Security Responsibility | 164.308(a)(2) | (R) |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Functions (R); Access Authorization (A); Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A); Applications and Data Criticality Analysis (A) |
| Evaluation | 164.308(a)(8) | (R) |
| Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement (R) |
| Facility Access Controls | 164.310(a)(1) | Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A) |
| Workstation Use | 164.310(b) | (R) |
| Workstation Security | 164.310(c) | (R) |
| Device and Media Controls | 164.310(d)(1) | Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A) |
| Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A) |
| Audit Controls | 164.312(b) | (R) |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic PHI (A) |
| Person or Entity Authentication | 164.312(d) | (R) |
| Transmission Security | 164.312(e)(1) | Integrity Controls (A); Encryption (A) |
Material posted on this website is for informational purposes only and does not constitute a legal opinion or medical advice. Contact your legal representative or medical professional for information specific to your legal or medical needs.