April 2003 - HIPAA PRIVACY AND SECURITY STANDARDS

The HIPAA Privacy Standards and the recently issued final Security Standards both require covered entities to implement appropriate administrative, technical, and physical safeguards to reasonably safeguard protected health information (“PHI”) from any intentional or unintentional use or disclosure. The Privacy Standards apply to all PHI, whether electronic or not. The Security Standards apply only to electronic PHI.

Although the compliance date for the HIPAA Security Standards is not until 2005, safeguarding electronic information is required under the Privacy Standards, for which compliance must be met by April 14, 2003. Because these two rules are interrelated, in order to fully comply with the Privacy Standards, organizations will need to understand and implement a number of the requirements outlined in the Security Standards.

Risk Analysis and Management

The Security Standards require covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of their electronic PHI. Once these risks and vulnerabilities have been assessed, the covered entity must implement security measures that are sufficient to reduce them. In preparation for compliance with the Privacy Standards, organizations should already have conducted a gap analysis, including mapping their electronic PHI data flow to determine how and where electronic PHI moves throughout the organization and whether PHI is being exchanged with outside entities such as business partners. The risk analysis required under the Security Standards can build on this initial gap analysis.

Security Incident Procedures

Under the Security Standards, a covered entity must have policies and procedures to address “security incidents” (security breaches or events), including documenting security incidents and their outcomes. Under the Privacy Standards, covered entities must have in place policies and procedures that implement appropriate safeguards to protect PHI, including electronic PHI, from any intentional or unintentional use or disclosure that is in violation of the Privacy Standards.

The policies and procedures required under the Security Standards can, again, build on the policies and procedures for electronic PHI required under the Privacy Standards, but they should be more specific and include a contingency plan: that is, policies and procedures for responding to emergencies, covering data backup, disaster recovery and emergency mode operations plans.

Minimum Necessary/Information Access Management

Under the information access management standard of the Security Standards, a covered entity must implement policies, procedures and controls to limit physical and user access to its electronic information systems. A covered entity must assign its users unique identification codes and establish an emergency access procedure. These access policies and procedures will further entities’ efforts to comply with the Privacy Standards’ minimum necessary requirements.

Business Associates

Covered entities must obtain satisfactory assurances, in the form of a written contract, that their business associates will reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that they create, receive, maintain, or transmit on behalf of the covered entity. This may require modification of the business associate agreements that covered entities have already put in place to comply with the Privacy Standards. The Security Standards require business associates to:
  • Implement administrative, physical and technical safeguards that reasonably and appropriately protect electronic PHI;
  • Ensure that any agent, including a subcontractor to whom it provides this information agrees to implement reasonable and appropriate safeguards to protect electronic PHI;
  • Report to the covered entity any security incident of which it becomes aware; and
  • Authorize the covered entity to terminate the contract if the covered entity determines that the business associate has violated a material term of the contract. If termination is not feasible, the covered entity must report to the Secretary of HHS.

Accountability

The Privacy and Security Standards each require a specific person or group in a covered entity be assigned to ensure that PHI is appropriately safeguarded. Under the Privacy Standards this individual is the Privacy Officer. The Security Standards require a Security Official. The same individual may serve in both roles.

Training

Both rules require covered entities to provide training to make certain all employees understand both the importance of protecting PHI and the means by which they must do so.

Hybrid Entities

Hybrid entities are treated the same under both the Security and Privacy Standards. The requirements of both Standards apply only to the health care component of the entity. The health care component must ensure that it does not disclose PHI, including electronic PHI, to another component if the disclosure would be prohibited under the Privacy Standards were it made to a distinct legal entity.

Group Health Plans

The Security Standards provisions for health plans parallel the provisions in the Privacy Standards. A plan sponsor that receives more than summary electronic PHI from the group health plan must amend the plan documents to ensure that it will reasonably and appropriately safeguard the electronic PHI it creates, receives, maintains or transmits. It must also ensure that subcontractors implement reasonable and appropriate security measures; ensure that the adequate separation between the group health plan and the plan sponsor required by the Privacy Standards is supported by reasonable and appropriate security measures; and report to the group health plan when it becomes aware of any security incident.

The safeguards that are required for electronic PHI under the Privacy Standards can be determined by reviewing the principles and the requirements of the Security Standards. To assist organizations in their continuing compliance efforts with both the Privacy and Security Standards, the following chart lists each standard that is required to be implemented under the Security Standards. The chart includes the implementation specifications for each standard and whether the particular implementation specification is required or addressable under the Security Standards.

Security Safeguards
1. Security Management Process §164.308(a)(1)
     Prevent, detect, contain, and correct security violations
Risk Analysis: conduct an accurate and thorough assessment of the potential risks and vulnerabilities Required
Risk Management: implement security measures sufficient to reduce risks and vulnerabilities Required
Sanction Policy: apply appropriate sanctions against workforce members who fail to comply Required
Information System Activity Review: regularly review records of information system activity (e.g., audit logs, access reports, security incident tracking reports) Required

2. Assigned Security Responsibility §164.308(a)(2)
Assigned Security Responsibility: Identify a security official who is responsible for the development and implementation of policies and procedures (may be same individual as privacy officer) Required

3. Workforce Security §164.308(a)(3)
      Ensure all workforce members have appropriate access to electronic PHI; prevent workforce members who do not have authorization from obtaining access
Authorization and/or Supervision: implement procedures for the authorization and/or supervision of workforce members who work with electronic PHI Addressable
Workforce Clearance Procedure: determine the appropriateness of access of a workforce member to electronic PHI Addressable
Termination Procedures: implement procedures to terminate access to electronic PHI when employment or clearance ends Addressable

4. Information Access Management §164.308(a)(4)
      Policies and procedures for authorizing access to electronic PHI that are consistent with the Privacy Standards
Isolating Health Care Clearinghouse Function: if a health care clearinghouse is part of a larger organization, implement procedures to protect the clearinghouse’s electronic PHI from unauthorized access by the larger organization Required
Access Authorization: policies and procedures for granting access to electronic PHI (e.g., access to a workstation, transaction, program, process or other mechanism) Addressable
Access Establishment and Modification: establish, document, review and modify a user’s right of access Addressable

5. Security Awareness and Training §164.308(a)(5)
      Implement security awareness and training for all workforce members, including management
Security Reminders: periodic security updates Addressable
Protection from Malicious Software: procedures to guard against, detect, and report malicious software Addressable
Log-in Monitoring: procedures to monitor log-in attempts and report discrepancies Addressable
Password Management: procedures to create, change, and safeguard passwords Addressable

6. Security Incident Procedures §164.308(a)(6)
      Address security incidents
Response and Reporting: identify and respond to suspected or known security incidents; mitigate harmful effects; document security incidents and outcomes Required

7. Contingency Plan §164.308(a)(7)
      Procedures for responding to an emergency or other occurrence that damages systems
Data Backup Plan: create and maintain retrievable exact copies of electronic PHI Required
Disaster Recovery Plan: restore any loss of data Required
Emergency Mode Operation Plan: enable continuation of critical business processes for protection of the security of electronic PHI while operating in emergency mode Required
Testing and Revision Procedure: periodic testing and revision of contingency plan Addressable
Applications and Data Criticality Analysis: assess relative criticality of specific applications and data in support of other contingency plan components Addressable

8. Evaluation §164.308(a)(8)
Evaluation: periodic technical and non-technical evaluation to establish the extent to which the entity’s security policies and procedures meet these standards Required

9. Business Associate Contracts and Other Arrangements §164.308(b)(1)
      To permit a business associate to create, receive, maintain, or transmit electronic PHI on covered entity’s behalf
Written Contract or Other Arrangements: Document satisfactory assurances through a written contract Required

Physical Safeguards
10. Facility Access Controls §164.310(a)(1)
      Limit physical access to electronic PHI systems and the facility
Contingency Operations: allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency Addressable
Facility Security Plan: safeguard the facility and equipment therein from unauthorized physical access, tampering and theft Addressable
Access Control and Validation Procedures: control and validate a person’s access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision Addressable
Maintenance Records: document repairs and modifications to the physical components of a facility which are related to security (e.g., hardware, walls, doors and locks) Addressable

11. Workstation Use §164.310(b)
Workstation Use: specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or classes of workstations that can access electronic PHI Required

12. Workstation Security §164.310(c)
Workstation Security: physical safeguards for all workstations that access electronic PHI to restrict access to authorized users Required

13. Device and Media Controls §164.310(d)(1)
      Policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic PHI into and out of a facility, and their movement within the facility
Disposal: address the final disposition of electronic PHI and/or hardware or electronic media on which it is stored Required
Media Re-use: removal of electronic PHI from electronic media before the media are made available for re-use Required
Accountability: maintain a record of the movements of hardware and electronic media and of any person responsible for them Addressable
Data Backup and Storage: create a retrievable, exact copy of electronic PHI before movement of equipment Addressable

Technical Safeguards
14. Access Control §164.312(a)(1)
      Policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights
Unique User Identification: assign a unique name and/or number for identifying and tracking user identity Required
Emergency Access Procedure: obtaining necessary electronic PHI during an emergency Required
Automatic Logoff: electronic procedures that terminate an electronic session after a predetermined time of inactivity Addressable
Encryption and Decryption: mechanism to encrypt and decrypt electronic PHI Addressable

15. Audit Controls §164.312(b)
Audit Controls: implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI Required

16. Integrity §164.312(c)(1)
      Policies and procedures to protect electronic PHI from improper alteration or destruction
Mechanism to Authenticate Electronic PHI: implement electronic mechanisms to corroborate that electronic PHI has not been altered or destroyed in an unauthorized manner Addressable

17. Person or Entity Authentication §164.312(d)
Person or Entity Authentication: implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed Required

18. Transmission Security §164.312(d)
      Technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network
Integrity Controls: implement security measures to ensure that electronically transmitted electronic PHI is not improperly modified without detection until disposed of Addressable
Encryption: implement a mechanism to encrypt electronic PHI whenever deemed appropriate Addressable

Organizational Requirements
19. Business Associate contracts or other arrangements §164.314(a)
Business Associate contracts: include assertions that business associate will:

• Implement safeguards
• Ensure agents (including subcontractors) implement safeguards
• Report any security incident of which it becomes aware to the covered entity
• Authorize termination by covered entity if covered entity determines business associate has
  violated a material term
Required for all business associates

20. Requirements for group health plans §164.314(a)
Amend plan documents: require the plan sponsor to:

• Implement safeguards
• Ensure adequate separation is supported by reasonable and appropriate security measures
• Ensure any agent (including subcontractor) implements safeguards
• Report to group health plan any security incident of which it becomes aware
Required for all group health plans

Policies and Procedures and Documentation Requirements
21. Policies and Procedures §164.316(a)
Policies and Procedures: Reasonable and appropriate policies and procedures comply with security standards and implementation specifications Required

22. Documentation §164.316(b)
      Maintain the policies and procedures in written form (may be electronic), and maintain a written (may be electronic) record of any action, activity or assessment that must be documented
Time limit: retain documents for six (6) years from the date of its creation or the date when it last was in effect, whichever is later Required
Availability: make documentation available to persons responsible for implementing the procedures to which the documentation pertains Required
Updates: review documentation periodically and update when needed in response to environmental or operational changes affecting the security of electronic PHI Required