HIPAA Security - HHS


HIPAA Security Series Topics:
1. Security 101 for Covered Entities
2. Security Standards - Administrative Safeguards
3. Security Standards - Physical Safeguards
4. Security Standards - Technical Safeguards
5. Security Standards - Organizational, Policies & Procedures, and Documentation Requirements
6. Basics of Risk Analysis & Risk Management
7. Implementation for the Small Provider

Security Series, Volume 2 / Paper 1, 11/2004: rev. 3/2007

1 Security 101 for Covered Entities

What is the Security Series?

The security series of papers will provide guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule titled “Security Standards for the Protection of Electronic Protected Health Information”, found at 45 CFR Part 160 and Part 164, Subparts A and C. This rule, commonly known as the Security Rule, was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The series will contain seven papers, each focused on a specific topic related to the Security Rule. The papers, which cover the topics listed above, are designed to give HIPAA covered entities insight into the Security Rule, and assistance with implementation of the security standards.

Compliance Deadlines: No later than April 20, 2005 for all covered entities except small health plans, which have until no later than April 20, 2006.

While there is no one approach that will guarantee successful implementation of all the security standards, this series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions. This first paper in the series provides an overview of the Security Rule and its intersection with the HIPAA Privacy Rule, the provisions of which are at 45 CFR Part 160 and Part 164, Subparts A and E.

Administrative Simplification

Congress passed the Administrative Simplification provisions of HIPAA, among other things, to protect the privacy and security of certain health information, and promote efficiency in the health care industry through the use of standardized electronic transactions.

The health care industry is working to meet these challenging goals through successful implementation of the Administrative Simplification provisions of HIPAA. The Department of Health and Human Services (HHS) has published rules implementing a number of provisions, including:
- Electronic Transactions and Code Sets *
- Privacy
- National Identifiers
- Security

Security Regulation: The final Security Rule can be viewed and downloaded from the CMS Website at: http://www.cms.hhs.gov/SecurityStandard/ under the “Regulation” page.

Privacy Rule – The deadline for compliance with privacy requirements that govern the use and disclosure of protected health information (PHI) was April 14, 2003, except for small health plans which had an April 14, 2004 deadline. (Protected health information, or “PHI”, is defined at 45 CFR § 160.103, which can be found on the OCR website at http://hhs.gov/ocr/hipaa.)

Electronic Transactions and Code Sets Rule – All covered entities should have been in compliance with the electronic transactions and code sets standard formats as of October 16, 2003.

* NOTE: The original deadline for compliance with the transactions and code sets standards was October 16, 2002 for all covered entities except small health plans, which had until October 16, 2003 to comply. The Administrative Simplification Compliance Act provided a one-year extension to covered entities that were not small health plans, if they timely submitted compliance plans to HHS.

National identifier requirements for employers, providers, and health plans - The Employer Identification Number (EIN), issued by the Internal Revenue Service (IRS), was selected as the identifier for employers. Covered entities must use this identifier effective July 30, 2004 (except for small health plans, which have until August 1, 2005). The National Provider Identifier (NPI) was adopted as the standard unique health identifier for health care providers. The Final Rule becomes effective May 23, 2005. Providers may apply for NPIs on or after that date. The NPI compliance date for all covered entities, except small health plans, is May 23, 2007; the compliance date for small health plans is May 23, 2008. The health plan identifier rule is expected in the coming years.

Security Rule - All covered entities must be in compliance with the Security Rule no later than April 20, 2005, except small health plans which must comply no later than April 20, 2006. The provisions of the Security Rule apply to electronic protected health information (EPHI).

Who must comply?

NOTE: The definition of covered entities provided here summarizes the actual definitions found in the regulations. For the definitions of the three types of covered entities, see 45 C.F.R. § 160.103 which can be found at: www.hhs.gov/ocr/hipaa

All HIPAA covered entities must comply with the Security Rule. In general, the standards, requirements, and implementation specifications of HIPAA apply to the following covered entities:
- Covered Health Care Providers - Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
- Health Plans - Any individual or group plan that provides or pays the cost of health care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
- Health Care Clearinghouses - A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice-versa.
- Medicare Prescription Drug Card Sponsors – A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act. This fourth category of “covered entity” will remain in effect until the drug card program ends in 2006.

For more information on who is a covered entity under HIPAA, visit the Office for Civil Rights (OCR) website at www.hhs.gov/ocr/hipaa or the CMS website at www.cms.hhs.gov under “Regulations and Guidance”. An online tool to determine whether an organization is a covered entity is available on the CMS website, along with a number of frequently asked questions (FAQs).

HIPAA SECURITY STANDARDS

Security Standards: General Rules

Administrative Safeguards:
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements

Physical Safeguards:
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls

Technical Safeguards:
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security

Organizational Requirements:
- Business Associate Contracts & Other Arrangements
- Requirements for Group Health Plans

Policies & Procedures & Documentation Requirements

HIPAA SECURITY

Why Security?

Confidentiality: EPHI is accessible only by authorized people and processes.
Integrity: EPHI is not altered or destroyed in an unauthorized manner.
Availability: EPHI can be accessed as needed by an authorized person.

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of computers to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions. For example, in order to provide more efficient access to critical health information, covered entities are using web-based applications and other “portals” that give physicians, nurses, medical staff as well as administrative employees more access to electronic health information. Providers are also using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies creates an increase in potential security risks.

NOTE: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as covered entities’ organizations and technologies change.

As the country moves towards its goal of a National Health Information Infrastructure (NHII), and greater use of electronic health records, protecting the confidentiality, integrity, and availability of EPHI becomes even more critical. The security standards in HIPAA were developed for two primary purposes. First, and foremost, the implementation of appropriate security safeguards protects certain electronic health care information that may be at risk. Second, protecting an individual’s health information, while permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry – an important goal of HIPAA.

The Privacy Rule and Security Rule Compared

The Privacy Rule sets the standards for, among other things, who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to EPHI will actually have access. With the passing of both the privacy and the electronic transactions and code set standards compliance deadlines, many covered entities are focusing on the security requirements. In developing the Security Rule, HHS chose to closely reflect the requirements of the final Privacy Rule. The Privacy Rule requires covered entities to have in place appropriate administrative, physical, and technical safeguards and to implement those safeguards reasonably. As a result, covered entities that have implemented the Privacy Rule requirements in their organizations may find that they have already taken some of the measures necessary to comply with the Security Rule. The primary distinctions between the two rules follow:

NOTE: The Security Rule applies only to EPHI, while the Privacy Rule applies to PHI which may be in electronic, oral, and paper form.

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

“Safeguard” requirement in Privacy Rule: The Privacy Rule contains provisions at 45 CFR § 164.530(c) that currently require covered entities to adopt certain safeguards for PHI. While compliance with the Security Rule is not required until 2005 for most entities (2006 for small health plans), the actions covered entities took to implement the Privacy Rule may already address some Security requirements. Specifically, 45 CFR § 164.530(c) of the Privacy Rule states:

(c)(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
(2) Implementation specification: safeguards.
(i) A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

NOTE: OCR within HHS oversees and enforces the Privacy Rule, while CMS oversees and enforces all other Administrative Simplification requirements, including the Security Rule.

The Security Rule provides for far more comprehensive security requirements than 45 CFR § 164.530(c) of the Privacy Rule and includes a level of detail not provided in that section. As covered entities begin security compliance planning initiatives, they should consider conducting an assessment of the initiatives implemented for privacy compliance.

NOTE: State laws that are contrary to the Privacy Rule and Security Rule are preempted by the Federal requirements, unless a specific exception applies. For more information, see 45 C.F.R. Part 160, Subpart B.

Implementation Specifications

An “implementation specification” is an additional detailed instruction for implementing a particular standard. Each set of safeguards is comprised of a number of standards, which, in turn, are generally comprised of a number of implementation specifications that are either required or addressable. If an implementation specification is required, the covered entity must implement policies and/or procedures that meet what the implementation specification requires. If an implementation specification is addressable, then the covered entity must assess whether it is a reasonable and appropriate safeguard in the entity’s environment. This involves analyzing the specification in reference to the likelihood of protecting the entity’s EPHI from reasonably anticipated threats and hazards. If the covered entity chooses not to implement an addressable specification based on its assessment, it must document the reason and, if reasonable and appropriate, implement an equivalent alternative measure. See C.F.R. § 164.306(d)(ii)(B)(2) for more information.

NOTE: Implementation specifications in the Security Rule are either “Required” or “Addressable”. See 45 C.F.R. § 164.306(d).

For each of the addressable implementation specifications, a covered entity must do one of the following:
- Implement the specification if reasonable and appropriate; or
- If implementing the specification is not reasonable and appropriate –
  - Document the rationale supporting the decision and
  - Implement an equivalent measure that is reasonable and appropriate and that would accomplish the same purpose or
  - Not implement the addressable implementation specification or an equivalent alternative measure, if the standard could still be met and implementing the specification or an alternative would not be reasonable or appropriate.

NOTE: Addressable does not mean optional.

If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must consider options for implementing it. The decision regarding which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including:
- The entity’s risk analysis – What current circumstances leave the entity open to unauthorized access and disclosure of EPHI?
- The entity’s security analysis - What security measures are already in place or could reasonably be put into place?
- The entity’s financial analysis - How much will implementation cost?

NOTE: For more information about Risk Analysis, see paper 6 in this series, “Basics of Risk Analysis and Risk Management.”

Overview of the Process

The table of required and addressable implementation specifications included in this paper outlines the standards and implementation specifications in the Security Rule. In order to comply with the Security Rule, all covered entities should use the same basic approach. The process should, at a minimum, require covered entities to:
- Assess current security, risks, and gaps.
- Develop an implementation plan.
  - Read the Security Rule. A covered entity should review all the standards and implementation specifications. The matrix at the end of the Security Rule is an excellent resource when developing an implementation plan, and is included at the end of this paper.
  - Review the addressable implementation specifications. For each addressable implementation specification, a covered entity must determine if the implementation specification is reasonable and appropriate in its environment. A covered entity needs to consider a number of factors in making the decisions for each addressable implementation specification.
  - Determine security measures. A covered entity may use any security measures that allow it to reasonably and appropriately implement the standards and implementation specifications. (See 45 CFR § 164.306(b), Flexibility of approach)
- Implement solutions. A covered entity must implement security measures and solutions that are reasonable and appropriate for the organization.
- Document decisions. A covered entity must document its analysis, decisions and the rationale for its decisions.
- Reassess periodically. A covered entity must periodically review and update its security measures and documentation in response to environmental and operational changes that affect security of its EPHI.

NOTE: The Security Rule requires that a covered entity document the rationale for many of its security decisions.

Flexible and scalable standards

The security requirements were designed to be technology neutral and scalable from the very largest of health plans to the very smallest of provider practices. Covered entities will find that compliance with the Security Rule will require an evaluation of what security measures are currently in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of complex factors unique to each organization.

From 45 CFR § 164.306(b): Factors that must be considered
- The size, complexity and capabilities of the covered entity.
- The covered entity’s technical infrastructure, hardware, and software security capabilities.
- The costs of security measures.
- The probability and criticality of potential risks to EPHI.

HHS recognizes that each covered entity is unique and varies in size and resources, and that there is no totally secure system. Therefore, the security standards were designed to provide guidelines to all types of covered entities, while affording them flexibility regarding how to implement the standards. Covered entities may use appropriate security measures that enable them to reasonably implement a standard. In deciding which security measures to use, a covered entity should take into account its size, capabilities, the costs of the specific security measures and the operational impact.

For example, covered entities will be expected to balance the risks of inappropriate use or disclosure of EPHI against the impact of various protective measures. This means that smaller and less sophisticated practices may not be able to implement security in the same manner and at the same cost as large, complex entities. However, cost alone is not an acceptable reason to not implement a procedure or measure.

Technology Neutral Standards

NOTE: The security standards do not dictate or specify the use of specific technologies.

Over the last few years, the emergence of new technologies has driven many health care initiatives. With technology improvements and rapid growth in the health care industry, the need for flexible, technology neutral standards is critical to successful implementation. When the final Security Rule was published, the security standards were designed to be “technology neutral” to accommodate changes. The rule does not prescribe the use of specific technologies, so that the health care community will not
