Free Shipping to 48 States - Call us Toll Free 1-866-867-0306
What are the HIPAA rules?
HIPAA Compliance Regulation
There are many rules in the HIPAA regulations that must be understood and complied with by nearly every healthcare provider in the US. Each HIPAA regulation contains certain amendments that are either required or addressable to the relevant entity that falls under each particular category. It is important to note that every HIPAA regulation contains strong requirements regarding disaster recovery and continuity planning that must be addressed with the appropriate due diligence and measure to ensure protection from fire and other natural hazards.
The punishments and fines for noncompliance of any individual HIPAA regulation are very clear cut - the information we have assembled is intended to be used solely as a guide to help ensure that your organization has taken the correct measures for HIPAA regulation requirements.
For more information on HIPAA regulation contact our experts today at 1-866-867-0306.
REGULATIONS RELEASED- AT LAST HEALTH CARE ADVISORY
On February 20, 2003, the Department of Health and Human Services (HHS) published the Final Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Final Security Rule or Rule).1 It was in August of 1998 that HHS first published proposed regulations to implement information security requirements under the Administrative Simplification provisions of HIPAA (Proposed Security Rule). This Final Security Rule covers the administrative, technical and physical security measures that covered entities are required to take with regard to electronic storage and transmission of Protected Health Information (PHI). Because many of the security standards work in concert with the already finalized HIPAA Privacy Rule (Privacy Rule) that takes effect for most covered entities on April 14, 2003, health care providers have anxiously awaited the final version of these Rules.2
The Final Security Rule provides general principles and an implementation process, rather than detailed mandates or prescribed technologies. The Final Security Rule also allows covered entities to evaluate and determine how to apply many of the security standards based on the facts of each covered entity's situation. The intent of the Rule is best summarized in the preamble where HHS stated, "we have focused more on what needs to be done and less on how it should be accomplished."3 Most covered entities have until April 21, 2005, to comply with the Final SecurityRule.4
This advisory provides an overview of the Final Security Rule, details the types of transactions covered, specifies who must comply, and describes the administrative, physical and technical safeguards suggested to meet the security requirements. It also details a nine-point action plan for entities that must comply with the Final Security Rule by April 21, 2005, provides the security standard matrix from the Rule, and discusses how the issuance of this Rule will affect compliance with the HIPAA Privacy Rule, which goes into effect in just over a month-on April 14, 2003.
OVERVIEW OF THE FINAL SECURITY RULE
The Final Security Rule establishes guidelines for the minimum requirements to ensure confidentiality, security and integrity of electronically stored and transmitted health information. The Privacy Rule requires covered entities to implement "appropriate administrative, technical and physical safeguards" for PHI in all forms, including electronic and non-electronic. Covered entities have been waiting for the Final Security Rule to provide guidance on the meaning of the Privacy Rule's "appropriate safeguards," which are required under the Privacy Rule to be in place on April 14, 2003.5 The Final Security Rule does not provide specific instruction on how covered entities should safeguard PHI in oral, written or non-electronic form. However, it does provide a process of evaluation that covered entities could use to determine what would constitute "appropriate safeguards" under the Privacy Rule.
As noted, the overriding theme of the Final Security Rule is flexibility. The drafters stated that they wrote "the final rule to frame the standards in terms that are as generic as possible, and which, generally speaking, may be met through various approaches or technology."6 The preamble states that each facility must analyze its own situation and work within the constraints of its situation and resources.
WHAT INFORMATION IS SUBJECT TO THE FINAL SECURITY RULE?
The Final Security Rule requires covered entities to safeguard and protect protected health information (PHI) maintained or transmitted in electronic form.7 Additionally, as part of the Final Security Rule, HHS updated the definition of PHI to clarify that PHI includes information that is transmitted by electronic media, maintained in electronic media or maintained in any other form or medium. The term "electronic media" is defined as: (1) electronic storage media including computer hard drives and any removable/transportable digital memory medium such as magnetic tape or disk, or digital memory card; (2) transmission media used to exchange information already in electronic storage media, for example extranet, leased lines, dial-up lines, private networks; and (3) the physical movement of removable/transportable electronic storage media.8 Further, the Final Security Rule clarifies that certain transmissions such as paper-to-paper faxes, person-to-person telephone calls, video teleconferencing and/or messages left on voice-mail are not "electronic media" and, accordingly, are not subject to the safeguards required under the Final Security Rule.9 Because HHS moved the definitions of electronic media and PHI to the general definition section in the HIPAA regulations, these definitions apply to all of the HIPAA Administrative Simplification regulations - i.e., security, transactions and code sets, and privacy regulations.
WHO MUST COMPLY WITH THE FINAL RULE?
The Final Security Rule provisions apply to three categories of entities. These three categories are the same as those under the Privacy Rule. Therefore, if an entity is a covered entity under the Privacy Rule, it is a covered entity under the Final Security Rule. The three categories of covered entities under the Final Security Rule are:
ARE BUSNESS ASSOCIATESSUBJECT TO THE FINAL RULE?
The Final Security Rule also mandates that covered entities must pass on information security requirements to their business associates.11 The good news is that the proposed requirement that there be so-called "trading partner agreements" with business partners who have access to electronic access to health information was not retained in the Final Security Rule. Instead, the Rule attempts to synchronize with the Privacy Rule by requiring that all business associate agreements provide that the business associate will: (1) implement administrative, physical and technical safeguards to protect electronic PHI it creates, receives, maintains or transmits on behalf of the covered entity; (2) ensure that any agent or subcontractor to whom it provides the covered entity's electronic PHI agrees to implement safeguards to protect the PHI; (3) report to the covered entity any security incidents of which it becomes aware; and (4) authorize termination of the agreement by the covered entity, if the covered entity determines that the business associate has violated material terms of the agreement.12 As with the Privacy Rule, a covered entity generally will not be responsible for security breaches by its business associates unless it has knowledge of a breach and fails to take corrective action. These provisions reflect many of the business associate requirements under the Privacy Rule and likely will not necessitate major changes to existing business associate agreements. Nonetheless, as the April 2005 compliance date for the Final Security Rule approaches, covered entities should review their business associate agreements to ensure that they contain all of the required elements.
HOW IS THE FINAL SECURITY RULE STRUCTURED?
The Final Security Rule requirements are called "standards." Each "standard" offers a generalized security requirement13 and is followed by an "implementation specification." The "implementation specifications" identify what the covered entity must do to meet a standard14 and each one is either a "required specification" (R) or an "addressable specification" (A). The Final Security Rule contains both required and addressable implementation specifications and a security standards matrix (attached as an Appendix to this advisory) that designates the specifications with either an "R" or an "A." A "required specification" must be implemented as stated in the regulation. For example, back-up data plans and disaster recovery plans are required specifications to the contingency plan "standard."15 For an "addressable specification" the covered entity is given more options. It must decide whether it will do one of the following: (1) address the specification directly; (2) implement an alternative that covers the same general concept identified in the standard; (3) do a combination of both; or (4) do nothing. The decision made by the covered entity must be based upon a security risk assessment and if the covered entity chooses to use an alternative solution, or decides to do nothing, the basis for that decision must be documented in writing.16 Included in the documentation should be the covered entity's decision, the rationale behind the decision and an explanation of how the standard is being met. Cost can be used as a factor in these decisions, but the preamble to the Rule notes that adequate security measures still must be implemented, stating "[T]here is a clear requirement that adequate security measures be implemented . . . . Cost is not meant to free covered entities from this responsibility."17
WHAT ARE THE PRIMARY COMPLIANCE OBLIGATIONS OF A COVERED ENTITY?
Final Security Rule specifies that covered entities must meet four general
These requirements must be met by applying the standards found in the Final Security Rule.19 The security rule standards are grouped under three headings: administrative safeguards, physical safeguards and technical safeguards. The preamble explains that: "The administrative, physical, and technical safeguards a Covered Entity employs must be reasonable and appropriate to accomplish the tasks outlined in paragraphs (1) through (4) above."20 The covered entity will know what measures are reasonable and appropriate by engaging in a risk analysis and then implementing measures to handle the risks identified. Essentially, the covered entity must engage in a risk analysis to determine how to comply with the Security Standards. Compliance with the standards will be determined based on the effectiveness and feasibility of the measures in ensuring the confidentiality, integrity and availability of PHI.
The administrative safeguards are actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI and to manage the conduct of the covered entity's workforce in relation to the protection of the information.21 Specifically, the administrative safeguards must address the following areas:
1. Security Management Process: Implement policies and procedures to prevent, detect, contain and correct security violations. There are four enumerated implementation specifications, all of which are required. These include: (a) a risk analysis to detect the potential risks and vulnerabilities; (b) risk management to implement security measures to reduce risks and vulnerabilities; (c) a sanction policy to apply appropriate sanctions against workforce members who fail to comply with the policies; and (d) information system activity review to review records of information system activity, such as audit logs, access reports and security incident tracking reports.22
2. Assigning Security Responsibility: Identify a security official to develop and implement policies and procedures.23
3. Workforce Security: Develop policies and procedures to ensure appropriate workforce access to electronic PHI and to prevent unauthorized access by those who should not have access to the information.24
4. Information Access Management: Implement policies and procedures for authorizing access to electronic PHI. This includes isolating health care clearinghouse functions if they are part of a larger organization.25
5. Security Awareness and Training: Implement a security awareness and training program for all members of the workforce (including management). The amount of training is to be determined by the facility.26
6. Security Incident Procedures: Implement policies and procedures to address security incidents. This includes identifying and responding to suspected and known security incidents.27
7. Contingency Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems containing electronic PHI. This requires developing and implementing a backup data plan, a disaster recovery plan and an emergency mode operation plan.28
8. Evaluation: Perform a periodic technical and nontechnical evaluation, based initially on the standards, to see the extent to which the entity's security policies and procedures meet the requirements of this section. The covered entity may make a business decision to obtain external certification, but is not required to do so to comply with the standard.29
The purpose of these standards is to protect a covered entity's computer systems and related buildings and equipment from fire and other natural hazards, as well as unauthorized intrusion.
Each covered entity is required to address the following physical safeguard standards that concern the physical protection of data systems and data from intrusion and from environmental or natural hazards.30
The physical safeguard standards are as follows:
1. Facility Access Controls: Implement policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. These controls would include the following implementation features: disaster recovery, emergency mode operation, need-to-know procedures for personnel access and sign-in requirements for visitors.31
2. Workstation Use: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI. For example, logging off before leaving a workstation unattended.32
3. Workstation Security: Implement physical safeguards for all workstations that access electronic PHI, to restrict access to authorized users. A risk assessment will need to be performed to gauge the appropriate solutions to workstation security issues.33
4. Device and Media Controls: Implement polices and procedures that govern the receipt and removal of hardware and electronic media that contain electronic PHI into and out of a facility and the movement of these items within the facility. 34
purpose of these standards is to protect a covered entity's computer systems
and related buildings and equipment from fire and other natural hazards,
as well as unauthorized intrusion.
The technical safeguard standards address the technology and the policies and procedures for its use that protect electronic PHI and control access to it.35 The following are included in the technical safeguards:
1. Access Control: Implement technical policies and procedures for electronic information systems (computers) that maintain electronic PHI to allow access only to those persons or software programs that have been granted access as specified by the security safeguards. This standard requires the assignment of a unique name and/or number for identifying and tracking user identity, and establishing procedures for obtaining necessary electronic PHI during an emergency. Some facilities may wish to use encryption as a method of denying access to information in a file.36
2. Audit Controls: Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. These are to be put in place to record and examine system activity. Entities have flexibility in implementing the standard in a manner appropriate to their own needs.37
3. Integrity: Implement policies and procedures to protect electronic PHI from improper alteration or destruction. Error-correcting memory and magnetic disc storage are examples of the built-in data authentication mechanism that are commonplace in hardware and operating systems today.38
4. Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed. For example, digital signatures and soft tokens may be used to implement this standard.39
5. Transmission Security: Implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network. Integrity controls and encryption are recommended to achieve this standard.40 It is interesting to note, however, that encryption is an addressable specification and, therefore, is not specifically required to be implemented.
Documentation and Policy and Procedure Requirements
The Final Security Rule requires covered entities to implement and maintain written policies and procedures to comply with the Final Security Rule. The same is true for any actions, activities or assessments required to be documented, such as the risk assessment analysis. Covered entities must maintain this documentation for six years from the later of the date of its creation or the date when it last was in effect.41
HYBRID AND AFFILIATED ENTITY REQUIREMENTS
The Final Security Rule moves the provisions relating to affiliated covered entities and hybrid entities from the Privacy Rule to the general Administrative Simplification provisions and makes them applicable to both the Final Security Rule and the Privacy Rule. What this means is that the responsibilities of affiliated covered entities and hybrid entities for the maintenance of electronic PHI under the Security Rules can be implemented in the same manner as their responsibilities with respect to use and disclosure of PHI under the Privacy Rule.42
Sanctions for Noncompliance
Under the HIPAA statute, violations of the Final Security Rule can result in penalties of up to $100 per person per violation, up to a maximum of $25,000 for violations of a single standard during a calendar year.43 HIPAA statutory provisions also provide for criminal penalties for the knowing misuse of health identifiers or obtaining or misusing PHI of: (a) up to $50,000 and one year in prison for knowing violations; (b) up to $100,000 and up to five years in prison if the offense is committed under false pretenses; and (c) up to $250,000 and 10 years in prison if the offense is committed with "intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm."44
No Safe Harbors
Not surprisingly, the Final Security Rule does not offer any safe harbor provisions. Therefore, it appears that the security measures adopted and utilized by covered entities will be judged after the fact, which will make the documentation and risk analysis process all the more important.
Although not addressing the issue to any great degree, the preamble to the Final Security Rule notes that de-identified information is not covered by the Rule because it is no longer electronic PHI. However, any electronic PHI that is not de-identified must be used and secured in compliance with the Final Security Rule.45
AN ACTION PLAN FOR COVERED ENTITIES
Although April 21, 2005 is more than two years away, there are steps that should be taken now to ensure that your covered entity will be ready to comply with the Final Security Rule when compliance is required. Also, the general requirement under the Privacy Rule to implement "appropriate safeguards" for PHI takes effect on April 14, 2003. As a start, covered entities should begin to undertake the following nine-step action plan.
1. Continue all measures necessary to be in compliance with the HIPAA Privacy Rule by the April 14, 2003 deadline.
The Final Security Rule does not extend the Privacy Rule compliance deadline of April 14, 2003. In terms of information security, the Privacy Rule requires that appropriate safeguards for PHI be in place by that date. At a minimum, these safeguards should include locking rooms and file cabinets where PHI is located, providing password protection for electronic files, and implementing policies on computer workstation use and the transmission of PHI by electronic means such as e-mail.
2. Assemble an "information security team" and learn the security rules.
Covered entities should assemble an internal "information security team" and create a compliance agenda. The team should include members of a variety of hospital departments including the technology, information systems management, human resources, benefits, accounting, compliance and legal groups. The team should select an information security officer.
3. Identify all electronic PHI maintained or transmitted by the covered entity.
The Final Security Rule applies to all electronic PHI, but not to written or oral forms of PHI. Therefore, covered entities should undertake a PHI mapping process to assess their use and transmission of electronic PHI in order to determine the information and data media that will fall under the requirements.
4. Establish information access controls.
Covered entities should begin to draft written policies and procedures for electronic PHI access and controls. Among the procedures to be considered are implementation of unique log-in names, password protection of electronic files and means of tracking security incidents. In addition, covered entities should draft sanctions procedures for employees who violate the entity's security policies, as well as personnel termination procedures to eliminate access to electronic PHI by former employees. For example, a checklist could be developed for employee termination that includes items such as changing locks, removing the employee's passwords or other access to such information, removing user accounts and turning in keys or cards that allow access.
5. Develop mechanisms to protect electronic PHI from improper use or destruction.
Covered entities should begin implementing security mechanisms to verify that electronic PHI has not been altered or destroyed while being transmitted to or from the covered entity and implementing technical security measures to guard against unauthorized access to electronic PHI transmitted by the covered entity over an electronic communications network such as the Internet.
6. Conduct risk analysis and implement risk management measures.
The HIPAA security team should conduct a risk assessment identifying the potential risks of improper disclosure and vulnerability of electronic PHI maintained or transmitted in the covered entity's database. This risk assessment should identify potential risks to the confidentiality of electronic PHI stored and transmitted by the covered entity or its business associates such as unauthorized access by former employees, hackers and the potentially devastating effects of computer viruses and worms. Covered entities must document their findings. After the security team conducts the assessment, it should develop and put in place a risk management program designed with sufficient measures to reduce the security risks and vulnerabilities identified in the risk assessment. It also should begin developing a contingency plan for responding to emergencies. This plan should list processes to create file backups, include a criticality analysis of what information is necessary to administer the covered entity, include a disaster recovery plan, and an emergency mode of operations plan, as well as testing and revision procedures.
7. Begin security awareness and training.
Similar to the Privacy Rule, the Final Security Rule requires each covered entity to train its workforce. Specifically, all employees with access to PHI, including management or supervisory employees need to be trained on security provisions and the protection of electronic PHI. The training should involve awareness training, periodic security reminders, user education concerning virus protection or malicious software such as viruses and worms, emphasis on the importance of monitoring login success and failure and user education regarding passwords. The preamble to the Final Security Rule states that this training could be provided as part of the new employee orientation with supplemental training as necessary, such as when new technologies are introduced or when changes are made to the security policy.
8. Refer to NIST for risk assessment.
On several occasions, HHS makes reference to guides published by the National Institute of Standards and Technology (NIST), as an aid in risk assessment and in the security management process. The NIST "800 Series" publications are important as practical guides that expand upon explanations by HHS of steps to follow and criteria to use, in assessing risk and managing security implementation. 46 The guides also will be important references in enforcement of the security rules and in other litigation over security issues; therefore, a covered entity should consider consulting these guides as it works to address and implement the Final Security Rule.
9. Ensure that business associate agreements include the Final Security Rule provisions.
The Final Security Rule necessitates that business associate agreements include language protecting electronic PHI. As the security compliance date approaches, each covered entity should evaluate its business associate agreements to ensure that the language is broad enough to comply with both the Privacy and Final Security Rule provisions.
The Final Security Rule has been published and most covered entities have until April 21, 2005 to comply with the Rule. Just as important, however, covered entities should use the Final Security Rule as a guide to help implement compliance with the security provisions found in the HIPAA Privacy Rule with which they must be in compliance by April 14, 2003. The risk assessment and self-analysis provisions of the Final Security Rule can be used by covered entities in implementing the general security provisions contained in the Privacy Rule. Although the compliance date for the Final Security Rule may appear to be far off, covered entities should start working toward compliance now by setting up a security team and engaging in a thorough risk analysis to evaluate each of the security standards as applied to their entity. This analysis and the resulting decisions should be documented and appropriate protections should be implemented. April 21, 2005 will be here before we know it.
A to Subpart C of Part 164
Administrative Safeguards (see § 164.308)
Security Management Process 164.308(a)(1)
Security Responsibility 164.308(a)(2)
Access Management 164.308(a)(4)
Awareness and Training 164.308(a)(5)
Incident Procedures 164.308(a)(6)
Associate Contracts and Other Arrangements 164.308(b)(1)
Physical Safeguards (see § 164.310)
Access Control 164.310(a)(1)
and Media Controls 164.310(d)(1)
Technical Safeguards (see § 164.312)
or Entity Authentication 164.312(c)(1)
Security 164.312(d) 164.312(e)(1)
This Health Care Advisory is published by Alston & Bird to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered advertising under the applicable court rules. This advisory may be reprinted without the express permission of Alston & Bird so long as it is reprinted in its entirety including the Alston & Bird name and logo. If you have any questions or would like additional information, and/or if you would like to receive this information via e-mail, please contact your Alston & Bird attorney or the following:
ALSTON + BIRD LLP
If you would like to receive future Health Care Advisories electronically, please forward your contact information including e-mail address to firstname.lastname@example.org Be sure to put subscribe in the subject line.
1 68 Fed. Reg. 8333 (Feb. 20, 2003).
Free Shipping to 48 States - Call us Toll Free 1-866-867-0306
Disclaimer | Shipping
& Freight Information | Site Map
Fire Safe |Fireproof Safe | Fireproof Media Safe | Schwab Fire FIles | Medical Office Filing Cabinets | Fireproof Data Safe| Fireproof Waterproof Filing
Vault Doors | Custom Built Safes | Schwab Safes| Fireproof File Cabinets | Office Furniture Indiana| Fire Proof File Cabinet