Difference between revisions of "LII:HIPAA Compliance - LII 007 06. Security"

From LIMSWiki

__NOTOC__
In the [[Health Insurance Portability and Accountability Act|Health Insurance Portability and Accountability Act of 1996]] and its subsequent amendments, collectively known as "HIPAA", both the Privacy Rule and Security Rule were established. There is considerable overlap between the two, and many of the provisions relevant to covered entities (CEs) have been covered in Lessons 1-5 of this course. However, it is worth examining the Security Rule separately, especially inasmuch as it specifically addresses electronic [[information]] and related security measures.

==About the Security Rule==
[[File:Understanding The HIPAA Security Rule.png|left|400px]]The Security Standards for the Protection of Electronic Protected Health Information (the '''Security Rule''') establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule "operationalizes" the protections contained in the Privacy Rule (discussed in Lessons 1-5) by addressing the technical and non-technical safeguards that CEs must put in place to secure individuals' "electronic protected health information" ('''e-PHI'''). A division of the [[United States Department of Health and Human Services]] (HHS), the Office for Civil Rights (OCR), has responsibility for ''enforcing'' the Privacy and Security Rules, using voluntary compliance measures and civil financial penalties.

It's interesting to note that prior to HIPAA, no generally accepted set of security standards or general requirements for protected health information (PHI) existed in the healthcare industry. Yet new technologies were evolving, and the healthcare industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information, and conduct a host of other administrative and clinically based functions. The need for those standards and security requirements became more apparent.<ref name="HIPAASecurity">{{cite web |url=http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html |title=Summary of the HIPAA Security Rule |publisher=U.S. Department of Health and Human Services |accessdate=14 June 2016}}</ref>

Today, providers are using clinical applications such as [[computerized physician order entry]] (CPOE) systems, [[electronic health record]]s (EHR) or [[electronic medical record]]s (EMR), as well as [[Radiology information system|radiology]], [[Pharmacy automation|pharmacy]], and [[laboratory information system]]s (LIS). Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.

A major goal of the Security Rule is to protect the privacy of individuals' health information while allowing CEs to adopt new technologies to improve the quality and efficiency of patient care. Given that the healthcare marketplace is diverse, the Security Rule is designed to be flexible and scalable so a CE can implement policies, procedures, and technologies that are appropriate for the entity's particular size, organizational structure, and risks to consumers' e-PHI.

This is a summary of key elements of the Security Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Privacy and Security Rules are obligated to comply with all of their applicable requirements and should not rely on this summary as a source of legal information or advice. Several portions of the Security Rule overlap with what we have covered in Lessons 1-5 concerning both privacy and security, in which cases information in this lesson serves to reinforce what you have already encountered. Visit the [http://www.hhs.gov/hipaa/for-professionals/security/index.html HHS Security Rule section] for links to the entire rule and for additional helpful information about how the rule applies. In the event of a conflict between this summary and the rule, the rule governs.

==Statutory and regulatory background==
It was the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) that required the Secretary of HHS to publish national standards for the security of e-PHI, electronic exchange, and the privacy and security of health information.

HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released it for public comment on August 12, 1998. The Department received approximately 2,350 public comments. The final regulation, the Security Rule, was published February 20, 2003. The Rule specifies a series of administrative, technical, and physical security procedures for CEs to use to assure the confidentiality, integrity, and availability of e-PHI.<ref name="HIPAASecurity" />

The text of the final regulation can be found at 45 CFR Part 160 and Part 164, Subparts A and C.<ref name="45CFR160">{{cite web |url=http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title45/45cfr160_main_02.tpl |title=45 CFR part 160 |publisher=U.S. Government Publishing Office |accessdate=14 June 2016}}</ref><ref name="45CFR164">{{cite web |url=http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl |title=45 CFR part 164 |publisher=U.S. Government Publishing Office |accessdate=14 June 2016}}</ref>

==Who is covered by the Security Rule==
The Security Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities," discussed in detail in Lessons 1-5).

===Business associates===
[[File:Consult faded edge cropped.png|right|400px]]The [[Health Information Technology for Economic and Clinical Health Act|Health Information Technology for Economic and Clinical Health Act of 2009]] (HITECH) expanded the responsibilities of business associates under the Privacy and Security Rules, as discussed in [[LII:HIPAA Compliance - LII 007 02. Who Needs to Comply?|Lesson 2]]. HHS is developing regulations to implement and clarify these changes.

==What information is protected==
The HIPAA Privacy Rule protects the privacy of individually identifiable health information (PHI), as explained in the Privacy Rule and in the earlier lessons of this course. The Security Rule protects a subset of the information covered by the Privacy Rule: all individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form. The Security Rule calls this information electronic protected health information (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.<ref name="HIPAASecurity" />

==General rules==
The Security Rule, at its foundation, requires CEs to maintain reasonable and appropriate '''<u>administrative</u>''', '''<u>technical</u>''', and '''<u>physical</u> safeguards''' for protecting e-PHI. Specifically, CEs must<ref name="HIPAASecurity" />:

# ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit
# identify and protect against reasonably anticipated threats to the security or integrity of the information
# protect against reasonably anticipated, impermissible uses or disclosures
# ensure compliance by their workforce

The Security Rule defines "confidentiality" to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the '''''two additional goals of maintaining the <u>integrity and availability</u> of e-PHI'''''. Under the Security Rule, "integrity" means that e-PHI is not altered or destroyed in an unauthorized manner. "Availability" means that e-PHI is accessible and usable on demand by an authorized person.<ref name="HIPAASecurity" />

HHS recognizes that CEs range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow CEs to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular CE will depend on the nature of its particular business, as well as its size and resources.

Therefore, when a CE is deciding which security measures to use, the Rule does not dictate those measures but requires it to consider<ref name="HIPAASecurity" />:

* its size, complexity, and capabilities
* its technical, hardware, and software infrastructure
* the costs of security measures
* the likelihood and possible impact of potential risks to e-PHI

CEs must also review and modify their security measures to continue protecting e-PHI in a changing environment.

==Risk analysis and management==
[[File:Risk Analysis.jpg|right|400px]]The Administrative Safeguards provisions in the Security Rule require CEs to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular CE, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.

A risk analysis process includes, but is not limited to, the following activities<ref name="HIPAASecurity" />:

# evaluating the likelihood and impact of potential risks to e-PHI
# implementing appropriate security measures to address the risks identified in the risk analysis
# documenting the chosen security measures and, where required, the rationale for adopting those measures
# maintaining continuous, reasonable, and appropriate security protections

Risk analysis should be an ongoing process, in which a CE regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of the security measures put in place, and regularly reevaluates potential risks to e-PHI.

==Administrative safeguards==
The first of the required areas of security concerns the safeguards implemented through administration of the CE. These take several forms<ref name="HIPAASecurity" />:

;security management process
: As explained in the previous section, a CE has to identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a "reasonable and appropriate level."
;security personnel
: A CE must designate a Security Official who is responsible for developing and implementing its security policies and procedures. This is similar to the Privacy Official discussed in [[LII:HIPAA Compliance - LII 007 05. Administration|Lesson 5]].
;information access management
: Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a CE to implement policies and procedures for authorizing access to e-PHI '''''only when such access is appropriate based on the user or recipient's role (role-based access)'''''.
;workforce training and management
: A CE must provide for appropriate authorization and supervision of workforce members who work with e-PHI. All of those workforce members must be trained regarding its HIPAA-compliant security policies and procedures, and the CE must have and apply appropriate sanctions against workforce members who violate those policies and procedures.
;evaluation
: A CE must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

==Physical safeguards==
The second required area of compliance with the Security Rule is the introduction and maintenance of physical safeguards for e-PHI. These include<ref name="HIPAASecurity" />:

;facility access and control
: A CE must limit physical access to its facilities, but also ensure that authorized access is allowed.
;workstation and device security
: A CE must implement policies and procedures to specify proper use of and access to <u>workstations and electronic media</u>. A CE also must have in place policies and procedures regarding the ''transfer, removal, disposal, and re-use of electronic media'', to ensure appropriate protection of e-PHI.

==Technical safeguards==
The third area of security designated by the Security Rule is the technical aspect. Technical safeguards fall under the following categories<ref name="HIPAASecurity" />:

;access control
: A CE is required to implement technical policies and procedures that allow only authorized persons to access e-PHI.
;audit controls
: A CE must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in any information systems that contain or use e-PHI.
;integrity controls
: A CE must implement policies and procedures, and electronic measures must be taken, to ensure that e-PHI is not improperly altered or destroyed.
;transmission security
: A CE must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network. There are standards that are approved and available, including [[HL7]].
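As an added illustration that is not part of the original lesson or of any HHS guidance, the Python below shows what three of the technical safeguard categories above (access control based on role, audit controls, and integrity controls) look like when written into an application that handles e-PHI. The roles, permissions, record contents, user names, and fixed integrity key are all assumptions constructed for the example; transmission security is not shown because it is a property of the network path (for example TLS), not of the application code.

```python
"""Added example, not from the LIMSWiki lesson: a minimal e-PHI record store
that enforces role-based access, writes an audit entry for every access
attempt, and detects unauthorized modification of stored records.
Roles, permissions, the record layout and the log format are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed role-to-permission mapping (information access management).
# Permissions attach to roles, not people, so each user sees only what the
# role needs ("minimum necessary"). it_support gets no e-PHI permission at all.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},
    "it_support": set(),
}

# Constructed key so the example runs offline; a real deployment would load
# this from a managed secret store, never from source code.
INTEGRITY_KEY = b"example-only-integrity-key"


def seal(record: dict) -> dict:
    """Attach an HMAC-SHA256 tag over the record body (integrity controls:
    later alteration of the body can be detected because the tag no longer matches)."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return {"body": record, "tag": tag}


def verify(sealed: dict) -> bool:
    """Recompute the tag and compare in constant time."""
    body = json.dumps(sealed["body"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class PhiStore:
    """Holds sealed records and records one audit entry per access attempt,
    successful or not (audit controls: 'record and examine access')."""

    def __init__(self):
        self.records = {}
        self.audit_log = []

    def _audit(self, user, role, action, record_id, outcome):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "record_id": record_id, "outcome": outcome,
        }
        self.audit_log.append(entry)
        return entry

    def put(self, user, role, record_id, record):
        # Access control: deny unless the role carries the write permission.
        if "write" not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, "write", record_id, "denied")
            raise PermissionError(f"role {role!r} may not write e-PHI")
        self.records[record_id] = seal(record)
        self._audit(user, role, "write", record_id, "ok")

    def get(self, user, role, record_id):
        if "read" not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, "read", record_id, "denied")
            raise PermissionError(f"role {role!r} may not read e-PHI")
        sealed = self.records[record_id]
        if not verify(sealed):
            # An integrity failure is itself a security incident worth logging.
            self._audit(user, role, "read", record_id, "integrity_failure")
            raise ValueError(f"record {record_id!r} failed integrity check")
        self._audit(user, role, "read", record_id, "ok")
        return sealed["body"]


def demo():
    """Walk the safeguards over constructed data; returns the audit outcomes in order."""
    store = PhiStore()
    # Constructed sample e-PHI; the values are not real patient data.
    store.put("dr_lee", "physician", "pt-001", {"name": "Sample Patient", "dx": "J06.9"})
    store.get("nurse_kim", "nurse", "pt-001")
    try:
        store.get("helpdesk", "it_support", "pt-001")   # denied: no read permission
    except PermissionError:
        pass
    # Simulate a change made outside the application (e.g. a direct edit of storage).
    store.records["pt-001"]["body"]["dx"] = "Z00.0"
    try:
        store.get("dr_lee", "physician", "pt-001")       # integrity check fails
    except ValueError:
        pass
    return [e["outcome"] for e in store.audit_log]


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'denied', 'integrity_failure']
```

The audit log is the part a reviewer would examine during the periodic evaluation described earlier: every denied attempt and every integrity failure is recorded with who, what, and when, so the entries can be reviewed to track access to e-PHI and detect security incidents.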


==Required and addressable implementation specifications==
[[File:Checklist Clipboard.jpg|left|120px]]CEs are required to comply with every Security Rule "standard." However, the Security Rule categorizes certain implementation specifications within those standards as "addressable," while others are "required." The required implementation specifications must be implemented. The addressable designation does not mean that an implementation specification is optional, but it permits CEs to determine whether the addressable implementation specification is ''reasonable and appropriate'' for that CE. If it is not, the Security Rule allows the CE to adopt an alternative measure that achieves the purpose of the standard, if that alternative measure is reasonable and appropriate.<ref name="HIPAASecurity" />
{{clear}}
===Organizational requirements===
In some cases, organization-wide action must be taken. Cases include<ref name="HIPAASecurity" />:

;CE responsibility to act
: If a CE knows of an activity or practice of a business associate that constitutes a material breach or violation of the business associate's obligation, the CE must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI.
;business associate responsibility to act
: In the case of a business associate agreement (BAA), certain stipulations are required in most cases. HHS is developing regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009. (Business associates and the BAA were first discussed in [[LII:HIPAA Compliance - LII 007 02. Who Needs to Comply?|Lesson 2]].)

===Policies and procedures, and documentation requirements===
A CE must adopt "reasonable and appropriate" policies and procedures to comply with the provisions of the Security Rule. A CE must maintain, until six years after the date of their creation or last effective date (whichever is later), written security policies and procedures and written records of required actions, activities, or assessments. Additionally, a CE must periodically review and update its documentation in response to environmental or organizational changes that affect the security of e-PHI.<ref name="HIPAASecurity" />

===State law===
In general, state laws that are contrary to the HIPAA regulations are preempted by the federal requirements, which means that the federal requirements will apply. "Contrary" means that it would be impossible for a CE to comply with both the state and federal requirements, or that the provision of state law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.<ref name="HIPAASecurity" />

===Enforcement and penalties for noncompliance===
The Security Rule establishes a set of national standards for confidentiality, integrity, and availability of e-PHI. The HHS Office for Civil Rights (OCR) is responsible for administering and enforcing these standards, in concert with its enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews.<ref name="HIPAASecurity" />

The Enforcement Rule's '''Final Rule''' implements [[Health Information Technology for Economic and Clinical Health Act|HITECH]] provisions that strengthen HHS's ability to enforce the Privacy and Security Rules of HIPAA. Some enforcement measures and penalties are discussed in [[LII:HIPAA Compliance - LII 007 07. Additional Compliance Guidance|Lesson 7]] and on OCR's [http://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/ Enforcement Rule page].

===Compliance dates===
All CEs, except "small health plans," must have been compliant with the Security Rule by April 20, 2005. Small health plans had until April 20, 2006 to comply.<ref name="HIPAASecurity" />

==References==
<references />

<!---Place all category tags here-->
[[Category:LabCourses material (all)]]
[[Category:LabCourses material on regulations and standards]]

Revision as of 23:13, 16 June 2016


In the Health Insurance Portability and Accountability Act of 1996 and its subsequent amendments, collectively known as "HIPAA", both the Privacy Rule and Security Rule were established. There is considerable overlap between the two, and many of the provisions relevant to covered entities (CEs) have been covered in Lessons 1-5 of this course. However, it is worth examining the Security Rule separately, especially inasmuch as it specifically addresses electronic information and related security measures.

About the Security Rule

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule "operationalizes" the protections contained in the Privacy Rule (discussed in Lessons 1-5) by addressing the technical and non-technical safeguards that CEs must put in place to secure individuals’ "electronic protected health information" (e-PHI). A division of the United States Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), has responsibility for enforcing the Privacy and Security Rules, using voluntary compliance measures and civil financial penalties.

It's interesting to note that prior to HIPAA, no generally accepted set of security standards or general requirements for protected health information (PHI) existed in the healthcare industry. Yet new technologies were evolving, and the healthcare industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically-based functions. The need for those standards and security requirements became more apparent.[1]

Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR) or electronic medical records (EMR), as well as radiology, pharmacy, and laboratory information systems (LIS). Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.

A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing CEs to adopt new technologies to improve the quality and efficiency of patient care. Given that the healthcare marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.

This is a summary of key elements of the Security Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Privacy and Security Rules are obligated to comply with all of their applicable requirements and should not rely on this summary as a source of legal information or advice. Several portions of the Security Rule overlap with what we have covered in Lessons 1-5 concerning both privacy and security, in which cases information in this lesson serves to reinforce what you have already encountered. Visit the HHS Security Rule section for links to the entire rule and for additional helpful information about how the rule applies. In the event of a conflict between this summary and the rule, the rule governs.

Statutory and regulatory background

It was the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) that required the Secretary of HHS to publish national standards for the security of e-PHI, electronic exchange, and the privacy and security of health information.

HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released it for public comment on August 12, 1998. The Department received approximately 2,350 public comments. The final regulation, the Security Rule, was published February 20, 2003. The Rule specifies a series of administrative, technical, and physical security procedures for CEs to use to assure the confidentiality, integrity, and availability of e-PHI.[1]

The text of the final regulation can be found at 45 CFR Part 160 and Part 164, Subparts A and C.[2][3]

Who is covered by the Security Rule

The Security Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities," discussed in detail in Lessons 1-5).

Business associates

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) expanded the responsibilities of business associates under the Privacy and Security Rules, as discussed in Lesson 2. HHS is developing regulations to implement and clarify these changes.

What information is protected

The HIPAA Privacy Rule protects the privacy of individually identifiable health information, PHI, as explained in the Privacy Rule and here. The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information electronic protected health information (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.[1]

General rules

The Security Rule, at its foundation, requires CEs to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, CEs must[1]:

  1. ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
  2. identify and protect against reasonably anticipated threats to the security or integrity of the information
  3. protect against reasonably anticipated, impermissible uses or disclosures
  4. ensure compliance by their workforce.

The Security Rule defines "confidentiality" to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, "integrity" means that e-PHI is not altered or destroyed in an unauthorized manner. "Availability" means that e-PHI is accessible and usable on demand by an authorized person.[1]

HHS recognizes that CEs range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow CEs to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular CE will depend on the nature of its particular business, as well as its size and resources.

Therefore, when a CE is deciding which security measures to use, the Rule does not dictate those measures but requires it to consider[1]:

  • its size, complexity, and capabilities
  • its technical, hardware, and software infrastructure
  • the costs of security measures
  • the likelihood and possible impact of potential risks to e-PHI

CEs must also review and modify their security measures to continue protecting e-PHI in a changing environment.

Risk analysis and management

The Administrative Safeguards provisions in the Security Rule require CEs to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular CE, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.

A risk analysis process includes, but is not limited to, the following activities[1]:

  1. evaluating the likelihood and impact of potential risks to e-PHI
  2. implementing appropriate security measures to address the risks identified in the risk analysis
  3. documenting the chosen security measures and, where required, the rationale for adopting those measures
  4. maintaining continuous, reasonable, and appropriate security protections

Risk analysis should be an ongoing process, in which a CE regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

Administrative safeguards

The first of the required areas of security concerns safeguards implemented through administrative processes. These take several forms[1]:

security management process
As explained in the previous section, a CE has to identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a "reasonable and appropriate level."
security personnel
A CE must designate a Security Official who is responsible for developing and implementing its security policies and procedures. This is similar to the Privacy Official discussed in Lesson 5.
information access management
Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a CE to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
workforce training and management
A CE must provide for appropriate authorization and supervision of workforce members who work with e-PHI. All of those workforce members must be trained regarding its HIPAA-compliant security policies and procedures, and the CE must have and apply appropriate sanctions against workforce members who violate those policies and procedures.
evaluation
A CE must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Physical safeguards

The second required area of compliance with the Security Rule is the introduction and maintenance of physical safeguards for PHI. These include[1]:

facility access and control
A CE must limit physical access to its facilities while still ensuring that authorized persons can gain access.
workstation and device security
A CE must implement policies and procedures to specify proper use of and access to workstations and electronic media. A CE also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of e-PHI.

Technical safeguards

The third area of security designated by the Security Rule is the technical aspect. Technical safeguards fall under the categories of[1]:

access control
A CE is required to implement technical policies and procedures that allow only authorized persons to access e-PHI.
audit controls
A CE must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in any information systems that contain or use e-PHI.
integrity controls
A CE must implement policies and procedures, including electronic measures, to ensure that e-PHI is not improperly altered or destroyed.
transmission security
A CE must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network. There are standards that are approved and available, including HL7.
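As an added illustration (not code from this lesson or from HHS), the Python sketch below models three of the technical safeguards just listed: role-based access control that enforces the minimum-necessary standard, an audit log that records every access decision, and a hash chain over that log so that alteration of the audit trail is detectable on review. The role table, record identifiers and log fields are constructed assumptions, not anything the Security Rule prescribes.

```python
"""Added illustration, not code from the lesson or from HHS: a toy e-PHI
access gate modelling three technical safeguards of the Security Rule.
Roles, record ids and log fields are constructed assumptions."""
import hashlib
import json
from datetime import datetime, timezone

# Access control / information access management: each workforce role may
# reach only the e-PHI elements its job needs ("minimum necessary").
ROLE_PERMISSIONS = {
    "physician": {"demographics", "diagnoses", "lab_results"},
    "lab_tech": {"lab_results"},
    "billing": {"demographics", "claims"},
}

GENESIS = "0" * 64  # previous-hash value used for the first audit entry

class AuditLog:
    """Audit controls: every access decision is recorded.
    Integrity controls: each entry's SHA-256 covers its own fields and the
    previous entry's hash, so editing or deleting an entry breaks the chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, payload):
        body = prev_hash + json.dumps(payload, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def record(self, user, role, record_id, element, allowed):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "record": record_id,
            "element": element, "allowed": allowed,
        }
        self.entries.append({**payload, "hash": self._digest(prev_hash, payload)})

    def verify_chain(self):
        """Recompute every hash; False means the audit trail was altered."""
        prev_hash = GENESIS
        for entry in self.entries:
            payload = {k: v for k, v in entry.items() if k != "hash"}
            if self._digest(prev_hash, payload) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True

def request_access(log, user, role, record_id, element):
    """Role-based decision. Denied attempts are logged too, since they are
    what a periodic evaluation most needs to see."""
    allowed = element in ROLE_PERMISSIONS.get(role, set())
    log.record(user, role, record_id, element, allowed)
    return allowed

def denied_attempts(log):
    """Review helper: entries a Security Official should examine."""
    return [(e["user"], e["element"]) for e in log.entries if not e["allowed"]]
```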

Required and addressable implementation specifications

CEs are required to comply with every Security Rule "standard." However, the Security Rule categorizes certain implementation specifications within those standards as "addressable," while others are "required." The required implementation specifications must be implemented. The addressable designation does not mean that an implementation specification is optional, but it permits CEs to determine whether the addressable implementation specification is reasonable and appropriate for that CE. If it is not, the Security Rule allows the CE to adopt an alternative measure that achieves the purpose of the standard, if that alternative measure is reasonable and appropriate.[1]

Organizational requirements

In some cases, organization-wide action must be taken. Cases include[1]:

CE responsibility to act
If a CE knows of an activity or practice of a business associate that constitutes a material breach or violation of the business associate’s obligation, the CE must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI.
Business associate responsibility to act
In the case of a business associate agreement (BAA), certain stipulations are required in most cases. HHS is developing regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009. (Business associates and the BAA were first discussed in Lesson 2).

Policies and procedures, and documentation requirements

A CE must adopt "reasonable and appropriate" policies and procedures to comply with the provisions of the Security Rule. A CE must maintain, until six years after the date of their creation or last effective date (whichever is later), written security policies and procedures and written records of required actions, activities or assessments. Additionally, a CE must periodically review and update its documentation in response to environmental or organizational changes that affect the security of e-PHI.[1]

State law

In general, state laws that are contrary to the HIPAA regulations are preempted by the federal requirements, which means that the federal requirements will apply. "Contrary" means that it would be impossible for a CE to comply with both the State and federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.[1]

Enforcement and penalties for noncompliance

The Security Rule establishes a set of national standards for confidentiality, integrity and availability of e-PHI. The HHS Office for Civil Rights (OCR) is responsible for administering and enforcing these standards, in concert with its enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews.[1]

The Enforcement Rule's Final Rule consists of HITECH provisions that strengthen HHS's ability to enforce the Privacy and Security Rules of HIPAA. Some enforcement measures and penalties are discussed in Lesson 7 and on OCR's Enforcement Rule page.

Compliance dates

All CEs, except "small health plans," must have been compliant with the Security Rule by April 20, 2005. Small health plans had until April 20, 2006 to comply.[1]

References