The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law by President Bill Clinton on August 21, 1996. HIPAA’s main goal was to ensure the portability of health insurance benefits particularly as individuals moved from job to job. However, within this law a subtitle was created entitled the Administrative Simplification Act, with three additional goals:
1. Simplify the administration and processing of health data by implementing industry-wide standards for transmitting certain health and related financial information;
2. Create standards to ensure the privacy and security of health information that is transmitted or stored electronically; and
3. Reduce the costs and administrative overhead of processing health and related financial information.
HIPAA Security is that part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that governs Electronic Protected Health Information or EPHI.
All covered entities must comply with the Security Rule if they store or transmit any Protected Health Information in electronic form.
Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. In this fast-access, technology-driven society, providers are quickly moving away from paper. So protecting the data and still permitting appropriate access became an important priority.
The Privacy Rule sets the standards for how protected patient health information should be controlled. The Security Rule defines the standards which require covered entities to implement basic safeguards to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI). Privacy depends upon security measures: no security, no privacy.
What is a covered entity?
A covered entity is any health care provider and their business associates who store, maintain or transmit any health information in electronic form. All covered entities must comply with the Security Rule.
Required is pretty simple. You are required by the HIPAA Security rule to comply.
Addressable means that you must do one of the following:
Implement the specification if reasonable and appropriate; or
Determine that implementing the specification is not reasonable and appropriate. If that is the case, then you must:
Document the rationale supporting your decision; and
Implement an equivalent measure that is reasonable and appropriate and that would accomplish the same purpose; or
Not implement the addressable specification or an equivalent measure, if the standard could still be met and implementing the specification or alternative would not be reasonable or appropriate.
It will depend on a variety of factors including:
- The risk analysis – What current circumstances leave the entity open to unauthorized access and disclosure of EPHI?
- The security analysis – What security measures are already in place or could reasonably be put into place?
- The financial analysis – How much will each implementation cost?
What does “Implementation Specifications” mean? Sometimes referred to in this manual as “specifications”
These are additional detailed instructions for implementing a particular standard. Each set of safeguards is comprised of a number of standards, which, in turn, are generally comprised of a number of specifications that are either required or addressable.
The covered entity is required to conduct an evaluation of what security measures are currently in place, an accurate and thorough risk analysis, and a series of documented solutions you have determined are needed, with the time frame in which you plan to have them completed.
Each covered entity is unique and varies in size and resources. There is no totally secure system. Therefore, the security standards were designed to provide guidelines to all types of covered entities while allowing them flexibility regarding how to implement the standards. Smaller and less sophisticated practices may not be able to implement security in the same manner and at the same cost as larger covered entities. Remember, cost alone is not an acceptable reason to not implement a procedure or measure.
The Rule does not prescribe the use of specific technologies, so that the health care community will not be bound by specific systems and/or software that may become obsolete. There is flexibility within the Rule for each entity to choose the technologies that best meet its needs to comply with the standard.
- Administrative safeguards: Assignment or delegation of security responsibility to an individual and the training requirements, as well as written policies and procedures to manage the selection, development, implementation and maintenance of the security measures to protect EPHI.
- Physical safeguards: The mechanisms required to protect electronic systems, the equipment and the data from threats, environmental hazards and unauthorized intrusion. This includes restricting access to EPHI and retaining off-site backups.
- Technical safeguards: Primarily the automated processes used to protect data and control access to the data, i.e. passwords, encryption and decryption.
- Risk Analysis (required)
- Risk Management (required)
- Sanction Policy (required)
- Information System Activity Review (required)
This activity forms the foundation upon which an entity’s necessary security activities are built. The results from the initial risk analysis and then the written risk management processes will become the baseline for your ongoing security process.
System vulnerability is a flaw or weakness in a system, due to its design, installation, lack of policies and procedures, or some other cause. Any of these weaknesses, whether intentional or accidental, could potentially result in a breach or inappropriate use or disclosure of electronic PHI. Some vulnerabilities may be caused by ineffective policies regarding user or log on IDs and passwords, holes or weaknesses in some of the software tools, or flaws in the operating system, application or inadequate access controls.
Appropriate sanctions must be in place so that workforce members understand the consequences of failing to comply with your security policies and procedures to deter non-compliance.
The initial and ongoing audits of activity within your system enable covered entities to determine if any EPHI is used or disclosed in an inappropriate manner. It is a tracking of everything that is done on your computer. These should be in the form of audit logs, access reports and/or incident tracking reports.
The purpose of this standard is to identify who will be operationally responsible for assuring that the covered entity complies with the Security Rule. Covered entities should be aware that this is comparable to the Privacy Rule standard that requires all covered entities to designate a Privacy Official. The Security Official and the Privacy Official can be the same person, but are not required to be.
- Authorization and supervision of the workforce (addressable)
- Workforce clearance procedures (addressable)
- Termination procedures (addressable)
First of all, because this is an addressable standard, you must determine if it is reasonable to have different levels of access. Most of the time in smaller clinics this is not necessary. You need only document that it was reviewed and you decided everyone needed complete access. There may be some clinics that access is granted for billing, data entry, patient health care information (treatment records) or accounting purposes that may require different access because the clinic may have departments of a larger staff. You will have to work with your software vender to determine what activity levels are available.
It is not required to have in place, but it is required that you have reviewed (addressed) your current procedures to determine if these procedures should be altered based on your particular clinic size as stated above.
Basically, it is what you do when a staff member is fired or resigns from their position. This is an addressable standard. Your computer system needs new passwords immediately, your doors need new locks if they had a key, or if you have electronic access, change the access code. This is minimal protection for PHI and/or EPHI.
This should be part of the reports or audits you can run from your computer system. Talk with your software vendor. Daily reports should show every activity that was conducted on your computer software that day.
- Security Reminders (addressable)
- Protection from Malicious Software (addressable)
- Log-In Monitoring (addressable)
- Password Management (addressable)
Where this is a reasonable and appropriate safeguard, you must implement periodic security updates. Check your virus protection, etc. This needs to be on a specific schedule and written on some type of a calendar. It could be paper or electronic, and needs to be part of your process.
Malicious software can be thought of as any program that harms information systems, such as viruses, Trojan horses or worms. Malicious software is frequently brought into your system through email attachments and programs that are downloaded from the Internet. This must be part of the training process in protecting against malicious software.
Security awareness and training should address how users log onto systems and how they are supposed to manage their passwords. If reasonable and appropriate, you must monitor all log-in attempts and report discrepancies. Talk with your software vendor.
It is not required. It is an addressable standard. If it is a reasonable and appropriate safeguard, you should regularly change your password. In FTC, Identity Theft Prevention Rule, it is required to change passwords on a regularly scheduled routine.
Basically it is how you and your staff are to respond to, report, and document suspected or known security incidents, harmful effects and outcomes. This would include such things as stolen computers or passwords, corrupt backups, virus attacks, physical break-ins, etc.
The new HITECH rules are very specific concerning these security incidents.
To establish strategies for recovering access to EPHI should the clinic experience an emergency or other occurrence, such as a power outage, fire, vandalism, natural disaster, etc. that disrupts critical business operations. The goal is to ensure that you can still conduct business and that the EPHI is available when needed.
- Data Backup Plan (required)
- Disaster Recovery Plan (required)
- Emergency Mode Operation Plan (required)
- Testing and Revision Procedures (addressable)
- Application and Data Criticality Analysis (addressable)
You must have a backup procedure to create and maintain retrievable exact copies of EPHI.
You must have a procedure to restore any loss of data.
You must have procedures to enable continuation of protecting the EPHI while you are in emergency mode. (If the power goes out, your EPHI must continue to be protected)
First, it is not required. It is addressable, but if you find that it is a reasonable and appropriate safeguard, you must have procedures for periodical testing and revision of your contingency plans.
Remember, this is not required. It is addressable. If you find that it is a reasonable and appropriate safeguard, you must have procedures to identify how important each application software is to patient care or business needs, and prioritize for data backup. This will help you better select which application software gets restored first and/or if there is any application software that must be available at all times.
The Security Rule defines physical safeguards as “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
You must have policies and procedures to limit physical access to your facility or other place the EPHI is housed. Facility is defined as “physical premises and the interior and exterior of a building.”
- Contingency Operations (addressable)
- Facility Security Plan (addressable)
- Access Control and Validation Procedures (addressable)
- Maintenance Records (addressable)
This means how you are protecting EPHI during, or immediately following, a disaster. If you have a disaster, and data needs to be restored, how is security and appropriate access being protected and maintained? Do you need a guard at the door? Do you need to tell your staff only the doctors are to report? Can all staff report to help with the restoration? You must write a policy and procedure for that situation if it is reasonable and appropriate.
If appropriate and reasonable, you must have procedures to safeguard the facility and keep it secure from unauthorized individuals at all times. Examples include locked doors, surveillance cameras, alarms, etc.
A workstation is defined as “an electronic computing device” (laptop, desktop, etc.). If appropriate and reasonable, you must have written policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of the specific workstation that can access EPHI. One policy may be that no one can “surf the net” while on any computer that has EPHI on it, or no one can be on the computer if not scheduled to work at that time.
If you have a computer at home, or a laptop that you carry back and forth that has EHPI on it, it is considered the same as any workstation in the office and must be protected.
- Disposal (required)
- Media Re-Use (required)
- Accountability (addressable)
- Data Backup and Storage (addressable)
When disposing of any electronic media that contains EPHI you must make sure it is unusable and/or inaccessible. One way to dispose of electronic media is degaussing, whereby a strong magnetic field is applied to fully erase the data. If you do not have access to degaussing equipment, another way to dispose of the electronic media is to physically damage it beyond repair, making the data inaccessible.
It means reusing the electronic media by moving it to another location, selling it or giving it away. If you choose to reuse the media, you must remove all EPHI previously stored on the media to prevent unauthorized access to the information. You are to maintain a written record of all movement of electronic media if reasonable and appropriate.
If reasonable and appropriate, you must create a retrievable, exact copy of the EPHI, when needed, before movement of the equipment.
The Security Rule defines technical safeguards as “the technology and the policies and procedures for its use that protect EPHI and control access to it.”
- Unique User Identification (required)
- Emergency Access Procedure (required)
- Automatic Log Off (addressable)
- Encryption and Decryption (addressable)
Yes, it is required. You MUST assign a unique name and/or number for identifying and tracking user identity. This will enable you to hold users accountable for functions performed on information systems with EPHI when logged into those systems.
Yes, it is required. You MUST establish (and implement as needed) procedures for obtaining necessary EPHI during an emergency. Determine what types of information will be needed during times of emergency. If you determine that you have everything you need to care for a patient (i.e. paper “treatment” cards etc.) that is what you document as your emergency access procedure.
Am I required to have automatic log off that terminates a session after a predetermined time of inactivity?
No, it is addressable. If it is a reasonable and appropriate safeguard, then you must implement procedures that terminate an electronic session after a predetermined time of inactivity. This protects EPHI when the user leaves their workstation unattended.
No, it is addressable. But, the new Breach Notification Interim Final Rule states:
“Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.” http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html
What this means is that you must be sure that the integrity of the EPHI is not improperly modified without detection until disposed when transmitted electronically. Check with your IT professionals, software vendors, business associates and trading partners for their capability of insuring your data is not modified, and if it is, it will be detected and you will be notified.
HIPAA provides for civil and criminal penalties for failing to comply with the Security Rule. How the penalties are enforced, and the degree to which they are enforced, is based on the actions that a covered entity took as soon as it became aware of violations involving the Security Rule. This means that we have to make a good faith effort to adhere to requirements in the Security Rule. The consequences for criminal violations of the HIPAA Security Rule may include fines of up to $250,000 and imprisonment.
What is the most important thing I should do to start protecting electronic protected health information?
Assess, Assess, Assess…..