Security Rule

From Clinfowiki

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The final rule became effective on April 21, 2003, and HIPAA covered entities were required to comply with the regulations by April 21, 2005, with the exception of small health plans, whose compliance date was extended until April 21, 2006. The final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The ultimate goal of this rule was to improve the Medicare and Medicaid programs, other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information.


Introduction

One of the main goals of the HIPAA Security Rule is “to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.”1(p.1) The rule is designed to be “flexible and scalable,” so as to accommodate the inherent diversity in the healthcare marketplace.1 As such, the size, available resources, and specific risks to ePHI which are relevant to a particular covered entity can be taken into account when implementing policies, procedures, and technologies. The security standards within the Security Rule were designed to be “technology neutral,” in that they do not dictate the use of specific technologies.2


Parties Covered by the Security Rule

The Security Rule applies to:

  • Any health care provider who transmits ePHI in connection with a transaction for which HHS has adopted a standard under HIPAA
  • Health plans
  • Health care clearinghouses
  • Business associates1,2


Information Protected Under the Security Rule

The Security Rule applies to a subset of protected health information (PHI), specifically that which is created, received, maintained, or transmitted in electronic form. This information is termed electronic protected health information (ePHI). The rule does not apply to PHI which is transmitted in non-electronic form (i.e. orally or in writing).1,2


General Principles of the Security Rule

Covered Entities (CEs) are required to maintain “reasonable and appropriate” safeguards (administrative, physical, and technical) to protect ePHI. More specifically, CEs must:

  • Identify and protect against reasonably anticipated threats to the security or integrity of ePHI.
  • Protect against reasonably anticipated, improper uses or disclosures of ePHI.
  • Ensure compliance with these provisions by their workforce.


Security measures must be reviewed and modified periodically in order to continuously protect ePHI within changing environments.1


Implementation Specifications

Each category of safeguards (administrative, physical, and technical) contains a set of standards, which further contain implementation specifications for each standard. Implementation specifications are detailed instructions for implementing a given standard and may be required or addressable. Required specifications necessitate that policies and procedures must be implemented to achieve the standard, whereas addressable specifications necessitate that a covered entity assess whether it is reasonable and appropriate to implement a safeguard in the particular setting. If a CE decides to not implement an addressable specification, there must be documentation of a reason, and it must implement an equivalent alternative if reasonable and appropriate.1,2

Factors affecting whether or not a specification is reasonable and appropriate include a CE’s:

  • Risk analysis
  • Security analysis
  • Financial analysis2


Security Standards - Safeguards

Administrative Safeguards


Administrative Safeguards are “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”3(p.2)


Security Management Process

A CE must implement security measures that reduce risks and vulnerabilities to a level which is reasonable and appropriate.1,3 There are 4 required implementation specifications under this standard:

  • Risk Analysis
  • Risk Management
  • Sanction Policy
  • Information System Activity Review3


Assigned Security Responsibility

A CE must designate a security official who is responsible for the development and implementation of security policies and procedures.1,3


Workforce Security

A CE must implement policies and procedures to ensure members of the workforce have appropriate access to ePHI and to prevent those who should not have access from obtaining it. There are 3 addressable implementation specifications under this standard:

  • Authorization and/or Supervision
  • Workforce Clearance Procedure
  • Termination Procedures3


Information Access Management

A CE is required to implement policies and procedures which authorize access to ePHI only when such access is appropriate to the user’s role.1,3 This standard is closely related to the Workforce Security standard above. This standard has 1 required and 2 addressable implementation specifications:

  • Isolating Healthcare Clearinghouse Functions
  • Access Authorization
  • Access Establishment and Modification3


Security Awareness and Training

A CE must implement a security awareness and training program for all workforce members (to include management). There are 4 addressable implementation specifications under this standard:

  • Security Reminders
  • Protection from Malicious Software
  • Log-in Monitoring
  • Password Management3


Security Incident Procedures

A CE must implement policies and procedures to address any security incidents that occur.3 A security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”3(p.17) There is 1 required implementation specification for this standard: Response and Reporting.3


Contingency Plan

A CE must establish (and implement as needed) policies and procedures for responding to an emergency that damages systems containing ePHI. There are 3 required and 2 addressable implementation specifications under this standard:

  • Data Back-up Plan
  • Disaster Recovery Plan
  • Emergency Mode Operation Plan
  • Testing and Revision Procedures
  • Applications and Data Criticality Analysis3


Evaluation

A CE must periodically perform assessments of how well security policies and procedures meet the requirements of the Security Rule.1,3


Business Associate Contracts and Other Arrangements

A CE “may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances...that the business associate will appropriately safeguard the information."3(p.23-24)




Physical Safeguards

Physical safeguards are “physical measures, policies, and procedures, to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”4(p.2)


Facility Access Controls

A CE must limit physical access to its facilities while also allowing authorized access.1,4 There are 4 addressable implementation specifications under this standard:

  • Contingency Operations
  • Facility Security Plan
  • Access Control and Validation Procedures
  • Maintenance Records4


Workstation Use

A CE must implement policies and procedures which specify the proper functions to be performed by workstations that can access ePHI. This includes the physical attributes of the surroundings.4 In this case, a workstation is defined as “an electronic computing device...or any other device that performs similar functions, and electronic media stored in its immediate environment.”4(p.7) Safeguards must also be applied to workstations located off-site.4


Workstation Security

A CE must implement physical safeguards to restrict unauthorized access.4


Device and Media Controls

A CE must implement policies and procedures to cover the proper handling of electronic media that include ePHI, to include “receipt, removal, backup, storage, reuse, disposal and accountability.”4(p.10) In this case, electronic media means “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium...”4(p.10) There are 2 required and 2 addressable implementation specifications under this standard:

  • Disposal
  • Media Re-Use
  • Accountability
  • Data Backup and Storage4




Technical Safeguards

Technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”5(p.2)


Access Control

A CE must implement technical policies and procedures to allow only authorized users to access ePHI.1,5 Access is defined as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resources.”5(p.3) Access controls should enable access to the “minimum necessary information needed to perform job functions.”5(p.3) There are 2 required and 2 addressable implementation specifications under this standard:

  • Unique User Identification
  • Emergency Access Procedure
  • Automatic Logoff
  • Encryption and Decryption5


Audit Controls

A CE must “implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use electronic protected health information.”5(p.7) There is no specification of what data should be gathered or how often data should be collected.5


Integrity

A CE must implement policies or procedures to prevent ePHI from being improperly altered or destroyed.1,5 There is 1 addressable implementation specification under this standard: Mechanism to Authenticate Electronic Protected Health Information.5
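The Access Control, Audit Controls, and Integrity standards above describe what a technical safeguard must achieve without prescribing how. The following is an added illustration (not code from the original page or from HHS) of how the three fit together in one access path: every request carries a unique user identifier, the role decides the minimum-necessary fields returned, an HMAC over the record is checked before anything is released, and every attempt is written to an audit log whether it is granted or denied. The role-to-field mapping, the key, and the patient record are constructed sample values.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key: in a real system this lives in a secrets store, not in code.
INTEGRITY_KEY = b"placeholder-integrity-key"

# Assumed role-to-field mapping: the "minimum necessary" set for each job function.
ROLE_FIELDS = {
    "physician": {"patient_id", "name", "diagnosis", "medications"},
    "billing": {"patient_id", "name", "insurance_id"},
}

AUDIT_LOG = []  # audit control: one entry per access attempt, granted or not


def seal(record: dict) -> str:
    """Integrity mechanism: HMAC-SHA256 over a canonical JSON encoding of the record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()


def verify(record: dict, tag: str) -> bool:
    """Constant-time comparison so a tampered record or tag is rejected."""
    return hmac.compare_digest(seal(record), tag)


def access_ephi(user_id: str, role: str, record: dict, tag: str) -> Optional[dict]:
    """Return the role's minimum-necessary view of the record, or None if denied.
    Every attempt is logged under the unique user identifier."""
    entry = {"ts": time.time(), "user": user_id, "role": role,
             "patient": record.get("patient_id")}
    if not verify(record, tag):
        entry["outcome"] = "DENIED_INTEGRITY"   # record altered since it was sealed
    elif role not in ROLE_FIELDS:
        entry["outcome"] = "DENIED_ROLE"        # no job function grants this role access
    else:
        entry["outcome"] = "GRANTED"
    AUDIT_LOG.append(entry)
    if entry["outcome"] != "GRANTED":
        return None
    view = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
    entry["fields"] = sorted(view)              # which fields were actually disclosed
    return view


# Constructed sample record (not real patient data), sealed when it is created.
SAMPLE_RECORD = {"patient_id": "P-0001", "name": "Test Patient",
                 "diagnosis": "example", "medications": ["example"],
                 "insurance_id": "INS-0001"}
SAMPLE_TAG = seal(SAMPLE_RECORD)
```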


Person or Entity Authentication

A CE must implement procedures to verify the identity of users (i.e. confirm that users are who they claim to be). This can be accomplished by requiring:

  • Something known only to that individual (e.g. password, pin)
  • Something the individual possesses (e.g. smart card, token, key)
  • Something unique to the individual, such as a biometric (e.g. fingerprint, voice pattern, facial pattern, iris pattern)5


Transmission Security

A CE must implement technical security measures that protect against unauthorized access to ePHI during transmission over an electronic network.1,5 There are 2 addressable implementation specifications under this standard:

  • Integrity Controls
  • Encryption


Other Security Standards

In addition to specifying safeguards, the Security Rule also includes a number of standards and implementation specifications which address organizational requirements, policies/procedures, and documentation requirements.1,2 Organizational requirements include requirements for the content of business associate contracts and requirements for group health plans. In addition to adopting reasonable and appropriate policies and procedures to comply with the Security Rule, a CE must maintain written records of these policies and procedures and any required actions, activities, or assessments for 6 years from the date of its creation or the date when it was last in effect. This documentation must be reviewed and updated periodically in response to changes in the environment of operations affecting security of ePHI.1,6


Enforcement

The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is responsible for enforcing the standards set forth by the Security Rule. Contrary state laws are generally preempted by the federal requirements.1


References (original post, prior to the table of contents)

  • Centers for Medicare and Medicaid Services. (2003). Health Insurance Reform: Security Standards. Federal Register, 68(34), 8333-8381.


References (Update 10/2020)

1. U.S. Department of Health and Human Services. Summary of the HIPAA Security Rule. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html. Published July 26, 2013. Accessed October 15, 2020.

2. U.S. Department of Health and Human Services. Security 101 for Covered Entities. HHS.gov. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/security101.pdf. Published November 2004. Updated March 2007. Accessed October 22, 2020.

3. U.S. Department of Health and Human Services. Security Standards: Administrative Safeguards. HHS.gov. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf. Published May 2005. Updated March 2007. Accessed October 22, 2020.

4. U.S. Department of Health and Human Services. Security Standards: Physical Safeguards. HHS.gov. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf. Published February 2005. Updated March 2007. Accessed October 22, 2020.

5. U.S. Department of Health and Human Services. Security Standards: Technical Safeguards. HHS.gov. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf. Published May 2005. Updated March 2007. Accessed October 22, 2020.

6. U.S. Department of Health and Human Services. Organizational, Policies and Procedures and Documentation Requirements. HHS.gov. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf. Published May 2005. Updated March 2007. Accessed October 22, 2020.


Submitted by Erica Glancy MD