Written By: Kathryn H. Rowan
Christian & Small LLP
Until February 2010, Business Associates were not directly subject to the HIPAA Privacy and Security Rules. However, with the adoption of the HITECH Act, law firms who serve as Business Associates for their healthcare clients and receive or access their clients' protected health information are now statutorily required to comply with the same comprehensive Security Rule requirements as Covered Entities to ensure consistency of security when health information is accessed or exchanged between organizations.
To comply with the Security Rule, Business Associates must perform an extensive risk analysis to determine reasonable and appropriate security measures suitable for their organization and environment. Several issues need to be considered as part of this evaluation, including what security measures are currently in place; how electronic protected health information (e-PHI) moves through the organization; what the natural, human, and environmental threats to information systems containing e-PHI are; whether the security processes are being communicated throughout the organization; and whether management is actively involved in risk management decisions.
I. Background: What is the HIPAA Privacy Rule & Security Rule?
The HIPAA Privacy Rule protects "all individually identifiable health information," referred to as protected health information (PHI), whether in electronic, oral, or paper form. Under HIPAA's Privacy Rule, Covered Entities and Business Associates must develop and implement written privacy policies and procedures, adhere to the Rule's authorized and permitted uses and disclosures of PHI, and properly designate a privacy official, among other things.[1]
The Security Rule provides more comprehensive security requirements than the Privacy Rule's safeguards provision at 45 C.F.R. § 164.530(c), defining the safeguards and standards that must be implemented by business associates. However, the Security Rule covers only a narrow portion of the information covered by the Privacy Rule: all individually identifiable health information created, received, maintained or transmitted in electronic form, called "electronic protected health information" (e-PHI).[2] In other words, the Security Rule does not apply to PHI transmitted orally or in writing.
II. HIPAA Security Rule: The General Rules
Under the Security Rule, covered entities, and now business associates, are required to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI, to:
1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
3. Protect against reasonably anticipated, impermissible uses or disclosures; and
4. Ensure compliance by their workforce.[3]
Achieving compliance with the Security Rule will depend on a number of factors, including those identified in §164.306(b)(2):
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to e-PHI.
The Rule does not dictate which security measures to use, but sets forth the factors that a covered entity or business associate must consider.[4] Conceivably, this provides covered entities and business associates the ability to assess their own needs and develop solutions appropriate for their specific environments.
III. Implementation Specifications: Required vs. Addressable
Covered Entities and Business Associates are required to comply with every Security Rule “Standard.” Each set of safeguards (administrative, physical, and technical) is comprised of a number of standards. These standards are, in turn, comprised of a number of implementation specifications that are either “required” or “addressable.” An “implementation specification” provides additional instruction on how to implement and comply with a particular standard.
Those standards with “required” implementation specifications must be implemented. Implementation specifications that are labeled as “addressable” are optional, with some caveats. For those “addressable” specifications, Business Associates must determine whether the specification is reasonable and appropriate for their organization and environment. If the business associate chooses not to implement an “addressable” specification based on its assessment, the reason must be documented, and an equivalent alternative measure that is reasonable and appropriate must be implemented.[5]
Which security measures to implement to address the standards and implementation specifications is a decision that will depend on a variety of factors, including, but not limited to:
• Risk analysis of their environment for current exposure to unauthorized access and disclosure of e-PHI.
• Security analysis of current security measures in place or that could reasonably be put into place.
• Financial analysis of the cost to implement reasonable and appropriate security measures.
IV. Security Standards: Administrative, Physical, and Technical Safeguards
The security standards are divided into administrative, physical, and technical safeguards. Administrative safeguards are the administrative functions that should be implemented to meet the security standards.[6] Physical safeguards are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards, and unauthorized intrusion.[7] Technical safeguards are primarily the automated processes used to protect data and control access to data.[8]
A. Administrative Safeguards
Administrative safeguards are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”[9]
Standard 1: Security Management Process. “Implement policies and procedures to prevent, detect, contain and correct security violations.” This standard requires identification and analysis of potential risks to e-PHI, and entities must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
There are four implementation specifications in the Security Management Process standard:
1. Risk Analysis (Required) – A comprehensive risk analysis will determine which security measures are reasonable and appropriate for the organization, thereby aiding in the implementation of all of the safeguards contained in the Security Rule.
2. Risk Management (Required) – “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).”
3. Sanction Policy (Required) – “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.” Employees need to understand the organization’s security policies and procedures along with the sanctions for non-compliance.
4. Information System Activity Review (Required) – “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” This implementation specification will help an organization determine if any e-PHI is or has been used or disclosed in an inappropriate manner.
Standard 2: Assigned Security Responsibility. Designate an individual from the organization as the security official who is responsible for developing and implementing its security policies and procedures.[10]
Standard 3: Workforce Security. Workforce members that need access to e-PHI must be identified along with the computer systems and applications that provide access to the e-PHI.[11]
Within Workforce Security, there are three addressable implementation specifications:
1. Authorization and/or Supervision (Addressable) – “Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”[12]
2. Workforce Clearance Procedure (Addressable) – “Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”[13]
3. Termination Procedures (Addressable) – “Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) [the Workforce Clearance Procedure] of this section.”[14]
Standard 4: Information Access Management. Implement policies and procedures for determining the persons and/or entities that need access to e-PHI within the organization.[15]
The Information Access Management standard has three implementation specifications:
1. Isolating Health Care Clearinghouse Functions (Required) – This applies only in a situation where a health care clearinghouse is part of a larger organization.
2. Access Authorization (Addressable) – “Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.”[16]
3. Access Establishment and Modification (Addressable) – “Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.”[17]
Standard 5: Security Awareness & Training. Security training for all members of a business associate's workforce is required.[18] Whenever there are changes in operations or the environment, periodic training must be provided.
The Security Awareness and Training standard has four implementation specifications:
1. Security Reminders (Addressable) – Periodic security updates.
2. Protection from Malicious Software (Addressable) – Procedures for protection against, detecting, and reporting malicious software.
3. Log-in Monitoring (Addressable) – Procedures for monitoring log in attempts and reporting discrepancies.
4. Password Management (Addressable) – Procedures for creating, changing, and safeguarding passwords.
Standard 6: Security Incident Procedures. Covered entities and business associates must identify and develop a reporting procedure for security incidents within their environment. A security incident is defined as, "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."
There is one required implementation specification for this standard:
1. Response and Reporting (Required) – “Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.”[19]
Standard 7: Contingency Plan. “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”[20] A business associate must establish strategies to access e-PHI in the event of an emergency or other occurrence. The goal is to have access to e-PHI when needed.
The Contingency Plan standard includes five implementation specifications:
1. Data Backup Plan (Required)
2. Disaster Recovery Plan (Required)
3. Emergency Mode Operation Plan (Required)
4. Testing and Revision Procedures (Addressable)
5. Applications and Data Criticality Analysis (Addressable)
Standard 8: Evaluation. A covered entity must implement ongoing evaluation and monitoring of how well its security policies and procedures meet the requirements of the Security Rule.[21]
B. Physical Safeguards
The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
All physical access to e-PHI must be considered for evaluation and implementation for this safeguard. This may include workforce members’ homes or other physical locations outside the office where e-PHI is accessible.
Standard 1: Facility Access Controls. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.[22]
The Facility Access Controls standard has four implementation specifications:
1. Contingency Operations (Addressable) – Establish procedures that allow facility access to restore lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
2. Facility Security Plan (Addressable) – Implement policies and procedures to protect the facility and the equipment from unauthorized physical access, tampering, and theft.
3. Access Control and Validation Procedures (Addressable) – Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control. This includes controlling access to software programs for testing and revision.
4. Maintenance Records (Addressable) – Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
Standards 2 and 3: Workstation Use and Security. Implement policies and procedures for proper use of and restricted access to workstations and electronic media.[23] A workstation is defined in the rule as “an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.”
Inappropriate use can result in exposure to virus attacks, compromise of information systems and breaches of confidentiality. This applies to workforce members that work off site using workstations that can access e-PHI.
Standard 4: Device and Media Controls. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure proper handling and protection of e-PHI.[24] The term “electronic media” means “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card.”
Implementation specifications include:
1. Disposal (Required) – Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
2. Media Re-use (Required) – Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
3. Accountability (Addressable) – Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
4. Data Backup and Storage (Addressable) – Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.[25]
C. Technical Safeguards
The Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Standard 1: Access Control. Implement technical policies and procedures that allow only authorized persons to access e-PHI.[26]
There are four implementation specifications for the Access Control Standard:
1. Unique user identification (Required) – Assign a unique name and/or number for identifying and tracking user identity.
2. Emergency access procedure (Required) – Establish procedures as needed for obtaining necessary electronic protected health information during an emergency.
3. Automatic logoff (Addressable) – Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
4. Encryption and decryption (Addressable) – Implement a mechanism to encrypt and decrypt electronic protected health information.[27]
Standard 2: Audit Controls. Implement hardware, software, and/or procedural mechanisms, such as audit reports, to monitor access and other activity in information systems that contain or use e-PHI.[28]
Standard 3: Integrity Controls. Implement policies and procedures to ensure that e-PHI is not compromised either by improper alteration or by destruction, whether intentionally or by accident. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.[29]
There is one implementation specification for the Integrity Controls Standard:
1. Mechanism to authenticate electronic protected health information (Addressable): Implement electronic mechanisms for confirmation that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Standard 4: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to e-PHI is in fact who he/she claims to be before allowing access.
Standard 5: Transmission Security. Implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.[30]
There are two implementation specifications for the Transmission Security Standard:
1. Integrity Controls (Addressable) – Implement security measures to ensure that electronically transmitted e-PHI is not improperly modified without detection until disposed of.
2. Encryption (Addressable) – Implement a mechanism to encrypt e-PHI whenever deemed appropriate.[31]
V. Policies and Procedures and Documentation Requirements
As part of compliance with the provisions of the Security Rule, covered entities, now including business associates, must adopt reasonable and appropriate policies and procedures. Written security policies and procedures and written records of required actions, activities, or assessments must be maintained until six years after the later of the date of their creation or last effective date.[32]
As part of compliance with the Rule, there must be an established periodic review of environmental or organizational changes that affect the security of e-PHI within the organization. Once the reviews are completed, the policies and procedures must be updated in response to the changes in the environment or organization, and those changes must be documented as well.[33]
VI. The Next Step
Business associates will find that compliance with the Security Rule will require an evaluation of what security measures are currently in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of complex factors unique to each organization. This evaluation will require input from not only the IT department, but also firm management as well as employees in order to accurately assess the current environment and what are reasonable and appropriate solutions for compliance with the Rule.
The evaluation process could include:
1. Assess current security, risks, and gaps through a survey of employees and management to determine what kind of data is being transmitted and stored.
2. Review the Security Rule standards and implementation specifications.
3. Review the “addressable” implementation specifications to determine if each implementation specification is reasonable and appropriate for the organization's environment.
4. Based on the initial assessment of the organization with a comparison to the Security Rule standards and implementation specifications, develop an implementation plan.
5. Determine security measures to reasonably and appropriately implement the standards and implementation specifications.[34]
6. Implement security measures and solutions that are reasonable and appropriate for the organization based on risk assessment, security assessment and cost assessment.
7. Document, document, document decisions! Document the analysis, the decisions, and the rationale for the decisions for security policies and procedures.
Kathryn is an associate with Christian & Small LLP in Birmingham, Alabama, where her practice focuses on insurance regulatory, compliance, and coverage matters; ERISA and employee benefits law; and complex litigation. You can reach Kathryn at firstname.lastname@example.org.
[1] 45 C.F.R. § 164.530(i).
[2] 45 C.F.R. § 160.103.
[3] 45 C.F.R. § 164.306(a).
[4] 45 C.F.R. § 164.306(b)(2).
[5] 45 C.F.R. § 164.306(d)(ii)(8)(2).
[6] 45 C.F.R. § 164.308.
[7] 45 C.F.R. § 164.310.
[8] 45 C.F.R. § 164.312.
[9] 45 C.F.R. § 164.308.
[10] 45 C.F.R. § 164.308(a)(2).
[11] 45 C.F.R. § 164.308(a)(3).
[12] 45 C.F.R. § 164.308(a)(3)(ii)(A).
[13] 45 C.F.R. § 164.308(a)(3)(ii)(B).
[14] 45 C.F.R. § 164.308(a)(3)(ii)(C).
[15] 45 C.F.R. § 164.308(a)(4)(i).
[16] 45 C.F.R. § 164.308(a)(4)(ii)(B).
[17] 45 C.F.R. § 164.308(a)(4)(ii)(C).
[18] 45 C.F.R. § 164.308(a)(5)(i).
[19] 45 C.F.R. § 164.308(a)(6)(ii).
[20] 45 C.F.R. § 164.308(a)(7).
[21] 45 C.F.R. § 164.308(a)(8).
[22] 45 C.F.R. § 164.310(a).
[23] 45 C.F.R. §§ 164.310(b) & (c).
[24] 45 C.F.R. § 164.310(d).
[25] 45 C.F.R. §§ 164.310(d)(2)(i)-(iv).
[26] 45 C.F.R. § 164.312(a).
[27] 45 C.F.R. § 164.312(a)(2)(i)-(iv).
[28] 45 C.F.R. § 164.312(b).
[29] 45 C.F.R. § 164.312(c).
[30] 45 C.F.R. § 164.312(e).
[31] 45 C.F.R. § 164.312(e)(2)(i)-(ii).
[32] 45 C.F.R. § 164.316.
[33] 45 C.F.R. § 160.202.
[34] 45 C.F.R. § 164.306(b).
For more information on the Primerus Young Lawyers Section, please visit www.primerus.com/young-lawyers-section.htm.