HIPAA Final Security Regulations Released
May 28, 2003
Secretary Thompson of the U.S. Department of Health and Human Services recently released the final regulations for the security of electronic protected health information (EPHI) under the Health Insurance Portability and Accountability Act of 1993 (HIPAA). These security regulations are to be implemented by April 21, 2005.
The security regulations are technology neutral and provide for a certain degree of flexibility, permitting the covered entity to focus on what needs to be done rather than on how to do it. In short, the security regulations are not a checklist. Many of the security regulations represent good security practices already in place at most covered entities (health plans, health care clearinghouses and health care providers). However, the security regulations require that such security practices be supported by an "accurate and thorough" risk analysis and be documented in significant detail. A covered entity's entire workforce must now be trained in security awareness.
The security regulations consist of standards, all of which must be met and which apply whether the EPHI is at rest (in storage) or in transmission. The security regulations generally provide that covered entities that transmit individually identifiable health information electronically, or maintain such information in electronic media, must maintain reasonable and appropriate administrative, physical and technical safeguards. These safeguards must ensure the integrity and confidentiality of the EPHI and must protect against any reasonably anticipated threats or hazards to the security or integrity of the information and against unauthorized use or disclosure of the EPHI.
Final v. Proposed Rule
The final security regulations differ from the proposed rule in several significant respects. Most importantly, the final rule expressly excludes protected health information in purely paper records or oral statements, thus narrowing the scope of the security regulations considerably to encompass only "protected health information in electronic form," whether stored or in transmission. Electronic storage media include memory devices in computers (hard drives) and removable/transportable digital memory media (tape, disk or digital memory card). Transmission includes the internet, extranets, leased lines, dial-up lines, private networks and the physical movement of removable media. Paper faxes and voice transmissions via telephone are not "via electronic media" because the information did not previously exist in electronic form. Also, the security regulations do not include a standard for electronic signatures; such a standard is expected to be promulgated in the future.
In addition, although the cost of implementing any particular security regulation does not excuse a covered entity from implementing it, that cost may be considered by covered entities in determining how to comply with the particular security regulation (cost is also one of the four factors listed under the Policies and Procedures standard below). Also, the system configuration requirements and the requirement for a formal mechanism for processing records were deleted from the security regulations.
Lastly, the security regulations were restructured somewhat from the proposed rule to permit common definitions with the privacy regulations and the transaction and code set regulations. Other housekeeping changes include a change of nomenclature; for instance, what was a "requirement" is now a "standard."
Structure
The security regulations are organized into five broad categories: administrative safeguards, physical safeguards, technical safeguards, organizational requirements, and policies, procedures and documentation requirements. Each category is further broken down into standards; most standards also include associated implementation specifications that serve as instructions for implementing the corresponding standard. Some implementation specifications are required, while others are addressable. A standard that has no implementation specification associated with it serves as its own required implementation specification.
Implementation Specifications: Required and Addressable
Required implementation specifications are mandatory. Addressable implementation specifications permit organizations either to implement the addressable implementation specification as described or to comply with the associated standard through alternative compliance strategies. Regardless of which path is chosen, the associated standard must be met. In determining whether to implement an addressable implementation specification as it is described, the covered entity must assess whether the addressable implementation specification is "reasonable and appropriate" in the covered entity's environment. If it is, the implementation specification should be implemented. If not, the covered entity needs to document why not and then identify and implement an equivalent alternative measure. Whether something is "reasonable and appropriate" is to be analyzed with reference to its "likely contribution" to protecting EPHI. Whether the alternative measure is effective is likely to be determined after the fact.
Administrative Safeguards
There are nine administrative safeguard standards, described below.
Security Management Process
This standard requires the covered entity to implement policies and procedures to prevent, detect, contain and correct security violations. There are four required implementation specifications. Risk analysis requires the covered entity to conduct an accurate and thorough assessment of potential risks to EPHI, considering "all relevant losses" that unauthorized use or disclosure of EPHI would cause if the security measure were absent. Risk management requires the covered entity to detect and respond to security incidents (defined to include attempted access to EPHI and systems) and to implement sufficient security measures to reduce risks. A sanction policy must be implemented by the covered entity, which has the flexibility to determine the type and severity of sanctions based upon its security policy. Information system activity review requires the covered entity to keep an "internal audit" of logon access and similar items.
Assigned Security Responsibility
This standard requires covered entities to assign security responsibilities to one official (it can be the same individual who is handling privacy issues). These responsibilities include management and supervision of use of security measures and related personnel. There are no implementation specifications associated with this standard.
Workforce Security
All members of the workforce (including remote workers), not just those with access to EPHI, must be trained in security. There are three addressable implementation specifications associated with this standard: authorization and/or supervision, providing that workforce members are to be supervised or have clearance when working in locations where EPHI is located; workforce clearance procedures, including background checks, which are not required but may be determined by the covered entity to be appropriate; and termination procedures, including actions such as revoking passwords, that will protect the security of EPHI.
Information Access Management
The covered entity must establish and maintain documented policies and procedures defining access to health information. There is one required implementation specification and two addressable implementation specifications. The required one mandates that the covered entity isolate clearinghouse functions: policies must be put in place to protect the clearinghouse's EPHI from unauthorized access by other parts of the organization. The two addressable implementation specifications suggest that the covered entity adopt access authorization policies (for example, governing access to workstations) and access establishment and modification policies governing how access authorizations are granted and changed.
Security Awareness Training
The covered entity must provide reasonable and appropriate training to its workforce. The standard has four addressable implementation specifications: security reminders; protection from malicious software (viruses, etc.); log-in monitoring; and password management (procedures for creating, changing and safeguarding passwords). The amount and type of training provided by the covered entity, and whether to include consultants and independent contractors in such training efforts, depend on the covered entity's environment and security risks, as determined in the risk analysis and risk management stage described under the security management process standard. Business associates and other non-workforce members with potential access to EPHI must be advised of the covered entity's security policy but need not be trained (note, however, that a business associate agreement may be required).
Security Incident Procedure
The covered entity must handle any attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations. The one required implementation specification mandates that the covered entity identify, respond to and mitigate harmful effects of each such security incident and document each security incident and its outcome.
Contingency Plan
The covered entity must protect the availability, integrity and security of data during unexpected events or crises. There are three required implementation specifications, requiring that the covered entity have in place a data backup plan, a disaster recovery plan, and policies and procedures for emergency mode operation. Two addressable implementation specifications suggest that the covered entity have in place policies and procedures to test and revise contingency plans, and that it assess the relative criticality of specific applications and data in support of the other contingency plan components.
Evaluation
The covered entity must periodically evaluate technical and non-technical security measures in response to a changing environment, technology or operations. "Periodic" is not defined for the purposes of this standard, but external certification is not required. The National Institute of Standards and Technology is creating a list of certified security software and off-the-shelf products that may be helpful in meeting this standard. There are no implementation specifications associated with this standard.
Business Associate Contracts and Other Arrangements
A business associate may create, receive, maintain or transmit EPHI for the covered entity if the covered entity obtains, in a written agreement, "satisfactory assurances" from the business associate that it will safeguard the EPHI in an appropriate manner. There is one required implementation specification, mandating that the covered entity obtain a written contract or other arrangement, as described in the organizational requirements, documenting the satisfactory assurances. This standard does not apply to transmissions to a provider for treatment, to transmissions to a plan sponsor by a group health plan, HMO or insurer, or to certain government plans.
Physical Safeguards
There are four physical safeguard standards, described below:
Facility Access Controls
The covered entity must have policies in place that limit physical access to systems and to the facilities where such systems are located. There are four addressable implementation specifications associated with this standard, suggesting that the covered entity implement policies and procedures for contingency operations (facility access during an emergency for the purpose of restoring lost data); implement a facility security plan to safeguard the facility and equipment from unauthorized physical access, tampering and theft; implement policies and procedures to control and validate an individual's access to facilities; and document repairs and modifications to the physical security components of the facilities.
Workstation Use
The covered entity must implement policies and procedures regarding proper functions to be performed using the workstation, the manner of such performance and the physical surroundings. Workstations include laptops, wireless devices and other portable devices that can access EPHI. There are no implementation specifications associated with this standard.
Workstation Security
The covered entity must implement physical safeguards that prevent unauthorized access to workstations. There are no implementation specifications associated with this standard.
Device and Media Controls
The covered entity must implement policies and procedures that govern the receipt and removal of hardware and media that contain EPHI. There are two required and two addressable implementation specifications for this standard. The required ones mandate that the covered entity dispose of hardware and electronic media in a way that ensures EPHI is removed or destroyed, and that it remove EPHI from electronic media before making the media available for reuse. The addressable implementation specifications suggest that the covered entity maintain a record of the location of hardware and electronic media and create backups of EPHI before moving hardware to another location.
Technical Safeguards
There are five technical safeguard standards, as described below:
Access Control
The covered entity must implement policies and procedures to prevent unauthorized access to EPHI. This standard has two required and two addressable implementation specifications. The required ones mandate that the covered entity provide unique user identification and emergency access procedures. The addressable implementation specifications suggest that the covered entity provide automatic logoff and encryption and decryption.
Audit Controls
The covered entity must implement mechanisms that record and examine activity in information systems containing EPHI. There are no implementation specifications associated with this standard.
Integrity
The covered entity must implement policies and procedures that ensure the integrity of the EPHI. There is one addressable implementation specification, suggesting that the covered entity should implement electronic systems to corroborate that the EPHI has not been improperly altered or destroyed.
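The Integrity standard asks for an electronic mechanism that can corroborate that EPHI has not been improperly altered, and the Audit Controls standard above asks that activity on systems holding EPHI be recorded. The following is an added illustration of one way to meet both with standard-library tools; it is not code from the regulations or from this article. It assumes a hypothetical keyed integrity tag (HMAC-SHA256) stored alongside each record, a constructed sample record, and a placeholder key; in practice the key would come from a key-management system rather than the source file.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Placeholder key for this example only. A real deployment obtains the key
# from a key-management system and rotates it under policy; it is never
# hard-coded in source.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

# Constructed stand-in for the append-only activity log that an Audit
# Controls mechanism would write to.
AUDIT_LOG = []

# Constructed sample record; the values are invented for this example.
SAMPLE_RECORD = {
    "record_id": "R-0001",
    "patient_id": "P-000123",
    "test": "HbA1c",
    "result": "6.1%",
    "observed": "2003-05-01",
}


def canonical_bytes(record):
    # Deterministic serialization so the tag does not change merely because
    # a database driver reordered the fields or altered whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record, key=INTEGRITY_KEY):
    # HMAC-SHA256 over the canonical bytes. Unlike a bare SHA-256 stored next
    # to the record, the tag cannot be recomputed by someone who can edit the
    # record but does not hold the key, so an edit is detectable.
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def seal(record, key=INTEGRITY_KEY):
    # Persist the record together with its tag.
    return {"record": record, "tag": tag_record(record, key)}


def verify(entry, key=INTEGRITY_KEY, actor="system"):
    # Recompute the tag and compare in constant time. Every failed check is
    # written to the activity log so it surfaces in information system
    # activity review rather than being silently discarded.
    ok = hmac.compare_digest(tag_record(entry["record"], key), entry["tag"])
    if not ok:
        AUDIT_LOG.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": "integrity_check_failed",
            "actor": actor,
            "record_id": entry["record"].get("record_id"),
        })
    return ok


def demo():
    # Seal a record, confirm it verifies, then alter one field without
    # updating the tag and confirm the alteration is detected and logged.
    sealed = seal(SAMPLE_RECORD)
    intact = verify(sealed, actor="demo")
    tampered = {"record": dict(sealed["record"], result="5.4%"), "tag": sealed["tag"]}
    detected = not verify(tampered, actor="demo")
    return intact, detected, AUDIT_LOG[-1]["event"] if AUDIT_LOG else None


if __name__ == "__main__":
    print(demo())
```

The tag covers the whole record, so any field change (or a tag copied from a different record) fails verification; a deletion is detected by the absence of an expected sealed entry, which a periodic inventory check against the record index would catch. Because the audit entry names the actor and record identifier, the log entry is directly usable in the security incident procedure described above.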
Person or Entity Authentication
The covered entity must implement policies and procedures to verify the identity of the person or entity seeking access to the EPHI. There are no implementation specifications associated with this standard.
Transmission Security
The covered entity must implement technical security measures to guard against unauthorized access to EPHI while it is being transmitted over an electronic communications network. There are two addressable implementation specifications, suggesting that security measures be implemented to ensure that EPHI is not improperly modified in transit and that encryption be used (note, however, that encryption is not required).
Organizational Requirements
There are two organizational requirement standards, discussed below:
Business Associate Contracts or Other Arrangements
There are two required implementation specifications relating to this standard. The first requires that business associate contracts provide that the business associate will: implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the EPHI it creates or handles for the covered entity; ensure that any agents and subcontractors to whom it provides EPHI also agree to implement these safeguards; report to the covered entity any security incident of which it becomes aware; and authorize termination of the agreement if the covered entity determines that the business associate has materially breached it. The second required implementation specification governs other arrangements, particularly where the covered entity and the business associate are both governmental entities, and provides that the parties may enter into a memorandum of understanding to address these requirements.
Requirements for Group Health Plans
Except in cases where EPHI is disclosed to a plan sponsor pursuant to Sec. 164.504(f)(1)(ii) or (iii), or as authorized under Sec. 164.508, the covered entity must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard the EPHI. There is one required implementation specification that mandates that the plan documents be amended to require the plan sponsor to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the EPHI it creates or handles for the plan; ensure that the adequate separation required by the privacy rule is supported by appropriate security measures; ensure that any agents and subcontractors to whom it provides EPHI agree to implement reasonable and appropriate security measures to protect the EPHI; and report to the group health plan any security incident of which it becomes aware.
Policies, Procedures and Documentation
There are three policies, procedures and documentation standards, discussed below:
Policies and Procedures
The covered entity must implement reasonable and appropriate policies and procedures to comply with the security regulations, taking into account four factors: size, complexity and capabilities of the covered entity; technical infrastructure, hardware and software security capabilities; cost of security measures; and probability and criticality of potential risks to the EPHI. Complying with this standard does not permit or excuse a covered entity from any violation of any other standard or implementation specification. A covered entity may change its policies and procedures at any time, provided that such changes are documented and implemented pursuant to the security regulation. There are no implementation specifications associated with this standard.
Documentation
The covered entity must maintain a written record of the policies and procedures implemented to comply with the security regulations, and of any action, activity or assessment required by the security regulations. There are three required implementation specifications: a time limit, requiring the covered entity to retain records for six years from the date of creation or the date they were last in effect, whichever is later; an availability requirement, mandating that the covered entity make such documentation available to those individuals responsible for implementing the corresponding procedures; and an updates requirement, mandating that the covered entity document its periodic reviews and updates.