The HIPAA Security Rule specifically focuses
on the safeguarding of EPHI (Electronic Protected Health Information).
All HIPAA covered entities, which includes some federal agencies,
must comply with the Security Rule. The Security Rule specifically
focuses on protecting the confidentiality, integrity, and
availability of EPHI, as defined in the Security Rule. The
EPHI that a covered entity creates, receives, maintains, or
transmits must be protected against reasonably anticipated
threats, hazards, and impermissible uses and/or disclosures.
In general, the requirements, standards, and implementation
specifications of the Security Rule apply to the following
covered entities:
- Covered Health Care Providers — Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
- Health Plans — Any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
- Health Care Clearinghouses — A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice-versa.
- Medicare Prescription Drug Card Sponsors — A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act. This fourth category of “covered entity” will remain in effect until the drug card program ends in 2006.
This section identifies the main goals, explains
some of the structure and organization, and identifies the
purpose of the sections of the Security Rule.
HIPAA Security Laws: Goals and Objectives
As required by the “Security standards: General rules”
section of the HIPAA Security Rule, each covered entity must:
- Ensure the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits,
- Protect against any reasonably anticipated threats and hazards to the security or integrity of EPHI, and
- Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule.
In complying with this section of the Security
Rule, covered entities must be aware of the definitions provided
for confidentiality, integrity, and availability as given
by § 164.304:
- Confidentiality is “the property that data or information is not made available or disclosed to unauthorized persons or processes.”
- Integrity is “the property that data or information have not been altered or destroyed in an unauthorized manner.”
- Availability is “the property that data or information is accessible and useable upon demand by an authorized person.”
Security Rule Organization
To understand the requirements of the HIPAA
Security Rule, it is helpful to be familiar with the basic
security terminology it uses to describe the security standards.
The Security Rule is separated into six main sections that
each include several standards and implementation specifications
a covered entity must address. Each of the six sections is
listed below.
- Security standards: General Rules - includes the general requirements all covered entities must meet; establishes flexibility of approach; identifies standards and implementation specifications (both required and addressable); outlines decisions a covered entity must make regarding addressable implementation specifications; and requires maintenance of security measures to continue reasonable and appropriate protection of electronic protected health information.
- Administrative Safeguards - are defined in the Security Rule as the “administrative actions and policies, and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.”
- Physical Safeguards - are defined as the “physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
- Technical Safeguards - are defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
- Organizational Requirements - includes standards for business associate contracts and other arrangements, including memoranda of understanding between a covered entity and a business associate when both entities are government organizations; and requirements for group health plans.
- Policies and Procedures and Documentation Requirements - requires implementation of reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the Security Rule; maintenance of written (which may be electronic) documentation and/or records that includes policies, procedures, actions, activities, or assessments required by the Security Rule; and retention, availability and update requirements related to the documentation.
Within the Security Rule sections are standards
and implementation specifications. Each HIPAA Security Rule
standard is required. A covered entity is required to comply
with all standards of the Security Rule with respect to all
EPHI.
Many of the standards contain implementation
specifications. An implementation specification is a more
detailed description of the method or approach covered entities
can use to meet a particular standard. Implementation specifications
are either required or addressable. However, regardless of
whether a standard includes implementation specifications,
covered entities must comply with each standard.
- A required implementation specification is similar to a standard, in that a covered entity must comply with it.
- For addressable implementation specifications, covered entities must perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the covered entity’s environment. In general, after performing the assessment a covered entity decides if it will implement the addressable implementation specification; implement an equivalent alternative measure that allows the entity to comply with the standard; or not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment. Covered entities are required to document these assessments and all decisions. For federal agencies, however, all of the HIPAA Security Rule’s addressable implementation specifications will most likely be reasonable and appropriate safeguards for implementation, given their sizes, missions, and resources.
Where there are no implementation specifications
identified in the Security Rule for a particular standard,
such as for the “Assigned Security Responsibility”
and “Evaluation” standards, compliance with the
standard itself is required.
Anyone seeking clarification regarding the principles of the
HIPAA Security Rule should send inquiries to the CMS e-mail
address askhipaa@cms.hhs.gov, contact the CMS HIPAA Hotline at
1-866-282-0659, or visit www.cms.hhs.gov.
Safeguards Sections of the HIPAA Security Rule
Table 1 lists the standards and implementation
specifications within the Administrative, Physical, and Technical
Safeguards sections of the Security Rule. The table is categorized
according to the categorization of standards within each of
the safeguards sections in the Security Rule.
- Column 1 of the table lists the Security Rule standards.
- Column 2 indicates the regulatory citation to the appropriate section of the Security Rule where the standard can be found.
- Column 3 lists the implementation specifications associated with the standard, if any exist, and designates the specification as required or addressable.
Table 1. HIPAA Security Rule Standards and Implementation Specifications

| Standards | Sections | Implementation Specifications ((R)=Required, (A)=Addressable) |
|---|---|---|
| Administrative Safeguards | | |
| Security Management Process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R) |
| Assigned Security Responsibility | 164.308(a)(2) | [None] |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Functions (R); Access Authorization (A); Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A); Applications and Data Criticality Analysis (A) |
| Evaluation | 164.308(a)(8) | [None] |
| Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement (R) |
| Physical Safeguards | | |
| Facility Access Controls | 164.310(a)(1) | Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A) |
| Workstation Use | 164.310(b) | [None] |
| Workstation Security | 164.310(c) | [None] |
| Device and Media Controls | 164.310(d)(1) | Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A) |
| Technical Safeguards | | |
| Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A) |
| Audit Controls | 164.312(b) | [None] |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) |
| Person or Entity Authentication | 164.312(d) | [None] |
| Transmission Security | 164.312(e)(1) | Integrity Controls (A); Encryption (A) |
Business Associates
- Similar to the Privacy Rule requirement, covered entities must enter into a contract or other arrangement with business associates.
- The contract must require the business associate to:
  - Implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits;
  - Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate safeguards;
  - Report to the covered entity any security incident of which it becomes aware;
  - Make its policies and procedures, and documentation required by the Security Rule relating to such safeguards, available to the Secretary for purposes of determining the covered entity’s compliance with the regulations; and,
  - Authorize termination of the contract by the covered entity if the covered entity determines that the business associate has violated a material term of the contract.
- The regulations contain certain exemptions to the above rules when both the covered entity and the business associate are governmental entities. This includes deferring to existing law and regulations, and allowing the two organizations to enter into a memorandum of understanding, rather than a contract, that contains terms that accomplish the objectives of the business associate contract.
Adapted from NIST Special Publication 800-26.