HIPAA Security Rule: Regulation Requirements and Guidelines

The HIPAA Security Rule specifically focuses on the safeguarding of EPHI (Electronic Protected Health Information). All HIPAA-covered entities, which include some federal agencies, must comply with the Security Rule. The Security Rule protects the confidentiality, integrity, and availability of EPHI, as those terms are defined in the Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to the following covered entities:

  • Covered Health Care Providers – Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
  • Health Plans – Any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
  • Health Care Clearinghouses – A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice versa.
  • Medicare Prescription Drug Card Sponsors – A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act. This fourth category of “covered entity” will remain in effect until the drug card program ends in 2006.

This section identifies the main goals, explains some of the structure and organization, and identifies the purpose of the sections of the Security Rule.

HIPAA Security Laws: Goals and Objectives

As required by the “Security standards: General rules” section of the HIPAA Security Rule, each covered entity must:

  • Ensure the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits,
  • Protect against any reasonably anticipated threats and hazards to the security or integrity of EPHI, and
  • Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule.

In complying with this section of the Security Rule, covered entities must be aware of the definitions provided for confidentiality, integrity, and availability as given by § 164.304:

  • Confidentiality is “the property that data or information is not made available or disclosed to unauthorized persons or processes.”
  • Integrity is “the property that data or information have not been altered or destroyed in an unauthorized manner.”
  • Availability is “the property that data or information is accessible and useable upon demand by an authorized person.”

Security Rule Organization

To understand the requirements of the HIPAA Security Rule, it is helpful to be familiar with the basic security terminology it uses to describe the security standards. The Security Rule is separated into six main sections that each include several standards and implementation specifications a covered entity must address. Each of the six sections is listed below.

  • Security standards: General Rules – includes the general requirements all covered entities must meet; establishes flexibility of approach; identifies standards and implementation specifications (both required and addressable); outlines decisions a covered entity must make regarding addressable implementation specifications; and requires maintenance of security measures to continue reasonable and appropriate protection of electronically protected health information.
  • Administrative Safeguards – are defined in the Security Rule as the “administrative actions and policies, and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronically protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
  • Physical Safeguards – are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
  • Technical Safeguards – are defined as “the technology and the policy and procedures for its use that protect electronically protected health information and control access to it.”
  • Organizational Requirements – includes standards for business associate contracts and other arrangements, including memoranda of understanding between a covered entity and a business associate when both entities are government organizations; and requirements for group health plans.
  • Policies and Procedures and Documentation Requirements – requires the implementation of reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the Security Rule; maintenance of written (which may be electronic) documentation and/or records that includes policies, procedures, actions, activities, or assessments required by the Security Rule; and retention, availability and update requirements related to the documentation.

Within the Security Rule sections are standards and implementation specifications. Each HIPAA Security Rule standard is required: a covered entity must comply with all standards of the Security Rule with respect to all EPHI.

Many of the standards contain implementation specifications. An implementation specification is a more detailed description of the method or approach covered entities can use to meet a particular standard. Implementation specifications are either required or addressable. However, regardless of whether a standard includes implementation specifications, covered entities must comply with each standard.

  • A required implementation specification is similar to a standard, in that a covered entity must comply with it.
  • For addressable implementation specifications, covered entities must perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the covered entity’s environment. In general, after performing the assessment a covered entity decides if it will implement the addressable implementation specification; implement an equivalent alternative measure that allows the entity to comply with the standard; or not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment. Covered entities are required to document these assessments and all decisions. For federal agencies, however, all of the HIPAA Security Rule’s addressable implementation specifications will most likely be reasonable and appropriate safeguards for implementation, given their sizes, missions, and resources.

Where there are no implementation specifications identified in the Security Rule for a particular standard, such as for the “Assigned Security Responsibility” and “Evaluation” standards, compliance with the standard itself is required.

Anyone seeking clarification regarding the principles of the HIPAA Security Rule should send inquiries to the CMS e-mail address askhipaa@cms.hhs.gov, contact the CMS HIPAA Hotline at 1-866-282-0659, or visit www.cms.hhs.gov.

Safeguards Sections of the HIPAA Security Rule

Table 1 lists the standards and implementation specifications within the Administrative, Physical, and Technical Safeguards sections of the Security Rule. The table is grouped by safeguards section, following the order in which the standards appear in the Security Rule.

  • Column 1 of the table lists the Security Rule standards.
  • Column 2 indicates the regulatory citation to the appropriate section of the Security Rule where the standard can be found.
  • Column 3 lists the implementation specifications associated with the standard, if any exist, and designates the specification as required or addressable.

Table 1. HIPAA Security Rule Standards and Implementation Specifications
(R) = Required, (A) = Addressable

| Standards                                            | Sections       | Implementation Specifications                                        |
|------------------------------------------------------|----------------|----------------------------------------------------------------------|
| Administrative Safeguards                            |                |                                                                      |
| Security Management Process                          | 164.308(a)(1)  | Risk Analysis (R)                                                    |
|                                                      |                | Risk Management (R)                                                  |
|                                                      |                | Sanction Policy (R)                                                  |
|                                                      |                | Information System Activity Review (R)                               |
| Assigned Security Responsibility                     | 164.308(a)(2)  | [None]                                                               |
| Workforce Security                                   | 164.308(a)(3)  | Authorization and/or Supervision (A)                                 |
|                                                      |                | Workforce Clearance Procedure (A)                                    |
|                                                      |                | Termination Procedures (A)                                           |
| Information Access Management                        | 164.308(a)(4)  | Isolating Health Care Clearinghouse Functions (R)                    |
|                                                      |                | Access Authorization (A)                                             |
|                                                      |                | Access Establishment and Modification (A)                            |
| Security Awareness and Training                      | 164.308(a)(5)  | Security Reminders (A)                                               |
|                                                      |                | Protection from Malicious Software (A)                               |
|                                                      |                | Log-in Monitoring (A)                                                |
|                                                      |                | Password Management (A)                                              |
| Security Incident Procedures                         | 164.308(a)(6)  | Response and Reporting (R)                                           |
| Contingency Plan                                     | 164.308(a)(7)  | Data Backup Plan (R)                                                 |
|                                                      |                | Disaster Recovery Plan (R)                                           |
|                                                      |                | Emergency Mode Operation Plan (R)                                    |
|                                                      |                | Testing and Revision Procedures (A)                                  |
|                                                      |                | Applications and Data Criticality Analysis (A)                       |
| Evaluation                                           | 164.308(a)(8)  | [None]                                                               |
| Business Associate Contracts and Other Arrangements  | 164.308(b)(1)  | Written Contract or Other Arrangement (R)                            |
| Physical Safeguards                                  |                |                                                                      |
| Facility Access Controls                             | 164.310(a)(1)  | Contingency Operations (A)                                           |
|                                                      |                | Facility Security Plan (A)                                           |
|                                                      |                | Access Control and Validation Procedures (A)                         |
|                                                      |                | Maintenance Records (A)                                              |
| Workstation Use                                      | 164.310(b)     | [None]                                                               |
| Workstation Security                                 | 164.310(c)     | [None]                                                               |
| Device and Media Controls                            | 164.310(d)(1)  | Disposal (R)                                                         |
|                                                      |                | Media Re-use (R)                                                     |
|                                                      |                | Accountability (A)                                                   |
|                                                      |                | Data Backup and Storage (A)                                          |
| Technical Safeguards                                 |                |                                                                      |
| Access Control                                       | 164.312(a)(1)  | Unique User Identification (R)                                       |
|                                                      |                | Emergency Access Procedure (R)                                       |
|                                                      |                | Automatic Logoff (A)                                                 |
|                                                      |                | Encryption and Decryption (A)                                        |
| Audit Controls                                       | 164.312(b)     | [None]                                                               |
| Integrity                                            | 164.312(c)(1)  | Mechanism to Authenticate Electronic Protected Health Information (A) |
| Person or Entity Authentication                      | 164.312(d)     | [None]                                                               |
| Transmission Security                                | 164.312(e)(1)  | Integrity Controls (A)                                               |
|                                                      |                | Encryption (A)                                                       |

Business Associates

  • Similar to the Privacy Rule requirement, covered entities must enter into a contract or other arrangement with business associates.
  • The contract must require the business associate to:

    1. Implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronically protected health information that it creates, receives, maintains, or transmits;
    2. Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate safeguards;
    3. Report to the covered entity any security incident of which it becomes aware;
    4. Make its policies and procedures, and documentation required by the Security Rule relating to such safeguards, available to the Secretary for purposes of determining the covered entity’s compliance with the regulations; and,
    5. Authorize termination of the contract by the covered entity if the covered entity determines that the business associate has violated a material term of the contract.
  • The regulations contain certain exemptions to the above rules when both the covered entity and the business associate are governmental entities. This includes deferring to existing law and regulations and allowing the two organizations to enter into a memorandum of understanding, rather than a contract, that contains terms that accomplish the objectives of the business associate contract.

Adapted from NIST Special Publication 800-26.