The Final HIPAA Security Rule
By Nicolas Richards
April 2003
The final HIPAA security rule, "Health Insurance Reform: Security Standards," was published by the Department of Health and Human Services on February 13, 2003. It adopts final standards for the security of electronic protected health information held by health plans, health care clearinghouses and certain health care providers. The good news is that HHS actually did listen to the 2,350 public comments it received on the proposed rule from professional associations, health care workers, law firms, health insurers, hospitals and private individuals. It adjusted some of the requirements to make the rule more flexible, particularly for small businesses.
Here's how the final rule itself describes the changes:
"...the security requirements are both scalable and technically flexible. We have made significant changes to this final rule, reducing the number of required implementation features and providing for greater flexibility in satisfaction of the requirements. In other words, we have focused more on what needs to be done and less on how it should be accomplished."
What covered entities must do
The fundamental requirement was not altered, namely that all covered entities—private and governmental health insurers/plans, health care clearinghouses and certain health care providers—engaged in the electronic maintenance or transmission of health information pertaining to individuals must "assess potential risks and vulnerabilities to such information in electronic form."
They also must develop, implement and maintain appropriate security measures to protect the health information that they "collect, maintain, use or transmit" from "unauthorized access, alteration, deletion, and transmission" so as to ensure its "integrity, confidentiality, and availability."
Covered entities are required to maintain "reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of the information and to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized use or disclosure of the information."
The measures adopted and implemented must be documented and kept current. The security standards apply to internal systems as well as to transactions between entities.
Business associates are affected by the final rule because it requires covered entities to enter into agreements under which those associates commit to abide by the rule's requirements. Medical transcribers are covered as business associates, even when they are individuals working from home as contractors.
The fundamental goal of the final rule is to cover all electronic protected health information, whether it is stored or in transit.
Electronic transmissions include transactions over all media, even when the information is physically carried from one location to another on magnetic tape, disk or other machine-readable media. Transmissions over the Internet, extranets, leased lines, dial-up lines and private networks are all included.
Portable devices are also included, as the definition of "workstation" has been clarified to include: "...an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment."
The final security rule requires covered entities to periodically evaluate their security safeguards and to document that evaluation, demonstrating compliance both with the entity's own security policy and with the requirements of HIPAA. The evaluation can be done in-house, if the necessary expertise is available, or by an external entity.
The evaluation must now cover both technical and non-technical components of security. Obviously, there is little use in a strong electronic security policy if the computer on which the data resides is not protected from physical theft or tampering.
Each covered entity, even one that uses an external contractor, must name a single individual inside the organization as the official accountable for security (the Privacy Rule separately calls for a designated privacy official). There are also new provisions on properly disposing of hardware and electronic media, such as hard drives, including a requirement to document the details of what was done and by whom.
The final rule calls for covered entities to consider how natural disasters could damage systems that contain protected health information, and to develop policies and procedures for responding to such situations, including backup protocols, so as to ensure the availability of the data. Among its technical safeguards, the rule also requires that each user be assigned a unique identifier, so that activity on a system can be traced to an individual, and that an emergency access procedure exist for obtaining necessary information during an emergency.
The final security rule does not endorse any specific security technology, leaving it to each covered entity to come up with a specific, tailored plan of compliance so as to meet the standards according to their size, resources, technological abilities and relative anticipated risk.
These are just a few highlights of the new rule. Most covered entities will have until April 21, 2005, to comply with the security standards; small health plans will have an additional year. The rule's own encouragement, however, is to get started now.
Copyright 2003