Download a PDF of the Current Issue 2015 Volume 12 Number 3 July- September

HIPAA Final Security Regulations

Gregory A. Chaires, Esq.
2-2-1 The final Security Standards under the Health Insurance Portability and Accountability Act (HIPAA), published in February 2003, become effective on April 20, 2005. All covered entities are required to develop security policies and procedures in order to guarantee compliance with the HIPAA Security Rule. Covered entities include a health plan, a health care clearinghouse, and a health care provider who transmits any health information in electronic form.  The date of compliance is only two weeks away and all compliance measures are required to be in place and instituted by that time (except for small health plans, which have an additional year).  It is critical that all covered entities have policies and procedures in place to implement the required security measures.   HIPAA security covers a wide spectrum of physical, technical, and administrative safeguards that are put in place to protect electronic Protected Health Information (ePHI). Covered entities are required to ensure the confidentiality, integrity, and availability of all ePHI that they create, receive, maintain, or transmit.  A covered entity has an affirmative obligation to protect against any plausible threats or hazards to the security of the information. It must protect against any reasonable expected uses or disclosures of the information. The covered entity must also ensure that its workforce is in compliance. Although all covered entities are required to comply with the applicable standards, implementation specifications, and other requirements with respect to ePHI, each organization can decide for itself how to implement the standards. However, the covered entity must establish and follow security measures.   Covered entities may use any security measure that allows them to reasonably and appropriately employ the standards and implementation specifications required under the Security Rule.  When deciding which security measures to use, the following factors should be considered:  

1. Size,

2. Complexity,

3. Capabilities of the entity,

4. Technical infrastructure,

5. Hardware and software security capabilities,

6. Costs of security measures, and

7. Probability and criticality of potential risks to electronic protected health information.

  The Security Rule is broken down into physical, technical, and administrative safeguards. Within the safeguards there are 17 individual standards that discuss how the organization should address compliance. Within the 17 standards there are required and addressable implementation specifications. When a specified standard includes a required implementation specification, a covered entity must carry out the implementation specification.  When the standard includes addressable implementation specifications, a covered entity must assess whether each implementation specification is a reasonable and appropriate safeguard in its environment.  If it is deemed unreasonable, the covered entity must document why and, if possible, implement an equivalent alternative measure.   The Physical Safeguards protect ePHI from unauthorized disclosure, modification, or destruction. This includes standards for Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. The Facility Access Controls describe what the organization should do to appropriately limit physical access to the information systems contained within its facilities while ensuring that properly authorized employees can physically access such systems.  Workstation Use and Workstation Security apply to what the organization should do to appropriately protect the organization’s workstations through implementation of policies and procedures for workstation use, as well as the physical safeguards for those workstations. The Device and Media Controls discuss what the organization should do to appropriately protect information systems and electronic media containing ePHI that are moved to various organizational locations.  The required implementation specifications within this section include what each organization should do to appropriately dispose of information systems and electronic media containing ePHI when it is no longer needed. It also includes what the organization should do to erase ePHI from electronic media before reusing the media.   The Technical Safeguards are primarily the automated processes used to protect data and control access to data. These include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI or ensuring encryption and decryption of the data as it is being stored or transmitted.   The Administrative Safeguards are the administrative functions that should be implemented to meet the security standards.  These include assignment or delegation of security responsibility to an individual, as well as security training requirements.  Within the Administrative Safeguards there are nine standards, including Security Management Process, Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, and Business Associate Contracts and Other Arrangements.   The Security Standards are quite extensive. That is why every organization, if it has not begun to do so already, must immediately implement policies and procedures to comply with the standards and implementation specifications. To comply with the Security Rule, each covered entity should evaluate the security measures that are presently in place and perform a complete risk analysis to determine what additional measures must be taken to be compliant.  To do this, each office should have in place a designated person who is responsible for conducting HIPAA compliance activities. To assist in the compliance efforts, there is compliance program guidance for individual and small group physician practices that was created by the Department of Health and Human Services (HHS). Among the list of components suggested, HHS includes conducting internal monitoring and auditing, implementing compliance and practice standards, conducting appropriate training and education, responding appropriately to detected offenses, and developing corrective actions.   Examples of some specific activities to assist with getting started in your HIPAA compliance efforts include:

1. Starting with an initial review of the practice’s business operations and the HIPAA Electronic Transactions and Code Sets;

2. Communicating with your vendors, billing services, and clearinghouses;

3. Testing your office operations and insure that those who electronically process claims on your behalf have a testing plan in place; and

4. Investigating and understanding the Trading Partner Agreements with your health plans.

  Keep in mind the Security Rule sets a minimum standard of security for entities to comply with. It is always the entity’s choice to implement more stringent standards if it feels stronger protections are needed. It is a good idea to assess the potential risks and vulnerabilities of your organization to ensure that the rules you set in place are right for your office.   Failure to comply with the Security Rule can result in severe civil and criminal penalties. Civil penalties include $100.00 per violation with a cap of $25,000.00 per year. Criminal penalties include a $50,000.00 fine and one-year imprisonment for violations and a $250,000.00 fine and ten years imprisonment if the violations were committed for gain or malicious intent. It is important that every covered entity take seriously its requirements to comply with the Security Rule.   For a complete review of the HIPAA Security Standards, please visit- http://www.cms.hhs.gov/regulations/hipaa/c ms0003-5/0049f-econ-ofr-2-12-03.pdf, or contact your facility Privacy Officer.