Francoise Gilbert

On February 20, 2003, the U.S. Department of Health and Human Services (HHS) published the final draft of the new National Standards for Safeguards to Protect Personal Health Information that is maintained or transmitted electronically (“Security Rule”). Required as part of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), these standards are separate from, and in addition to, those set in the HIPAA Privacy Rule.

Most covered entities have until April 21, 2005 to comply with the standards; small health plans have an additional year to comply.

The Security Rule lists measures that health plans, health care clearinghouses, and health care providers (“covered entities”) must take to protect the confidentiality, integrity, and availability of individually identifiable health information in electronic form that is in their custody or that they transmit to third parties. These measures comprise Administrative, Physical, and Technical Safeguards, Organizational Requirements, and Policies, Procedures and Documentation Requirements. The Security Rule labels these measures as “standards” and “implementation specifications.”

In all cases, each covered entity must meet the standards. Each standard is associated with Implementation Specifications, which are either “required” or “addressable.”

Required Implementation Specifications must be implemented by all covered entities.

Addressable Implementation Specifications allow some flexibility. Each organization must decide whether the security measure to apply fits within its particular security framework. Based on its evaluation of its specific circumstances, each covered entity can (1) implement the specification if reasonable and appropriate; (2) implement an alternative security measure to accomplish the purposes of the standard; or (3) not implement anything if the specification is not reasonable and appropriate and the standard can still be met.

The nine Administrative Safeguards include requirements for implementing a Security Management Process, assigning Security Management Responsibility, and establishing Workforce Security. A covered entity must implement Information Access Management, and Security Awareness and Training. Formal, documented Security Incident Procedures must be in place to ensure that security violations are reported and handled promptly. A Contingency Plan must be in effect for responding to system emergencies. As with the Privacy Rule, the covered entity must obtain Satisfactory Assurances from its Business Associates that each of them will appropriately safeguard the information in accordance with the Security Standards. Finally, to demonstrate and document its compliance with its own security policy and the other requirements of the Security Rule, the covered entity must periodically conduct an Evaluation of its security safeguards.

The four Physical Safeguards include Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. For example, a covered entity must implement policies and procedures to document modifications to the security-related physical components of a facility, such as hardware, walls, doors, and locks. In addition, each organization must put in place physical safeguards to secure workstations and to control the use of other devices and media. This involves policies and procedures that govern the receipt and removal of hardware and/or software (for example, on diskettes and tapes) into and out of a facility.

The five Technical Safeguards require policies and procedures for Access Control, Audit Control, ensuring the Integrity of protected health information, a mechanism to Authenticate the persons or entities sending the data, and Transmission Security.

The Security Rule also includes requirements for the implementation of the standards. Final responsibility for a covered entity’s security must be assigned to one Official, who will manage and supervise the use of security measures to protect data and the conduct of personnel in relation to the protection of data. The covered entity must implement written policies and procedures to comply with the standards and implementation specifications, review these policies and procedures periodically, and update them as needed. The covered entity must also document in writing the actions, activities, or assessments it takes or conducts. All documentation must be retained for 6 years from the date of creation or from the date when it was last in effect.

The Center for Medicaid and Medicare Services (CMS) is responsible for implementing and enforcing the Security Rule, whereas HHS’ Office for Civil Rights is responsible for implementing and enforcing the Privacy Rule.

The Security Rule works in concert with the final Privacy Rule, which was adopted by HHS in its final form in August 2002, and took effect for most covered entities on April 14, 2003. The HIPAA Privacy Rule defines the authorized or required uses of PII, and the patients’ rights with respect to their PII. The HIPAA Privacy Rule is available at: http://www.hhs.gov/ocr/hipaa/finalreg.html.

The HIPAA Security Rule resides in part 164 of subchapter C of title 45 of the Code of Federal Regulations. The complete text of the final Security Rule is available at http://www.cms.hhs.gov/SecurityStandard/02_Regulations.asp#TopOfPage.