“What is the purpose of the HIPAA Security Rule?”
Answer: Paper files are no longer the sole system for managing patient information. Our health and personal information today is primarily held and transmitted electronically. The convenience and ease of sharing benefits are contradicted by new privacy risks. The Security Rule provides clear standards to address these risks and ensure that every covered entity has safeguards in place to protect the confidentiality, integrity, and availability of ePHI. The standards mandated in the Security Rule protect an individual’s health information while permitting the appropriate and necessary access and use of that information. State laws which may provide more stringent standards will continue to apply over and above the Federal security standards.
“Are we required to “certify” our organization’s compliance?”
Answer: No. HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule. It is important to understand that such certifications do not absolve covered entities of their legal obligations under the Security Rule.
The evaluation standard § 164.308(a)(8) requires a periodic technical and non-technical assessment is conducted to establish the extent to which an entity’s policies and procedures meet the security requirements. This assessment can be performed internally by the covered entity or by an external organization.
“How can we know if our organization meets the HIPAA Security Rule requirements?”
Answer: Compliance is different for each organization and no single strategy will serve all covered entities. Understanding your organization’s state of compliance generally requires:
- a thorough, up to date risk analysis;
- a review of current policies and security measures in place;
- up to date documentation and training to support policies and procedures;
- and other appropriate documentation as needed.
Compliance is not a one-time goal but, rather, an ongoing process. Meeting the requirements set out in the evaluation standard at § 164.308(a)(8), performing periodic technical and non-technical assessments, is the first step to maintaining substantial compliance and ensuring the security of ePHI.
“Who should perform the required Risk Assessment?”
Answer: As part of the Security Management Process within the Administrative Safeguards of the Security Rule, organizations should conduct periodic risk assessments. The assessment can be conducted internally or by engaging a third party.
This assessment process may include interviews, vulnerability testing, process walkthroughs, and/or a review of documented processes. Larger organizations should consider a more formalized review while smaller organizations may consider less formal means of evaluation. If this process is to be conducted internally, the individuals who conduct these evaluations should not be the same as those responsible for carrying out the process and they should be reasonably qualified to make the necessary evaluations.
“Does the Security Rule apply to written and oral communications?”
Answer: No. The standards of the Security Rule are specific to electronic protected health information (ePHI) including telephone voice response and fax back systems (because they can be used as input and output devices for electronic information systems.) ePHI does not include paper-to-paper faxes, video teleconferencing or messages left on voice mail (because the information being exchanged did not exist in electronic form before the transmission). However, the requirements of the HIPAA Privacy Rule apply to all forms of PHI, including written and oral.
“Does the Security Rule require the use of specific technologies, software, or tools?”
Answer: No. The Security standards are “technology neutral.” Any mandate regarding technology to be used would only bind organizations to specific systems and/or software that may be superseded by rapidly developing technologies and improvements. Allowing healthcare organizations to determine the best tools to suit their needs encourages them to use the latest and most innovative technologies to best meet their individual needs along with those of their business associates and subcontractors.
“What is the difference between addressable and required implementation specifications in the Security Rule?”
Answer: As you would expect, “required” implementation specifications must be implemented. The additional category of “addressable” implementation specifications was developed to provide organizations a degree of flexibility in compliance with the security standards.
In meeting standards that contain addressable implementation specifications, the organization may implement the addressable implementation specifications or alternative security measures to accomplish the same purpose – but no action is necessarily required.
The organization’s decision must be appropriately documented. The organization must determine whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, an entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate and if a reasonable and appropriate alternative exists.
This decision will depend on a variety of factors unique to the organization. Considerations may include the entity’s risk analysis, risk mitigation strategy, what security measures are already in place and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.
“Is the Security Rule suspended during a national or public health emergency?”
Answer: No, the Security Rule is not suspended during a national or public health emergency.
If the President declares an emergency or disaster and the Secretary of HHS declares a public health emergency, the Secretary may waive sanctions and penalties arising from certain provisions of the Privacy Rule under the Project BioShield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.
These provisions, however, have no application to the Security Rule. The Security Rule includes requirements for business entities to ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain or transmit. The rule further requires that entities protect against any reasonably anticipated threats or hazards to the security or integrity of such information. Other provisions of the Security Rule require organizations to implement security measures that specifically contemplate emergency conditions.
“Who enforces the HIPAA privacy and security standards?”
Answer: The HIPAA Privacy and Security Rules are enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services. OCR may conduct complaint investigations and compliance reviews. The Office of E-Health Standards and Services within the Centers for Medicare & Medicaid Services (CMS) enforces the Transactions and Code Sets and National Identifiers (Employer and Provider identifiers) regulations of HIPAA. CMS also enforces the insurance portability requirements under Title I of HIPAA.
“Is the use of encryption mandatory in the Security Rule?”
Answer: No. The final Security Rule made the use of encryption an addressable implementation specification. This means that it must be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity, and availability of ePHI. If the entity decides that this addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, an organization may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.
Encryption is explained further in our IT Security Questions and Answers under “What is encryption.” Many security incidents and breaches that have resulted in heavy HIPAA penalites could have been avoided using simple encryption.
“What does the Security Rule mean by physical safeguards?”
Answer: Physical safeguards are physical measures, policies, and procedures instituted to protect an entity’s electronic information systems and related buildings and equipment from unauthorized intrusion as well as natural or environmental hazards. The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls. The Security Rule requires entities to implement physical safeguard standards for their electronic information systems whether such systems are housed on the organization’s premises or at another location.
“What is the difference between Risk Analysis and Risk Management in the Security Rule?”
Answer: Risk analysis is the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of the ePHI held by a covered entity or its business associates and the likelihood of occurrence.
The risk analysis may include taking inventory of all systems and applications that are used to access and house data and classifying them by level of risk. A thorough and accurate risk analysis would consider all relevant losses that would be expected if the security measures were not in place, including loss or damage of data, corrupted data systems, and anticipated ramifications of such losses or damage.
Risk management is the actual implementation of security measures to sufficiently reduce an organization’s risk of losing or compromising its ePHI and to meet the general security standards.
“What threats should covered entities address when conducting their risk analysis in order to comply with the Security Rule?”
Answer: The risk analysis process will identify potential threats and vulnerabilities that may affect systems containing ePHI. The risks an entity decides to address, and how the entity decides to address the risks, will depend on the probability and likely impact of threats affecting the confidentiality, integrity, and/or availability of ePHI. Threats may affect information (data) and systems. The National Institute of Standards and Technology (NIST) provides information security guidance materials. NIST Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems categorizes threats into three common categories: Human, Natural, and Environmental. The list below is adapted from this NIST SP and is just a sampling of possible risk categories and associated threats.
1. Natural: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
2. Human: Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).
3. Environmental: Long-term power failure, pollution, chemicals, and liquid leakage.
An example of a natural threat is the occurrence of a hurricane. Depending on the geographic location of the entity, the likelihood of that occurrence could be low, medium, or high. One of the risks associated with the occurrence may be a power failure rendering the information systems unavailable. Based on the assessment conducted, the organization can prioritize threats to develop a strategy to manage the risks associated with the potential of such a threat.
“What must an organization do to comply with the Security Incidents Procedures standard?”
Answer: 45 CFR § 164.304 defines security incident as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
The Security Incident Procedures standard at § 164.308(a)(6)(i) requires an entity to implement policies and procedures to address security incidents. The associated implementation specification for response and reporting at § 164.308(a)(6)(ii) requires organizations to identify and respond to suspected or known security incidents, mitigate (to the extent practicable) harmful effects of security incidents that are known to the covered entity, and document security incidents and their outcomes.
In order to maintain a flexible, scalable and technology neutral approach to the Security Rule, no single method is identified for addressing security incidents that will apply to all entities. As stated in the preamble to the Security Rule, 68 Fed. Reg. 8350, an entity should be able to rely upon the information gathered in complying with the other security standards (for example, its risk assessment and risk management procedures and the Privacy Rule standards) to determine what constitutes a security incident in the context of its business operations. In addressing the Security Incident Procedures standard, organizations may consider some of the following questions:
- What specific actions would be considered security incidents?
- How will incidents be documented and reported?
- What information should be contained in the documentation?
- How often and to whom should incidents be reported?
- What are the appropriate responses to certain incidents?
When considering the requirements of § 164.306(a) and (b) and its risk analysis, the entity may decide that certain types of attempted or successful security incidents or patterns of attempted or successful incidents warrant different actions.
“How can a small healthcare provider implement the standards in the Security Rule?”
Answer: The Security Rule standards allow any covered entity (including small providers) to use any security measures that help the covered entity to reasonably and appropriately implement the standards to protect electronic health information. In deciding what security measures to use, a covered entity can take into account its size, capabilities, and costs of security measures. A small provider who is a covered entity would first assess their security risks and vulnerabilities and the mechanisms currently in place to mitigate those risks and vulnerabilities. Following this assessment, they should determine what additional measures, if any, need to be taken to meet the standards; taking into account their capabilities and the cost of those measures.
“Do the Security Rule requirements for access control apply to employees who telecommute or have home-based offices?”
Answer: Yes. Entities that allow employees to telecommute or work out of home-based offices with access to ePHI must implement appropriate safeguards to protect the organization’s data.
The automatic logoff implementation specification in the Security Rule is addressable, and must, therefore, be implemented if, after an assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its environment. If the entity decides that the logoff implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.
The information access management and access control standards, however, require organizations to implement policies and procedures for authorizing access to ePHI and technical policies and procedures to allow access only to those persons or software programs that have been appropriately granted access rights.
“Can ePHI be sent in an email or over the Internet?”
Answer: The Security Rule does not expressly prohibit the use of email for sending ePHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI.
The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the entity must assess its use of open networks, identify the available and appropriate means to protect ePHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for ePHI to be sent over an electronic open network as long as it is adequately protected.
“Does the Security Rule require the use of an electronic or digital signature?”
Answer: No, the Security Rule does not require the use of electronic or digital signatures. However, electronic or digital signatures could be used as a security measure if the entity determines their use is reasonable and appropriate.[/spoiler]
“Does the Security Rule mandate minimum operating system requirements for personal computer systems?”
Answer: No. The Security Rule was written to allow flexibility for entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems but it does mandate requirements for information systems that contain ePHI.
Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the organization’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
“Are covered entities required to use the National Institute of Standards and Technology (NIST) guidance documents?”
Answer: No. Covered entities may use any of the NIST documents to the extent that they provide relevant guidance to that organization’s implementation activities. While NIST documents were referenced in the preamble to the Security Rule, their use is not required by the Security Rule.
“Does the Security Rule permit a covered entity to assign the same log-on ID or user ID to multiple employees?”
Answer: No. Under the Security Rule, entities, regardless of their size, are required under § 164.312(a)(2)(i) to “assign a unique name and/or number for identifying and tracking user identity.”
A “user” is defined in § 164.304 as a “person or entity with authorized access.” Accordingly, the Security Rule requires entities to assign a unique name and/or number to each employee or workforce member who uses a system that maintains ePHI, so that system access and activity can be identified and tracked by each individual user.[/spoiler]
“Does the Security Rule allow us to network (connect) computers within the covered entity, between two covered entities, or between a covered entity and its business associate(s) so that they can exchange information directly?”
Answer: There is nothing in the Security Rule that prohibits the networking of computers whether inside the same company or between two unrelated companies who conduct business together. However, the entity must demonstrate that it has evaluated the risks associated with a network connection and document that it has established all of the safeguards (technical, physical and administrative) that would serve to reasonably protect the information that is exchanged over the network. The necessary documentation will include an assessment of everything from the firewall to the designation and training of the individuals who have access to the data.
“What are Administrative Safeguards within the Security Rule?”
Answer: Administrative Safeguards include incorporating the following into your compliance initiatives:
- Security Management Process. As explained previously, organizations must identify and analyze potential risks to ePHI and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel. An entity must designate a security official who is responsible for developing and implementing security policies and procedures.
- Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires organizations to implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user or recipient’s role (role-based access).
- Workforce Training and Management. An entity must provide for appropriate authorization and supervision of workforce members who work with ePHI. Organizations must train all workforce members regarding their security policies and procedures and must have and apply appropriate sanctions against workforce members who violate those policies and procedures.
- Evaluation. An entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.[/spoiler]
“What are Physical Safeguards within the Security Rule?”
Answer: Physical Safeguards include incorporating the following into your compliance initiatives:
- Facility Access and Control. An entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security. Organizations must implement policies and procedures to specify proper use of and access to workstations and electronic media. An entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of ePHI.[/spoiler]
“What are Technical Safeguards within the Security Rule?”
Answer: Technical Safeguards include incorporating the following into your compliance initiatives:
- Access Control. An entity must implement technical policies and procedures that allow only authorized persons to access ePHI.
- Audit Controls. An entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
- Integrity Controls. An entity must implement policies and procedures to ensure that ePHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that ePHI has not been improperly altered or destroyed.
- Transmission Security. An entity must implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.[/spoiler]
“What are the key requirements for Policies & Procedures and Documentation?”
Answer: Organizations must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. An entity must maintain (for six years after the date of their creation or last effective date – the later of the two) written security policies and procedures and written records of required actions, activities or assessments. An entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI.
“What about State laws and preemption?”
Answer: In general, State laws that are contrary to the HIPAA regulations are preempted by the federal requirements, which means that the federal requirements will apply. “Contrary” means that it would be impossible for a covered entity to comply with both the State and federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.
However, where State laws are not contrary but actually provide more stringent standards, the State laws will apply over (in addition to) the Federal security standards.
phone (813) 600-3005
Share your question below and Loricca’s IT Security and Compliance experts will be happy to answer it. You can also email firstname.lastname@example.org your question. We will do our best to have the answer for you within one business day.