Security
Identity theft, stolen computer disks, malfunctioning computers, hackers, and other preventable losses of information are just a few of the hazards facing every business that receives, stores, and transmits data in electronic form. Health care providers face these same hazards. Much of the electronic protected health information (EPHI) they hold is critical to their business and vital to the care of their patients. Providers face major problems if their patients' sensitive information is stolen, misused, or unavailable.
The HIPAA Security Standards provide a structure for covered entities (health plans, clearinghouses, or covered health care providers) to develop and implement policies and procedures to guard against and react to security incidents. The Security Rule provides a flexible, scalable, and technology-neutral framework that allows all covered entities to comply in a manner consistent with the unique circumstances of their size and environment.
To understand the requirements of the Security Rule, it is helpful to be familiar with the basic concepts that comprise the security standards and implementation specifications. The Security Rule is divided into six main sections – each representing a set of standards and implementation specifications that must be addressed by all covered entities. Each Security Rule standard is a requirement: a covered entity must comply with all of the standards of the Security Rule with respect to the EPHI it creates, transmits or maintains.
Many of the standards contain implementation specifications. An implementation specification is a more detailed description of the method or approach covered entities can use to meet a particular standard. Implementation specifications are either required or addressable. Regardless of whether a standard includes one or more implementation specifications, covered entities must comply with each standard. Where there is no implementation specification for a particular standard, such as the “Workstation Use” and “Person or Entity Authentication” standards, compliance with the standard itself is required.
• A required implementation specification is similar to a standard, in that a covered entity must comply with it. For example, all covered entities including small providers must conduct a “Risk Analysis” in accordance with Section 164.308(a)(1) of the Security Rule.
• For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, a covered entity decides whether it will implement the addressable implementation specification; implement an equivalent alternative measure that allows the entity to comply with the standard; or not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment. Covered entities are required to document these assessments and all decisions. For example, all covered entities, including small providers, must determine whether “Encryption and Decryption” is reasonable and appropriate for their environment in accordance with Section 164.312(a)(1) of the Security Rule.
• Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be implemented. An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.
Administrative Safeguards
These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.”
| Title | Standard |
|---|---|
| SECURITY MANAGEMENT PROCESS | Implement policies and procedures to prevent, detect, contain and correct security violations. |
| WORKFORCE SECURITY | Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information. |
| SECURITY AWARENESS AND TRAINING | Implement a security awareness and training program for all members of its workforce (including management). |
| CONTINGENCY PLAN | Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. |
| BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS | A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. |
Physical Safeguards
These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
| Title | Standard |
|---|---|
| FACILITY ACCESS CONTROLS | Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. |
| WORKSTATION USE | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. |
| DEVICE AND MEDIA CONTROLS | Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. |
Technical Safeguards
These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”
| Title | Standard |
|---|---|
| ACCESS CONTROL | Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4) (Information Access Management). |
| PERSON OR ENTITY AUTHENTICATION | Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. |
| TRANSMISSION SECURITY | Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. |