By Nancy W. Miller, Esq.
The HIPAA Privacy Rule states that physician practices must have appropriate administrative, technical and physical safeguards to protect the privacy of confidential information. Such safeguards refer to the security measures used to ensure the privacy of the information. However, the Privacy Rule does not specify the security measures necessary to implement these safeguards. Rather, they are specified as explicit standards in a separate Security Rule that was finalized in February, 2003.
One of the goals of the Security Rule is to create greater coordination between the two rules – a clear acknowledgement that the concepts of security and privacy are inextricably linked. Therefore, it would be wise for physicians to integrate the security measures required under the Security Rule into their current Privacy Rule policies, because the Security Rule provides the most authoritative guidance on appropriate safeguards. The benefit of this approach is that, as physicians move forward in implementing the security measures required under the privacy safeguards, they will also be implementing the Security Rule’s security measures at the same time.
The Privacy Rule is broader in scope than the Security Rule because it covers “protected health information” in all forms – oral, paper and electronic – whereas the Security Rule is applicable only to protected health information that is stored or transmitted in electronic form (such as computer hard drives, magnetic disks, the Internet and dial-up lines), identified by the acronym EPHI. Since the Privacy Rule requires security safeguards for all forms of information, it follows that if you fulfill the Privacy Rule requirements, you will also be fulfilling certain requirements of the Security Rule.
The Security Rule requires that physicians keep electronic personal health information confidential and protect it against threats to security or integrity and from any unauthorized use. The Security Rule sets forth specific requirements called “standards,” which explain what a physician practice must do, and “implementation specifications,” which explain how to do it. The implementation specifications are divided into two categories: required and addressable. As you might expect, a “required” specification must be implemented, and an “addressable” specification can be implemented if the physician determines it to be reasonable and appropriate.
Both rules require physicians and other covered entities to implement three categories of safeguards: administrative, physical and technical. One approach to satisfying the Privacy Rule is to begin to implement those safeguards which overlap between the Privacy and Security Rules. Remember that the Privacy Rule requires physicians to make efforts to ensure that confidential information is protected from unintentional use or disclosure. These procedures should be documented in your practice’s policy manual. The following discussion will give you some idea of the types of policies which you should begin to implement now which will allow you to comply with both sets of rules, in effect killing two birds with one stone.
Keeping in mind that the Security Rule’s central focus is on security management, it is not surprising that the administrative safeguards make up half of the standards included in the Security Rule. These standards generally require formal policies and procedures for daily operations, managing the conduct of employees and developing security controls. The standards which comprise the administrative safeguards include the following.
Security management process. First, this standard requires that the practice conduct a risk analysis to determine information security risks to the confidentiality, integrity and availability of your EPHI. Then, the practice must implement security measures to prevent, detect, contain and correct security violations. This process is called risk management. Further, the practice should establish and enforce sanctions against all employees who fail to comply with your security policies. Finally, you must implement a procedure called an “information system activity review” to regularly review records of your system’s activity, including audit logs, access reports and incident tracking reports.
Security officer. You must designate an individual who will be responsible for the implementation of the practice’s security policies. The Security Rule notes that the security officer and the privacy officer can be the same person.
Workforce security. This standard requires that you establish procedures to ensure that only those personnel who are allowed access to EPHI are given appropriate clearances.
Information access management. Information access management refers to the development of policies and procedures for authorizing access to EPHI. This is equivalent to the Privacy Rule requirement for authorizing access to the minimum amount of protected health information necessary for personnel to perform their job functions.
Security awareness and training. Like the Privacy Rule, the Security Rule requires that all members of your workforce, including physicians, must be trained in security awareness. Such training could be conducted along with your privacy training and could include topics covering security updates, procedures for guarding against “malicious software,” unauthorized log-in attempts and procedures for creating and changing passwords.
Security incident procedures. This standard calls for you to implement a procedure to identify and respond to suspected or known “security incidents,” including unauthorized access, disclosure, modification or destruction of information. Each of these incidents should be documented in your files.
Contingency plan. You must establish a plan to ensure that confidential data are available following any kind of disaster, such as fire, vandalism, system failure or natural disaster. These policies would include a data backup plan (preferably with off-site storage) and a disaster recovery plan to restore any lost data. The practice must also develop an emergency operating plan. Some offices may simply close for a while, and others may find that a loss of computer or paper records can be recovered from by gathering additional background information at the beginning of each patient visit, or perhaps by ordering a few extra tests to ensure proper decisions are made.
Evaluation. Here, you are required to perform periodic technical and non-technical evaluations to document compliance with your security policies. It is also important to assess the need for a new evaluation based on changes to your security environment since the previous evaluation.
Business associate contracts. This standard is intended to allow you to combine the business associate requirements of both the Security and Privacy Rules in one contract. Compliance may require revising your current agreements with business associates.
The physical safeguards are security measures which focus on ensuring the protection of your computer systems and your office from intrusion, as well as natural and environmental hazards. Most of the implementation specifications are “addressable” which means that you can handle them in one of three ways: (1) implement the addressable specification found in the Security Rule if reasonable and appropriate; (2) implement an alternative security measure to accomplish the purposes of the specification; or (3) implement nothing if the specification is not appropriate and the standard can still be met. The standards for physical safeguards are as follows:
Facility access controls. This requires the implementation of policies that limit physical access to your information system and your office to those who are properly authorized, in order to prevent unauthorized access, tampering and theft.
Workstation use. This standard requires the establishment of policies that specify the proper functions to be performed, the manner in which they are performed and the physical surroundings of those workstations which access EPHI.
Workstation security. You must also implement physical safeguards for all workstations that access EPHI to restrict access to authorized users.
Device and media controls. These controls address the receipt and removal of hardware and electronic media that contain EPHI into and out of your office, as well as their movement within the office, including the disposal of hardware and the removal of EPHI from electronic media before the media are re-used.
The technical safeguards specify how to use technology to protect EPHI and control access to it. There are five standards involved:
Access control. These are technology-based procedures which include unique user identification to allow access only to those people who are authorized, as well as access procedures during an emergency.
Audit controls. The Security Rule requires practices to have an internal audit process which provides for the ongoing review of who is accessing what specific confidential information. The controls include hardware, software and/or procedural mechanisms designed to record and examine activity in information systems that contain EPHI. This requirement overlaps with the Privacy Rule requirement for accounting for disclosures which would likely utilize electronic systems to track and log the use and disclosure of PHI. However, they are used for different purposes. The Security Rule audit trails record use within an information system whereas the Privacy Rule accounting for disclosures applies to disclosures outside the practice. Thus, your system should be designed to track both the internal and external flow of information.
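The distinction above between a Security Rule audit trail (internal use) and a Privacy Rule accounting of disclosures (external flow), and the information system activity review described under the security management process, can be served by one audit log. The following is an added illustration written for this article, not code from the author or any product; the record fields, user names and patient identifiers are constructed, and which disclosure purposes must appear in an accounting is a Privacy Rule question the example does not decide (it lists every disclosure that left the practice).

```python
from dataclasses import dataclass
from collections import Counter
from typing import Optional

@dataclass(frozen=True)
class AccessEvent:
    """One audit-trail record. A non-empty recipient means the record also
    documents a disclosure outside the practice (Privacy Rule accounting)."""
    timestamp: str                    # ISO-8601, constructed for this example
    user: str                         # unique user ID required by access control
    patient_id: str                   # constructed placeholder, not a real identifier
    action: str                       # "view", "update" or "disclose"
    purpose: str                      # why the record was accessed or disclosed
    recipient: Optional[str] = None   # external party, only for disclosures

# Constructed sample audit trail (hypothetical users, patients and recipients).
SAMPLE_TRAIL = [
    AccessEvent("2003-04-14T09:02:00", "jsmith", "P-1001", "view", "treatment"),
    AccessEvent("2003-04-14T09:05:00", "jsmith", "P-1001", "update", "treatment"),
    AccessEvent("2003-04-14T10:30:00", "mjones", "P-1001", "disclose",
                "public health reporting", recipient="County Health Dept"),
    AccessEvent("2003-04-14T11:00:00", "jsmith", "P-1002", "view", "treatment"),
    AccessEvent("2003-04-15T14:20:00", "mjones", "P-1001", "disclose",
                "legal request", recipient="State Medical Board"),
    AccessEvent("2003-04-15T15:00:00", "mjones", "P-1003", "view", "treatment"),
]

def activity_review(events):
    """Security Rule view: who touched which records inside the system.
    Returns {user: {"events": count, "patients": sorted patient IDs}}, the
    raw material for a periodic information system activity review."""
    counts = Counter(e.user for e in events)
    patients = {}
    for e in events:
        patients.setdefault(e.user, set()).add(e.patient_id)
    return {u: {"events": counts[u], "patients": sorted(patients[u])}
            for u in counts}

def accounting_of_disclosures(events, patient_id):
    """Privacy Rule view: only events where information left the practice,
    for one patient, as (date, recipient, purpose) tuples."""
    return [(e.timestamp[:10], e.recipient, e.purpose)
            for e in events
            if e.patient_id == patient_id and e.recipient is not None]
```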
Integrity. This specification refers to the development of policies which protect EPHI from improper modification or destruction. Most hardware in use today possesses the capability to accomplish this requirement. Examples include error-correcting memory, magnetic disk storage and digital signatures.
Person or entity authentication. These policies should verify that a person or entity seeking access to EPHI is who or what they claim to be.
Transmission security. This specification requires the implementation of security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network. Physicians must determine how to protect EPHI in a manner commensurate with the associated risk. While encryption is included as an “addressable” implementation specification, the commentary to the Rules encourages covered entities to consider use of encryption technology for transmitting EPHI, particularly over the Internet.
Like the Privacy Rule, the Security Rule requires that you must maintain all documentation, such as your policies and procedures, for a period of six years from the date of its creation or the date when it last was in effect, whichever is later. Further, documentation must be made available to the persons responsible for implementing related procedures. And, finally, you must periodically review your policies and procedures and update them as changes affect the security of your electronic information.
In drafting the Security Rule, HHS tried to implement a common sense approach to security. To accomplish this, the standards are technology neutral and generic, rather than overly prescriptive. Because of the speed with which technology is evolving, specific requirements would be obsolete by the time compliance is required two years from now. Further, the standards are designed to be flexible and scalable, which means that they are to be interpreted and implemented appropriately from the smallest provider to the large health plan. What works for a small dentist office does not work for the Medicare program. For example, HHS understands that a computer system that requires all users to log on and to change their passwords periodically is an industry standard. However, if the user is not trained to know that it’s not okay to write his password on a yellow sticky note and stick it on the monitor, the technology solutions won’t work.
In addition, the cost of security measures has been included as a significant factor to be considered in making security decisions. This emphasis will be of particular benefit to small and rural providers, but HHS has made it clear that cost factors may not be used to free covered entities from the responsibility of implementing adequate security.
Because security measures are an integral part of the Privacy Rule, under no circumstances should security concerns be delayed or postponed until the Security Rule compliance date.
Nancy W. Miller, Esq., is an attorney with Houston Harbaugh, P.C., in Pittsburgh.