© 2017 American Health Information Management Association
Chapter 12: The HIPAA Security Rule
Fundamentals of Law for Health Informatics and Information Management, Third Edition
HIPAA Security Rule
• Security: Protection of information from
loss, unauthorized access, or misuse,
along with protecting its confidentiality
• Difference between privacy rule and
security rule
– Privacy rule: Protects PHI regardless of the
medium on which it resides
– Security rule: Protects electronic PHI (ePHI)
HIPAA Security Rule
• Two primary purposes:
– Implement appropriate security safeguards to
protect ePHI that may be at risk
– Protect an individual’s health information while
permitting appropriate access and use
HIPAA Security Rule
• Requires covered entities to ensure
– Integrity: Lack of alteration or destruction in an
unauthorized manner
– Confidentiality: Not made available or
disclosed to unauthorized persons or
processes
HIPAA Security Rule
• Protects ePHI that is
– Created
– Maintained
– Transmitted
– Received
• Applies to
– Covered healthcare providers
– Health plans
– Healthcare clearinghouses
– Also applies to business associates (BAs) and their
subcontractors (per HITECH)
HIPAA Security Rule
• History
– Required compliance date: April 2005
• Small health plans: April 2006
– Changes included as part of HITECH (a portion of
ARRA)
• Passed by Congress in February 2009
– Enforcement of the Security Rule was assumed
by the Office for Civil Rights of HHS in 2009
(taken over from Centers for Medicare and
Medicaid Services)
HIPAA Security Rule
• Part of Title II: Administrative Simplification
• Focuses solely on ePHI
– Thus, more technical in nature
• But, is
– Flexible
– Scalable
– Technology neutral
HIPAA Security Rule v. Privacy
Rule
• ePHI: PHI maintained or transmitted in
electronic form
– For example, tapes, disks, optical disks, hard
drives, servers, Internet, private networks
– Not included: Voice mail messages, paper-to-
paper faxes; copy machines
HIPAA Security Rule—Another
Difference
• Most standards contain implementation
specifications
– Required (R): Must be implemented
– Addressable (A): Must be implemented as the
rule states or in an alternate manner or
documented that risk does not exist or is
negligible
• Addressable implementation specifications cannot
be ignored
HIPAA Security Rule
• Under the General Requirements, a CE must:
– Ensure confidentiality, integrity, and availability of
all ePHI created, received, maintained or
transmitted
– Protect the security or integrity of ePHI from
reasonably anticipated threats or hazards
– Protect against reasonably anticipated ePHI uses
or disclosures not permitted or required by the
privacy rule
– Ensure workforce compliance with the security
rule
HIPAA Security Rule
(continued)
• When considering flexibility of
implementation, these must be considered
when deciding on the most appropriate
security measures
– CE size, complexity, and capabilities
– Security capabilities of CE’s hardware and
software
– Costs of security measures
– Likelihood and severity of potential risks to ePHI
(risk management)
HIPAA Security Rule
(continued)
HHS recommends the following security
process:
– Assess current security, risks, and gaps
– Develop an implementation plan
– Implement solutions
– Document decisions
– Reassess periodically
HIPAA Security Rule
(continued)
• Covered entities and BAs must use a risk
analysis to decide which security
measures to implement.
– Financial analysis should be conducted to
determine the cost of compliance.
HIPAA Security Rule
(continued)
• 5 categories of safeguards
– Administrative Safeguards (164.308)
– Physical Safeguards (164.310)
– Technical Safeguards (164.312)
– Organizational Requirements (164.314)
– Policies, Procedures, and Documentation
(164.316)
HIPAA Security Rule
(continued)
• The rule’s maintenance requirement
provides that a continuing review of the
reasonableness and appropriateness of a
covered entity’s or BA’s (or
subcontractor’s) security measures should
be conducted
– Modify as needed
– Update documentation of review and
modifications
HIPAA Security Rule Standards
• Administrative Safeguards (164.308)
– Security management process
– Assigned security responsibility
– Workforce security
– Information access management
– Security awareness training
– Security incident reporting
– Contingency plan
– Evaluation
– BA contracts and other arrangements
Administrative Safeguards:
Security Management Process
(164.308(a)(1))
• Implement policies and procedures to prevent, detect,
contain, and correct security violations
– Risk Analysis (R)—Accurate and thorough assessment of the
potential risks and vulnerabilities to the confidentiality, integrity,
and availability of ePHI
– Risk Management (R)—Implement security measures sufficient
to reduce risks and vulnerabilities to a reasonable and
appropriate level
– Sanction Policy (R)—Apply appropriate sanctions for non-
compliance with security policy
– Information System Activity Review (R)—Implement procedures
to regularly review system activity, such as audit logs, access
reports, and security incident tracking reports
Administrative Safeguards:
Assigned Security
Responsibility (164.308(a)(2))
• Identify a security official to develop and
implement security policies and
procedures to manage and supervise the
use of security measures and the conduct
of personnel in relation to protecting the
data
• No implementation specifications
• Required
Administrative Safeguards:
Workforce Security
(164.308(a)(3))
• Implement policies and procedures to ensure
appropriate access to ePHI
– Authorization/supervision (A): Implement procedures
to authorize/supervise personnel working w/ePHI or
who may inadvertently access ePHI
– Clearance procedures (A): Implement procedures to
help ensure appropriate access of personnel (based
on need-to-know)
– Termination procedures (A): Implement procedures
for ending access to ePHI when employment/contract
ends or responsibilities change
Administrative Safeguards:
Information Access
Management (164.308(a)(4))
• Implement policies and procedures authorizing access to
ePHI
– Isolate clearinghouse functions (R): If a healthcare
clearinghouse is part of a larger organization, the clearinghouse
must implement P&P that protect the ePHI of the clearinghouse
from unauthorized access by the larger organization.
– Access authorization (A): Implement P&P for granting access to
ePHI, for example, through access to a workstation, transaction,
program, process, or other mechanism
– Access establishment & modification (A): Implement procedures
that establish, document, review, and modify a user's right of
access to a workstation, transaction, program, or process based
on Access Authorization procedures
Administrative Safeguards:
Security Awareness Training
(164.308(a)(5))
• Implement a security and awareness training
program for all workforce members
– Security reminders (A): Periodic security
updates/reminders for workforce
– Protection from malicious software (A):
Procedures for guarding against, detecting, and
reporting malicious software
– Login monitoring (A): Procedures for monitoring
login attempts and reporting discrepancies
– Password management (A): Procedures for
creating, changing, and securing passwords
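As an added example (not from the slides or AHIMA), one way to turn the login-monitoring specification above and the information system activity review specification (164.308(a)(1), regular review of audit logs and access reports) into a concrete review step. The log line format, the constructed sample lines, the five-failure threshold and the business-hours window are all assumptions.

```python
"""Review of constructed login audit records for the HIPAA login-monitoring
(164.308(a)(5)) and information system activity review (164.308(a)(1))
specifications. Added illustration; format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in an assumed "timestamp user host result" layout.
SAMPLE_LOG = """\
2017-03-01T08:00:05 jdoe ws-12 SUCCESS
2017-03-01T08:01:10 rsmith ws-07 FAILURE
2017-03-01T08:01:15 rsmith ws-07 FAILURE
2017-03-01T08:01:22 rsmith ws-07 FAILURE
2017-03-01T08:01:30 rsmith ws-07 FAILURE
2017-03-01T08:01:41 rsmith ws-07 FAILURE
2017-03-01T08:02:00 rsmith ws-07 SUCCESS
2017-03-01T23:15:00 jdoe ws-12 SUCCESS
"""

FAILED_THRESHOLD = 5              # assumed: failures that count as a discrepancy
WINDOW = timedelta(minutes=5)     # assumed: sliding window for counting failures
BUSINESS_HOURS = (7, 19)          # assumed local hours [start, end)


def parse_log(text):
    """Parse the assumed space-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "ok": result == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])


def failed_login_runs(events, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Users with >= threshold failures inside one window; also notes whether a
    successful login followed the run, which is the case a reviewer escalates."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        failures = [e for e in evs if not e["ok"]]
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                last_fail = failures[j - 1]["ts"]
                followed = any(e["ok"] and last_fail < e["ts"] <= last_fail + window
                               for e in evs)
                findings.append({"user": user, "failures": j - i,
                                 "start": failures[i]["ts"],
                                 "success_after": followed})
                break  # one finding per user is enough for the review report
    return findings


def off_hours_logins(events, hours=BUSINESS_HOURS):
    """Successful logins outside the assumed business-hours window."""
    start, end = hours
    return [e for e in events if e["ok"] and not (start <= e["ts"].hour < end)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in failed_login_runs(evs):
        print("failed-login run:", f)
    for e in off_hours_logins(evs):
        print("off-hours login:", e["user"], e["ts"])
```

The same two checks run unchanged over a real export once parse_log is adapted to the system's actual audit format.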
Administrative Safeguards:
Security Incident Procedures
(164.308(a)(6))
• Implement policies & procedures to
address security incidents
– Response & reporting (R)
• Identify and respond to suspected or known
security incidents
• Mitigate, to the extent practicable, harmful effects
of security incidents that are known to the covered
entity
• Document security incidents and their outcomes
Administrative Safeguards:
Contingency Plan
(164.308(a)(7))
• Establish policies and procedures for responding to an emergency
or other occurrence (for example, fire, vandalism, system failure,
and natural disaster) that damages systems containing ePHI
– Data backup plan (R): Establish and implement procedures to create
and maintain retrievable exact copies of ePHI
– Disaster Recovery (R): Establish procedures to restore data after loss
– Emergency mode operation (R): Establish procedures to enable
continuation of critical business processes for ePHI security while
operating in emergency mode
– Testing and revision procedures (A): Implement procedures for periodic
testing and revision of contingency plans
– Applications and data criticality analysis (A): Assess relative criticality of
specific applications and data in support of other contingency plan
components
Administrative Safeguards:
Evaluation (164.308(a)(8))
• Perform a periodic technical and non-
technical evaluation, based initially upon the
standards implemented under this rule and
subsequently, in response to environmental
or operational changes affecting the security
of ePHI, that establishes extent to which an
entity's security policies and procedures meet
HIPAA requirements
• No implementation specifications
• Required
Administrative Safeguards:
Business Associate Contracts &
Other Arrangements
(164.308(b)(1))
• A covered entity may permit a BA to create, receive, maintain, or
transmit ePHI on the covered entity’s behalf only if the covered
entity obtains satisfactory assurances the BA will appropriately
safeguard the information
• Does not apply to the following:
– Transmission by a covered entity of ePHI to provider for treatment
– Transmission of ePHI by a group health plan or an HMO or health
insurance issuer on behalf of a group health plan to a plan sponsor
– Transmission of ePHI to/from other agencies providing services when
the covered entity is a health plan (government program) providing
public benefits
• Written contract or other arrangement (R): Document the
satisfactory assurances of this section through a written contract or
other arrangement
HIPAA Security Rule Standards
• Physical Safeguards (164.310)
– Facility access controls
– Workstation use
– Workstation security
– Device and media controls
Physical Safeguards:
Facility Access Controls
(164.310(a)(1))
• Implement policies and procedures to limit physical access to
electronic information systems and the facility(ies) in which they are
housed, while ensuring that properly authorized access is allowed
– Contingency operations (A): Establish procedures allowing facility
access in support of restoring lost data under DRP and EMO plans
during an emergency
– Facility security plan (A): To safeguard the facility and the equipment
therein from unauthorized physical access, tampering, and theft
– Access control and validation procedures (A): To control and validate a
person's access to facilities based on role or function, including visitor
control, and control of access to software programs for testing and
revision
– Maintenance records (A): To document repairs and modifications to the
physical components of a facility that are related to security (e.g.,
hardware, walls, doors, locks, etc.)
Physical Safeguards:
Workstation Use (164.310(b))
• Implement policies and procedures that
specify the proper functions to be performed,
the manner in which those functions are to be
performed, and the physical attributes of the
surroundings of a specific workstation or
class of workstation that can access ePHI
• No implementation specifications
• Required
Physical Safeguards:
Workstation Security
(164.310(c))
• Implement physical safeguards for all
workstations that access ePHI, to restrict
access to authorized users
• No implementation specifications
• Required
Physical Safeguards:
Device and Media Controls
(164.310(d)(1))
• Implement policies and procedures that govern the
receipt/removal of hardware and electronic media containing
ePHI into and out of a facility, and the movement of these
items within the facility
– Disposal (R): To address the final disposition of ePHI and/or the
hardware or electronic media on which it is stored
– Media re-use (R): Implement procedures for removal of ePHI
from electronic media before the media are made available for
re-use
– Accountability (A): Maintain a record of the movements of
hardware and electronic media and any person responsible
– Data backup and storage (A): Create a retrievable, exact copy of
ePHI, when needed, before movement of equipment
HIPAA Security Rule Standards
• Technical Safeguards (164.312)
– Access control
– Audit controls
– Integrity
– Person or entity authentication
– Transmission security
Technical Safeguards:
Access Controls (164.312(a)(1))
• Implement technical policies and procedures for
electronic information systems that maintain ePHI to
allow access only to those persons or software
programs that have been granted access rights
– Unique user identification (R): Assign a unique name
and/or number for identifying and tracking user identity
– Emergency access procedures (R): Establish procedures
for obtaining necessary ePHI during an emergency
– Automatic logoff (A): Implement electronic procedures that
terminate an electronic session after a predetermined time
of inactivity
– Encryption and decryption (A): Implement a mechanism to
encrypt and decrypt electronic protected health information
Technical Safeguards:
Audit Controls (164.312(b))
• Implement hardware, software, or
procedural mechanisms that record and
examine activity in information systems
that contain or use ePHI
• No implementation specifications required
Technical Safeguards:
Integrity (164.312 (c)(1))
• Implement policies and procedures to
protect ePHI from improper
alteration/destruction
– Mechanism to authenticate ePHI (A):
Implement electronic mechanisms to
corroborate that ePHI has not been altered or
destroyed in an unauthorized manner
Technical Safeguards:
Person or Entity Authentication
(164.312(d))
• Implement procedures to verify that a person or
entity seeking access to ePHI is the one claimed
• No implementation specifications
• Required
Technical Safeguards:
Transmission Security
(164.312(e)(1))
• Implement technical security measures to
guard against unauthorized access to ePHI
transmitted over an electronic
communications network
– Integrity controls (A): Implement security
measures to ensure that electronically transmitted
PHI is not improperly modified without detection
until disposed of
– Encryption (A): Implement a mechanism to
encrypt ePHI when deemed appropriate
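As an added example (not from the slides or AHIMA), one mechanism that can serve both the integrity specification (164.312(c)(1), corroborate that ePHI has not been altered or destroyed) and the transmission integrity control above: an HMAC-SHA256 tag computed over a canonical serialization of the record and checked by the receiver. The record fields, the key handling and the function names are assumptions.

```python
"""HMAC-based integrity tag for an ePHI record, as one way to implement the
164.312(c)(1) authentication mechanism and the 164.312(e)(1) integrity
control. Added illustration; record layout and key handling are assumptions."""
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Deterministic serialization: the tag must depend on content, not on
    the order in which a sender happened to emit the fields."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record: dict, key: bytes) -> str:
    """Integrity tag the sender (or the storing system) attaches to a record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes) -> bool:
    """Receiver-side check; compare_digest avoids a timing side channel."""
    expected = tag_record(record, key)
    return hmac.compare_digest(expected, tag)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {"mrn": "000123", "dx": "J45.20", "visit": "2017-03-01"}


def demo(key: bytes = None):
    """Returns (intact, reordered, tampered, wrong_key) verification results."""
    key = key or secrets.token_bytes(32)   # assumed: key shared out of band
    tag = tag_record(SAMPLE_RECORD, key)
    intact = verify_record(SAMPLE_RECORD, tag, key)
    # Same content, different field order: canonicalization keeps the tag valid.
    reordered = {"visit": "2017-03-01", "dx": "J45.20", "mrn": "000123"}
    same_content = verify_record(reordered, tag, key)
    # One changed diagnosis code: the tag no longer verifies.
    tampered = dict(SAMPLE_RECORD, dx="J45.21")
    altered = verify_record(tampered, tag, key)
    # A party without the key cannot produce or validate a tag.
    wrong_key = verify_record(SAMPLE_RECORD, tag, secrets.token_bytes(32))
    return intact, same_content, altered, wrong_key


if __name__ == "__main__":
    print("intact, reordered, tampered, wrong key:", demo())
```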
HIPAA Security Rule Standards
• Organizational Requirements (164.314)
– Business associate contracts or other
arrangements
– Group health plans
Organizational Requirements:
Business associate contracts or
other arrangements
(164.314(a)(1))
– Business associate contracts (R): Contract must provide
for BA compliance and ensure subcontractors that create,
receive, maintain, or transmit ePHI on behalf of BA agree
to comply by entering into a contract or arrangement; must
report to covered entity any security incident of which it
becomes aware, including breaches of unsecured PHI
– Other arrangements (R): Covered entity is in compliance if
it has another arrangement that meets requirements of
164.504(e)(3)
– Business associate contracts with subcontractors (R):
Requirements between a covered entity and BA also apply
to the contract or arrangement between a BA and a
subcontractor
Organizational Requirements:
Group health plans
(164.314(b)(1))
• Requires plan sponsor to reasonably and
appropriately safeguard the confidentiality,
integrity, and availability of ePHI
– Plan document (R): Group health plan documents
must require sponsor to implement administrative,
physical, and technical safeguards that protect the
confidentiality, integrity, and availability of ePHI that it
creates, receives, maintains, or transmits on behalf of
the group plan; separation of ePHI is supported by
security measures; ensure that any agent to whom it
provides information agrees to implement security
measures to protect information and report to the
health plan any security incident of which it is aware
HIPAA Security Rule Standards
• Policies, procedures, and documentation
(164.316)
– Policies and procedures
– Documentation
Policies, Procedures, and Documentation:
Policies and Procedures (164.316(a))
• Implement policies and procedures to
comply with the standards, implementation
specifications, and other requirements
• Policies and procedures may be changed
at any time, as long as the changes are
documented and implemented
Policies, Procedures, and
Documentation:
Documentation (164.316(b))
• Requires maintenance of policies and
procedures implemented to comply with the
security rule in written form
– Time limit (R): Retain documentation for 6 years
from date of creation or when it was last in effect,
whichever is later
– Availability (R): Make documentation available to
those responsible for implementing policies and
procedures
– Updates (R): Review documentation periodically
and update as needed
HIPAA Security Rule:
Security Officer Designation
• Required per an implementation specification
in the administrative safeguards standards
• Individual must be assigned to be responsible
for overseeing information security program
• Title of security officer or chief security officer
– May comprise 100% or a portion of individual’s
duties
– Depends on the size of the organization and
extent of health information technology used
HIPAA Security Rule:
Enforcement and Penalties for
Non-Compliance
• HITECH established four violation
categories
– Nature and extent of both the violation and
the harm are considered
– Maximum of $1.5 million for all identical
violations within one calendar year
– Penalties mandatory in all except the lowest
(unknowing) category of violations
HIPAA Security Rule:
Enforcement and Penalties for
Non-Compliance
• Penalty process
– Begins with complaint (although random
audits have been phased in per HITECH)
– If investigation concludes non-compliance:
• Goal of voluntary compliance; otherwise, corrective
action or resolution agreement
• Non-cooperation may result in civil monetary
penalties
• If deemed a potentially criminal action, case may
be referred to US Department of Justice
HIPAA Security Rule:
Enforcement and Penalties for
Non-Compliance
• Tiers of violations/penalties
– Unknowing violations: $100–$50,000/violation
– Due to reasonable cause (and not willful neglect):
• $1,000–$50,000/violation
– Due to willful neglect and corrected within 30
days of discovery: $10,000–$50,000/violation
– Due to willful neglect and not corrected as
required: $50,000+/violation
• Cap of $1.5 million for each violation category
Disaster planning
• Part of the administrative and physical
safeguards
• Should be part of the BA and CE risk
assessment
BA350 Katz esb 6e_chap018_ppt
 
BA350 Katz esb 6e_chap017_ppt
BA350 Katz esb 6e_chap017_pptBA350 Katz esb 6e_chap017_ppt
BA350 Katz esb 6e_chap017_ppt
 
BA350 Katz esb 6e_chap016_ppt
BA350 Katz esb 6e_chap016_pptBA350 Katz esb 6e_chap016_ppt
BA350 Katz esb 6e_chap016_ppt
 

Recently uploaded

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfChris Hunter
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...KokoStevan
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterMateoGardella
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 

Recently uploaded (20)

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 

Hm300 week 7 part 2 of 2

1. Chapter 12: The HIPAA Security Rule
Fundamentals of Law for Health Informatics and Information Management, Third Edition
© 2017 American Health Information Management Association

2. HIPAA Security Rule
• Security: Protection of information from loss, unauthorized access, or misuse, along with protecting its confidentiality
• Difference between the Privacy Rule and the Security Rule
– Privacy Rule: Protects PHI regardless of the medium on which it resides
– Security Rule: Protects electronic PHI (ePHI) only

3. HIPAA Security Rule
• Two primary purposes:
– Implement appropriate security safeguards to protect ePHI that may be at risk
– Protect an individual's health information while permitting appropriate access and use

4. HIPAA Security Rule
• Requires covered entities to ensure
– Integrity: ePHI is not altered or destroyed in an unauthorized manner
– Confidentiality: ePHI is not made available or disclosed to unauthorized persons or processes
– Availability: ePHI is accessible and usable on demand by an authorized person

5. HIPAA Security Rule
• Protects ePHI that is
– Created
– Maintained
– Transmitted
– Received
• Applies to
– Covered healthcare providers
– Health plans
– Healthcare clearinghouses
– Also applies to business associates (BAs) and their subcontractors (per HITECH)

6. HIPAA Security Rule
• History
– Required compliance date: April 2005
• Small health plans: April 2006
– Changes included as part of HITECH (a portion of ARRA)
• Passed by Congress in February 2009
– Enforcement of the Security Rule was assumed by the Office for Civil Rights of HHS in 2009 (taken over from the Centers for Medicare and Medicaid Services)

7. HIPAA Security Rule
• Part of Title II: Administrative Simplification
• Focuses solely on ePHI
– Thus, more technical in nature
• But is
– Flexible
– Scalable
– Technology neutral

8. HIPAA Security Rule v. Privacy Rule
• ePHI: PHI maintained or transmitted in electronic form
– For example, tapes, disks, optical disks, hard drives, servers, the Internet, private networks
– Not included: Voice mail messages, paper-to-paper faxes, copy machines

9. HIPAA Security Rule—Another Difference
• Most standards contain implementation specifications
– Required (R): Must be implemented as stated
– Addressable (A): Must be assessed: implement as the rule states if that is reasonable and appropriate; otherwise implement an equivalent alternative measure, or document why the specification is not reasonable and appropriate (for example, the risk does not exist or is negligible) and what, if anything, is done instead
• Addressable implementation specifications cannot be ignored; "addressable" does not mean optional

10. HIPAA Security Rule
• Under the General Requirements, a CE must:
– Ensure the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits
– Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI
– Protect against reasonably anticipated uses or disclosures of ePHI that are not permitted or required by the Privacy Rule
– Ensure workforce compliance with the Security Rule

11. HIPAA Security Rule (continued)
• When considering flexibility of implementation, the following must be taken into account when deciding on the most appropriate security measures
– CE size, complexity, and capabilities
– Security capabilities of the CE's hardware and software (its technical infrastructure)
– Costs of security measures
– Likelihood and severity of potential risks to ePHI (risk management)

12. HIPAA Security Rule (continued)
• HHS recommends the following security process:
– Assess current security, risks, and gaps
– Develop an implementation plan
– Implement solutions
– Document decisions
– Reassess periodically

13. HIPAA Security Rule (continued)
• Covered entities and BAs must use a risk analysis to decide which security measures to implement
– A financial analysis should be conducted to determine the cost of compliance

14. HIPAA Security Rule (continued)
• Five categories of safeguards
– Administrative Safeguards (164.308)
– Physical Safeguards (164.310)
– Technical Safeguards (164.312)
– Organizational Requirements (164.314)
– Policies, Procedures, and Documentation (164.316)

15. HIPAA Security Rule (continued)
• The rule's maintenance requirement provides that a continuing review of the reasonableness and appropriateness of a covered entity's or BA's (or subcontractor's) security measures must be conducted
– Modify as needed
– Update documentation of the review and of any modifications

16. HIPAA Security Rule Standards
• Administrative Safeguards (164.308)
– Security management process
– Assigned security responsibility
– Workforce security
– Information access management
– Security awareness and training
– Security incident procedures
– Contingency plan
– Evaluation
– BA contracts and other arrangements

17. Administrative Safeguards: Security Management Process (164.308(a)(1))
• Implement policies and procedures to prevent, detect, contain, and correct security violations
– Risk Analysis (R): Accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
– Risk Management (R): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
– Sanction Policy (R): Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures
– Information System Activity Review (R): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports

18. Administrative Safeguards: Assigned Security Responsibility (164.308(a)(2))
• Identify the security official who is responsible for developing and implementing the security policies and procedures, for managing and supervising the use of security measures, and for the conduct of personnel in relation to protecting the data
• No implementation specifications
• Required

19. Administrative Safeguards: Workforce Security (164.308(a)(3))
• Implement policies and procedures to ensure that all workforce members have appropriate access to ePHI and to prevent those who should not have access from obtaining it
– Authorization/supervision (A): Implement procedures to authorize and/or supervise workforce members who work with ePHI or in locations where it might be accessed
– Clearance procedures (A): Implement procedures to determine that a workforce member's access to ePHI is appropriate (based on need-to-know)
– Termination procedures (A): Implement procedures for ending access to ePHI when employment or a contract ends or when responsibilities change

20. Administrative Safeguards: Information Access Management (164.308(a)(4))
• Implement policies and procedures for authorizing access to ePHI
– Isolate clearinghouse functions (R): If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization
– Access authorization (A): Implement policies and procedures for granting access to ePHI, for example, through access to a workstation, transaction, program, process, or other mechanism
– Access establishment and modification (A): Implement procedures that establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process, based on the access authorization policies

21. Administrative Safeguards: Security Awareness and Training (164.308(a)(5))
• Implement a security awareness and training program for all workforce members, including management
– Security reminders (A): Periodic security updates and reminders for the workforce
– Protection from malicious software (A): Procedures for guarding against, detecting, and reporting malicious software
– Login monitoring (A): Procedures for monitoring login attempts and reporting discrepancies
– Password management (A): Procedures for creating, changing, and safeguarding passwords

22. Administrative Safeguards: Security Incident Procedures (164.308(a)(6))
• Implement policies and procedures to address security incidents
– Response and reporting (R):
• Identify and respond to suspected or known security incidents
• Mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity
• Document security incidents and their outcomes

23. Administrative Safeguards: Contingency Plan (164.308(a)(7))
• Establish policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) that damages systems containing ePHI
– Data backup plan (R): Establish and implement procedures to create and maintain retrievable exact copies of ePHI
– Disaster recovery plan (R): Establish procedures to restore any loss of data
– Emergency mode operation plan (R): Establish procedures to enable continuation of critical business processes that protect the security of ePHI while operating in emergency mode
– Testing and revision procedures (A): Implement procedures for periodic testing and revision of contingency plans
– Applications and data criticality analysis (A): Assess the relative criticality of specific applications and data in support of the other contingency plan components

24. Administrative Safeguards: Evaluation (164.308(a)(8))
• Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which an entity's security policies and procedures meet the requirements of the rule
• No implementation specifications
• Required

25. Administrative Safeguards: Business Associate Contracts and Other Arrangements (164.308(b)(1))
• A covered entity may permit a BA to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the BA will appropriately safeguard the information
• Does not apply to the following:
– Transmission by a covered entity of ePHI to a healthcare provider concerning the treatment of an individual
– Transmission of ePHI by a group health plan, or an HMO or health insurance issuer on behalf of a group health plan, to a plan sponsor
– Transmission of ePHI to or from other agencies providing services when the covered entity is a health plan that is a government program providing public benefits
• Written contract or other arrangement (R): Document the satisfactory assurances required by this standard through a written contract or other arrangement

26. HIPAA Security Rule Standards
• Physical Safeguards (164.310)
– Facility access controls
– Workstation use
– Workstation security
– Device and media controls

27. Physical Safeguards: Facility Access Controls (164.310(a)(1))
• Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed
– Contingency operations (A): Establish procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency
– Facility security plan (A): Safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft
– Access control and validation procedures (A): Control and validate a person's access to facilities based on role or function, including visitor control and control of access to software programs for testing and revision
– Maintenance records (A): Document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks)

28. Physical Safeguards: Workstation Use (164.310(b))
• Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI
• No implementation specifications
• Required

29. Physical Safeguards: Workstation Security (164.310(c))
• Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users
• No implementation specifications
• Required

30. Physical Safeguards: Device and Media Controls (164.310(d)(1))
• Implement policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility
– Disposal (R): Address the final disposition of ePHI and/or the hardware or electronic media on which it is stored
– Media re-use (R): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use
– Accountability (A): Maintain a record of the movements of hardware and electronic media and of any person responsible for them
– Data backup and storage (A): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment

31. HIPAA Security Rule Standards
• Technical Safeguards (164.312)
– Access control
– Audit controls
– Integrity
– Person or entity authentication
– Transmission security

32. Technical Safeguards: Access Control (164.312(a)(1))
• Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights
– Unique user identification (R): Assign a unique name and/or number for identifying and tracking user identity
– Emergency access procedure (R): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency
– Automatic logoff (A): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
– Encryption and decryption (A): Implement a mechanism to encrypt and decrypt ePHI
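The Access Control standard above lists what a system must do, not how it looks in code. The following is an added example, written for this page and not taken from the AHIMA chapter or any EHR product, that turns three of its specifications into a small working access layer: unique user identification, automatic logoff after inactivity, and an emergency-access ("break-glass") path that is granted but always recorded so the security official can review it afterwards. The patient records, user identifiers (constructed "u-" prefix), care-team assignments, and the 15-minute timeout are all assumptions made for the example.

```python
"""Added example (not from the AHIMA chapter): a minimal access-control layer for
an ePHI store that turns three Access Control specifications (164.312(a)) into
code: unique user identification, automatic logoff after inactivity, and an
emergency-access ("break-glass") path that is granted but always recorded for
after-the-fact review. The patient records, user IDs, care-team assignments and
the 15-minute timeout are all constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import secrets
import time

INACTIVITY_LIMIT_S = 15 * 60  # hypothetical policy value for automatic logoff

# Constructed sample data: patient records and the workforce members assigned to each.
RECORDS = {
    "MRN-1001": {"name": "Patient A", "allergies": ["penicillin"]},
    "MRN-1002": {"name": "Patient B", "allergies": []},
}
CARE_TEAM = {
    "MRN-1001": {"u-nurse-042", "u-md-007"},
    "MRN-1002": {"u-md-007"},
}


@dataclass
class Session:
    user_id: str          # one person, one identifier: no shared or generic logins
    last_activity: float  # clock reading at the last request on this session


class AccessController:
    def __init__(self, clock=time.time):
        self.clock = clock                        # injectable so the timeout is testable
        self.sessions: Dict[str, Session] = {}
        self.audit: List[dict] = []               # feeds Information System Activity Review

    def _log(self, action: str, user_id: str, mrn: Optional[str] = None, **extra) -> None:
        self.audit.append({"ts": self.clock(), "action": action,
                           "user": user_id, "mrn": mrn, **extra})

    def login(self, user_id: str) -> str:
        """Return an opaque session id bound to exactly one individual's identifier."""
        # Authentication (164.312(d)) is assumed to have happened upstream; here we
        # only refuse identifiers that are not individual user IDs (constructed "u-" prefix).
        if not user_id.startswith("u-"):
            raise PermissionError("unique user identifier required, shared accounts refused")
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user_id, self.clock())
        self._log("login", user_id)
        return sid

    def _active_session(self, sid: str) -> Session:
        s = self.sessions.get(sid)
        if s is None:
            raise PermissionError("no such session")
        now = self.clock()
        if now - s.last_activity > INACTIVITY_LIMIT_S:
            # Automatic logoff: the session is torn down, not merely warned about.
            del self.sessions[sid]
            self._log("auto_logoff", s.user_id)
            raise PermissionError("session expired after inactivity")
        s.last_activity = now
        return s

    def read_record(self, sid: str, mrn: str, emergency_reason: Optional[str] = None) -> dict:
        s = self._active_session(sid)
        if mrn not in RECORDS:
            raise KeyError(mrn)
        if s.user_id in CARE_TEAM.get(mrn, set()):
            self._log("read", s.user_id, mrn)
            return RECORDS[mrn]
        if emergency_reason:
            # Emergency access procedure: grant, but leave a conspicuous trail that
            # the security official reviews after the fact.
            self._log("break_glass", s.user_id, mrn, reason=emergency_reason)
            return RECORDS[mrn]
        self._log("denied", s.user_id, mrn)
        raise PermissionError(f"{s.user_id} is not on the care team for {mrn}")

    def break_glass_events(self) -> List[dict]:
        return [e for e in self.audit if e["action"] == "break_glass"]


if __name__ == "__main__":
    ac = AccessController()
    sid = ac.login("u-nurse-042")
    print(ac.read_record(sid, "MRN-1001"))
    print(ac.read_record(sid, "MRN-1002", emergency_reason="code blue, covering physician unreachable"))
    print(ac.break_glass_events())
```

Two design points carry over to a real system: the emergency path never bypasses identification (the break-glass event still names the individual), and the clock is injected so that the automatic logoff can be exercised in a test rather than trusted on faith. Encryption and decryption, the fourth specification on this slide, is a separate mechanism and is not shown here.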
33. Technical Safeguards: Audit Controls (164.312(b))
• Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
• No implementation specifications
• Required
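Audit Controls require that activity be both recorded and examined; the Information System Activity Review specification (slide 17) and Login Monitoring (slide 21) say what the examination is looking for. The block below is an added example, written for this page and not taken from the AHIMA chapter or any EHR vendor, that runs three such checks over a constructed audit log: repeated failed logins from one account, any activity by an account whose access should have been terminated, and record views outside a user's assigned patients. The log format, user identifiers, thresholds, terminated-user list, and patient assignments are all assumptions made for the example; a real EHR's audit log will differ in format but the checks carry over.

```python
"""Added example, not part of the AHIMA chapter: a small audit-log review that puts
the Audit Controls standard (164.312(b)), the Information System Activity Review
specification (164.308(a)(1)(ii)(D)) and Login Monitoring (164.308(a)(5)(ii)(C))
into working code. The log format, user IDs, thresholds, terminated-user list and
patient assignments are all constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

FAILED_LOGIN_LIMIT = 5                       # hypothetical policy threshold
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # hypothetical policy window

# Constructed: workforce members whose access should already have been terminated.
TERMINATED_USERS = {"u-clerk-311"}
# Constructed: patients each user is assigned to (need-to-know).
ASSIGNED_PATIENTS = {
    "u-nurse-042": {"MRN-1001", "MRN-1003"},
    "u-md-007": {"MRN-1001", "MRN-1002", "MRN-1003"},
}

# Constructed sample audit log, one record per line: "<timestamp> key=value ..."
SAMPLE_LOG = """\
2017-03-01T07:58:10 user=u-nurse-042 event=view mrn=MRN-1001 result=ok
2017-03-01T08:01:02 user=u-clerk-311 event=login result=fail src=10.0.4.21
2017-03-01T08:01:20 user=u-clerk-311 event=login result=fail src=10.0.4.21
2017-03-01T08:01:41 user=u-clerk-311 event=login result=fail src=10.0.4.21
2017-03-01T08:02:05 user=u-clerk-311 event=login result=fail src=10.0.4.21
2017-03-01T08:02:30 user=u-clerk-311 event=login result=fail src=10.0.4.21
2017-03-01T08:03:11 user=u-clerk-311 event=login result=ok src=10.0.4.21
2017-03-01T08:03:40 user=u-clerk-311 event=view mrn=MRN-1002 result=ok
2017-03-01T09:15:00 user=u-nurse-042 event=view mrn=MRN-1002 result=ok
2017-03-01T09:16:12 user=u-md-007 event=view mrn=MRN-1002 result=ok
this line is not an audit record and must not crash the review
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Return a dict for one audit record, or None for lines that are not records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    ev = {"ts": ts}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            ev[key] = value
    return ev


def review(lines):
    """Return findings as (check, user, detail) tuples in the order they are detected."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of failed logins in window
    already_flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, event, ts = ev.get("user", "?"), ev.get("event"), ev["ts"]

        # Login monitoring: repeated failures from one account inside the window.
        if event == "login" and ev.get("result") == "fail":
            hits = [t for t in recent_failures[user] if ts - t <= FAILED_LOGIN_WINDOW] + [ts]
            recent_failures[user] = hits
            if len(hits) >= FAILED_LOGIN_LIMIT and user not in already_flagged:
                already_flagged.add(user)
                findings.append(("login_monitoring", user,
                                 f"{len(hits)} failed logins since {hits[0].isoformat()}"))
            continue

        # Termination procedures: any successful activity by a terminated account
        # means access was not actually removed.
        if user in TERMINATED_USERS:
            findings.append(("terminated_user_access", user, ev.get("mrn") or event))
            continue

        # Need-to-know: record views outside the user's assigned patients.
        if event == "view" and ev.get("mrn") not in ASSIGNED_PATIENTS.get(user, set()):
            findings.append(("access_outside_assignment", user, ev["mrn"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines()):
        print(*finding)
```

On the constructed log the review yields four findings: the burst of failed logins, two actions by the terminated clerk (the successful login and the record view), and the nurse viewing a patient outside her assignment. The malformed last line is skipped rather than aborting the run, which matters when the review is scheduled and unattended.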
34. Technical Safeguards: Integrity (164.312(c)(1))
• Implement policies and procedures to protect ePHI from improper alteration or destruction
– Mechanism to authenticate ePHI (A): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner

35. Technical Safeguards: Person or Entity Authentication (164.312(d))
• Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed
• No implementation specifications
• Required

36. Technical Safeguards: Transmission Security (164.312(e)(1))
• Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network
– Integrity controls (A): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of
– Encryption (A): Implement a mechanism to encrypt ePHI whenever deemed appropriate
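Both the Integrity standard's "mechanism to authenticate ePHI" (slide 34) and the Transmission Security integrity controls (slide 36) ask for a way to detect that ePHI was altered without authorization. The block below is an added example, written for this page and not taken from the AHIMA chapter or any product, showing a keyed integrity tag (HMAC-SHA-256) over a canonically serialized record, together with the caveat a practitioner needs: a plain SHA-256 digest detects accidental corruption, but anyone who can alter the record can recompute the digest too, so only a tag under a key the tamperer does not hold detects unauthorized alteration. The record contents, field names, and key handling are assumptions made for the example.

```python
"""Added example, not from the AHIMA chapter: a keyed integrity tag for an ePHI
record, as one way to satisfy the Integrity standard's "mechanism to authenticate
ePHI" (164.312(c)(2)) and the Transmission Security integrity-controls
specification (164.312(e)(2)(i)). Record contents, field names and key handling
are constructed for the example. It also shows the caveat: an unkeyed digest
detects accidental corruption, but whoever can alter the record can recompute
it, so only a keyed tag detects unauthorized alteration."""
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Serialize deterministically so sender and receiver authenticate identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def unkeyed_digest(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def tag(record: dict, key: bytes) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, key: bytes, expected_tag: str) -> bool:
    # compare_digest avoids leaking where the comparison diverged via timing.
    return hmac.compare_digest(tag(record, key), expected_tag)


def demo() -> dict:
    # In practice the key comes from a KMS/HSM and never sits beside the data it protects.
    key = secrets.token_bytes(32)
    record = {"mrn": "MRN-1001", "allergies": ["penicillin"], "dose_mg": 5}
    stored_tag = tag(record, key)
    stored_digest = unkeyed_digest(record)

    # An attacker with write access changes the dose tenfold...
    tampered = dict(record, dose_mg=50)
    # ...and, since SHA-256 needs no secret, rewrites the stored digest to match.
    attacker_digest = unkeyed_digest(tampered)
    # Without the key, the best they can do for the HMAC is guess a key.
    attacker_tag = tag(tampered, secrets.token_bytes(32))

    return {
        "genuine_record_verifies": verify(record, key, stored_tag),
        "hmac_detects_tamper": not verify(tampered, key, stored_tag),
        "hmac_rejects_forged_tag": not verify(tampered, key, attacker_tag),
        # A receiver that trusts a stored plain digest is fooled by the rewrite:
        "plain_digest_check_passes_after_tamper": unkeyed_digest(tampered) == attacker_digest,
        # ...even though the original digest no longer matches the data it once covered.
        "plain_digest_no_longer_matches_original": unkeyed_digest(tampered) != stored_digest,
        # Field order in the source system does not matter thanks to canonical():
        "order_independent": tag({"b": 1, "a": 2}, key) == tag({"a": 2, "b": 1}, key),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Every entry returned by demo() is True, which is the point: the HMAC catches both the altered record and a forged tag, while the plain digest is only as trustworthy as the storage the attacker already controls. For data in transit, TLS provides this integrity check along with encryption; for data at rest, an authenticated-encryption mode (AEAD) gives confidentiality and integrity in one primitive, which is the usual way to satisfy the encryption specifications on slides 32 and 36 at the same time.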
37. HIPAA Security Rule Standards
• Organizational Requirements (164.314)
– Business associate contracts or other arrangements
– Group health plans

38. Organizational Requirements: Business Associate Contracts or Other Arrangements (164.314(a)(1))
– Business associate contracts (R): The contract must require the BA to comply with the applicable requirements of the Security Rule; ensure that any subcontractors that create, receive, maintain, or transmit ePHI on behalf of the BA agree to comply by entering into a contract or other arrangement; and require the BA to report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI
– Other arrangements (R): A covered entity is in compliance if it has another arrangement that meets the requirements of 164.504(e)(3)
– Business associate contracts with subcontractors (R): The requirements that apply between a covered entity and a BA apply equally to the contract or other arrangement between a BA and a subcontractor

39. Organizational Requirements: Group Health Plans (164.314(b)(1))
• Requires the plan sponsor to reasonably and appropriately safeguard the confidentiality, integrity, and availability of ePHI
– Plan document (R): Group health plan documents must require the sponsor to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan; ensure that the required separation of ePHI is supported by reasonable and appropriate security measures; ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect it; and report to the group health plan any security incident of which it becomes aware

40. HIPAA Security Rule Standards
• Policies, Procedures, and Documentation (164.316)
– Policies and procedures
– Documentation

41. Policies, Procedures, and Documentation: Policies and Procedures (164.316(a))
• Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the rule
• Policies and procedures may be changed at any time, as long as the changes are documented and implemented in accordance with the rule

42. Policies, Procedures, and Documentation: Documentation (164.316(b))
• Requires maintenance, in written (which may be electronic) form, of the policies and procedures implemented to comply with the Security Rule, and a written record of any action, activity, or assessment the rule requires to be documented
– Time limit (R): Retain documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later
– Availability (R): Make documentation available to those persons responsible for implementing the procedures to which it pertains
– Updates (R): Review documentation periodically and update it as needed in response to environmental or operational changes affecting the security of ePHI

43. HIPAA Security Rule: Security Officer Designation
• Required by the Assigned Security Responsibility standard (164.308(a)(2)) among the administrative safeguards
• An individual must be assigned responsibility for overseeing the information security program
• Title of security officer or chief security officer
– May comprise 100% or only a portion of the individual's duties
– Depends on the size of the organization and the extent of health information technology used

44. HIPAA Security Rule: Enforcement and Penalties for Non-Compliance
• HITECH established four violation categories (tiers)
– The nature and extent of both the violation and the resulting harm are considered
– Maximum of $1.5 million for all violations of an identical provision within one calendar year
– Penalties mandatory in all except the lowest (unknowing) category of violations

45. HIPAA Security Rule: Enforcement and Penalties for Non-Compliance
• Penalty process
– Begins with a complaint (although random audits have been phased in per HITECH)
– If the investigation concludes non-compliance:
• The goal is voluntary compliance; otherwise, corrective action or a resolution agreement
• Non-cooperation may result in civil monetary penalties
• If deemed a potentially criminal action, the case may be referred to the US Department of Justice

46. HIPAA Security Rule: Enforcement and Penalties for Non-Compliance
• Tiers of violations/penalties (amounts as stated in this 2017 edition; HHS adjusts them annually for inflation)
– Unknowing violations: $100–$50,000 per violation
– Due to reasonable cause (and not willful neglect): $1,000–$50,000 per violation
– Due to willful neglect and corrected within 30 days of discovery: $10,000–$50,000 per violation
– Due to willful neglect and not corrected as required: $50,000+ per violation
• Cap of $1.5 million per calendar year for violations of an identical provision

47. Disaster Planning
• Part of the administrative safeguards (contingency plan, 164.308(a)(7)) and the physical safeguards (contingency operations under facility access controls, 164.310(a)(1))
• Should be part of the BA and CE risk assessment