1. Introduction
Thousands of US organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The Security Rule is a key part of HIPAA -- federal legislation that was passed into law in August 1996. The overall purpose of the act is to enable better access to health insurance, reduce fraud and abuse, and lower the overall cost of health care in the United States.
If your organization is a Covered Entity (one that must comply with HIPAA), it is imperative that you understand the rule and take the necessary steps toward compliance. This article presents a detailed overview of the Security Rule and key factors you should consider when preparing to comply with the rule.
1.1 The basics
- What: The rule applies to electronic protected health information (EPHI), which is individually identifiable health information (IIHI) in electronic form. IIHI relates to 1) an individual's past, present, or future physical or mental health or condition, 2) an individual's provision of health care, or 3) past, present, or future payment for provision of health care to an individual. The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.
- Who: Covered Entities (CEs) must comply with the Security Rule. These are health plans (HMOs, group health plans, etc.), health care clearinghouses (billing and repricing companies, etc.), or health care providers (doctors, dentists, hospitals, etc.) who transmit any EPHI.
- How: CEs must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their EPHI against any reasonably anticipated risks.
- When: The final Security Rule became effective as of April 21, 2003. Most CEs must be in compliance by April 21, 2005; small health plans (those with annual receipts of $5 million or less) have until April 21, 2006.
1.2 Penalties
CEs that do not comply with the Security Rule requirements are subject to a number of penalties. Civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Though not formally defined in HIPAA, CEs that do not comply with the Security Rule could find themselves facing other unfavorable consequences:
- Negative publicity: Non-compliant organizations may be discussed in public media (newspaper, radio, television) for not adequately protecting their customers' EPHI.
- Loss of customers: Customers are increasingly aware of their rights under HIPAA and want their EPHI protected. They may refrain from doing business with organizations they believe do not adequately protect EPHI.
- Loss of business partners: HIPAA requires that covered entities permit other organizations to create, receive, maintain, or transmit EPHI on their behalf only if the second organization can appropriately safeguard the information. CEs may be unwilling to exchange EPHI with organizations that do not adequately protect EPHI.
- Legal liability: Many attorneys are aware of HIPAA and are ready to sue on behalf of clients whose rights are violated. For the first time ever, the federal government has put forth a set of requirements prescribing how EPHI must be protected. Attorneys are prepared to use these requirements to file civil suits against non-compliant CEs.
1.3 Guiding principles
The Security Rule is based on several important principles.
- Scalability: All sizes of CEs must be able to comply with the rule, from the one-person doctor's office to the insurance company with thousands of employees.
- Comprehensiveness: CEs must have a unified security approach based on the principle of "defense in depth."
- Technology neutral: The rule does not require CEs to implement specific security technology (for example, a specific type of firewall or IDS). Each CE must choose the appropriate technology to protect its EPHI.
- Internal and external security threats: CEs must protect their EPHI against both internal and external threats.
- Risk analysis: CEs must regularly conduct thorough and accurate risk analysis.
1.4 Key Concepts
Key concepts of the Security Rule include:
- Principle-based: The rule requires CEs to comply with a series of security best practices and principles. Step-by-step checklists are not provided.
- Reasonableness: CEs must take appropriate measures to mitigate all reasonably anticipated risks to their EPHI. They must balance their resources and business requirements against the risks to their EPHI.
- Full compliance: All members of a CE's workforce, including management and those who work from home, must comply with the rule.
- Documentation: CEs must formally document and approve a wide variety of security processes, policies, and procedures.
- Ongoing compliance: CEs must provide regular security training and awareness to their workforce and revise their security policies and procedures as needed.
2. General requirements and structure
The Security Rule's requirements are organized into three categories: administrative safeguards, physical safeguards, and technical safeguards. Within these three categories are 18 standards, 12 of which have implementation specifications and six of which do not.
A standard defines what a CE must do; implementation specifications describe how it must be done.
The Security Rule has 36 implementation specifications, which are further divided into two types: required (14) and addressable (22). Required specifications are critical and CEs must implement them. CEs have three choices, however, for handling addressable implementation specifications:
- If a specific addressable implementation specification is determined to be reasonable and appropriate, the CE must implement it.
- If implementing a specific addressable implementation specification is not reasonable and appropriate, but the overall standard cannot be met without an additional security measure, a CE must:
a. Document why it would not be reasonable and appropriate to implement the
implementation specification; and
b. Implement and document the alternative security measure that accomplishes the same purpose as the addressable implementation specification.
- If implementing a specific addressable implementation specification is not reasonable and appropriate, but the overall standard can be met without implementation of an alternative security measure, a CE must document:
c. The decision not to implement the addressable specification;
d. Why it would not be reasonable and appropriate to implement the implementation specification; and
e. How the standard is being met.
The specifications can be implemented in any order, as long as the standards are met by the Security Rule deadline.
2.1 Administrative safeguards
Administrative safeguards make up 50% of the Security Rule's standards. They require documented policies and procedures for managing day-to-day operations, the conduct and access of workforce members to EPHI, and the selection, development, and use of security controls. The specific standards of the administrative safeguards are:
- Security management process: An overall requirement to implement policies and procedures to prevent, detect, contain, and correct security violations.
- Assigned security responsibility: A single individual must be designated as having overall responsibility for the security of a CE's EPHI.
- Workforce security: Policies, procedures, and processes must be developed and implemented that ensure only properly authorized workforce members have access to EPHI.
- Information access management: Policies, procedures, and processes must be developed and implemented for authorizing, establishing, and modifying access to EPHI.
- Security awareness and training: A security awareness and training program for a CE's entire workforce must be developed and implemented.
- Security incident procedures: Policies, procedures, and processes must be developed and implemented for reporting, responding to, and managing security incidents.
- Contingency plan: Policies, procedures, and processes must be developed and implemented for responding to a disaster or emergency that damages information systems containing EPHI.
- Evaluation: CEs must perform periodic technical and non-technical evaluations that determine the extent to which a CE's security policies, procedures, and processes meet the ongoing requirements of the Security Rule.
- Business associate contracts and other arrangements: CEs must -- when dealing with business associates that create, receive, maintain, or transmit EPHI on the CE's behalf -- develop and implement contracts that ensure the business associate will appropriately safeguard the information.
2.2 Physical safeguards
The physical safeguards are a series of requirements meant to protect a CE's electronic information systems and EPHI from unauthorized physical access. CEs must limit physical access while permitting properly-authorized access. The specific standards are:
- Facility access controls: An overall requirement to implement policies, procedures, and processes that limit physical access to electronic information systems while ensuring that properly authorized access is allowed.
- Workstation use: Policies and procedures must be developed and implemented that specify appropriate use of workstations and the characteristics of the physical environment of workstations that can access EPHI.
- Workstation security: CEs must implement physical safeguards for all workstations that can access EPHI in order to limit access to only authorized users.
- Device and media controls: Policies, procedures, and processes must be developed and implemented for the receipt and removal of hardware and electronic media that contain EPHI into and out of a CE, and the movement of those items within a CE.
2.3 Technical safeguards
The technical safeguards are several requirements for using technology to protect EPHI, particularly controlling access to it. The specific standards are:
- Access control: Policies, procedures, and processes must be developed and implemented for electronic information systems that contain EPHI to only allow access to persons or software programs that have appropriate access rights.
- Audit controls: Mechanisms must be implemented to record and examine activity in information systems that contain or use EPHI.
- Integrity: Policies, procedures, and processes must be developed and implemented that protect EPHI from improper modification or destruction.
- Person or entity authentication: Policies, procedures, and processes must be developed and implemented that verify persons or entities seeking access to EPHI are who or what they claim to be.
- Transmission security: Policies, procedures, and processes must be developed and implemented that prevent unauthorized access to EPHI that is being transmitted over an electronic communications network (e.g., the Internet).
2.4 Documentation standard
CEs must maintain all documentation (e.g., policies, procedures) required by the Security Rule for a period of six years from the date of its creation or the date when it last was in effect, whichever is later. Such documentation must be made available to the workforce members responsible for implementing the policies and procedures. Additionally, CEs must periodically review such documentation and revise and update it as needed to ensure the confidentiality, integrity, and availability of EPHI.
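The three choices for handling an addressable implementation specification (section 2) and the six-year retention window for documentation (section 2.4) are both record-keeping rules that an auditor will check. The following is an added example, not code from the article or from any HIPAA tooling: it models a decision record for one addressable specification, reports which of the documentation items that choice requires are missing, and computes when the retention period ends (six years from the later of creation or last-in-effect date, handling a February 29 anchor). The field names, the disposition labels, and the sample records are assumptions constructed for the example.

```python
"""Validate addressable-specification decision records and compute the
six-year documentation retention window. Added example; field names and
disposition labels are assumptions, not terms defined by the rule."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# The three ways a CE may handle an addressable implementation specification.
IMPLEMENT = "implement"       # reasonable and appropriate: implement it
ALTERNATIVE = "alternative"   # not reasonable: implement an equivalent measure
NOT_NEEDED = "not_needed"     # not reasonable, and the standard is met without it

# Documentation each disposition must carry (assumed record fields).
REQUIRED_FIELDS: Dict[str, List[str]] = {
    IMPLEMENT: ["approved_by"],
    ALTERNATIVE: ["rationale", "alternative_measure", "approved_by"],
    NOT_NEEDED: ["rationale", "how_standard_met", "approved_by"],
}

RETENTION_YEARS = 6


@dataclass
class AddressableDecision:
    specification: str             # label for the addressable specification
    disposition: str               # one of the three constants above
    created: date                  # date the decision was documented
    last_in_effect: Optional[date] = None  # None while the decision is still in effect
    rationale: str = ""            # why implementing it is not reasonable and appropriate
    alternative_measure: str = ""  # the equivalent safeguard adopted instead
    how_standard_met: str = ""     # how the standard is satisfied without it
    approved_by: str = ""          # senior manager who approved the decision


def missing_documentation(d: AddressableDecision) -> List[str]:
    """Return the documentation fields this disposition requires but lacks."""
    if d.disposition not in REQUIRED_FIELDS:
        return ["disposition"]
    return [f for f in REQUIRED_FIELDS[d.disposition] if not getattr(d, f).strip()]


def retention_end(created: date, last_in_effect: Optional[date]) -> date:
    """Six years from creation or from the last-in-effect date, whichever is later."""
    anchor = created if last_in_effect is None else max(created, last_in_effect)
    try:
        return anchor.replace(year=anchor.year + RETENTION_YEARS)
    except ValueError:  # anchor is Feb 29 and the target year is not a leap year
        return anchor.replace(year=anchor.year + RETENTION_YEARS, day=28)


def may_discard(d: AddressableDecision, today: date) -> bool:
    """A decision still in effect is never discardable; otherwise only after retention ends."""
    if d.last_in_effect is None:
        return False
    return today > retention_end(d.created, d.last_in_effect)


def audit(records: List[AddressableDecision]) -> Dict[str, List[str]]:
    """Map each incomplete record to its missing fields; complete records are omitted."""
    return {r.specification: m for r in records if (m := missing_documentation(r))}


# Constructed sample records (not real CE decisions).
SAMPLE_RECORDS = [
    AddressableDecision("Transmission security: encryption over the Internet", ALTERNATIVE,
                        created=date(2004, 9, 1),
                        rationale="EPHI leaves the network only over a partner VPN",
                        alternative_measure="",  # incomplete: alternative never described
                        approved_by="Security Officer"),
    AddressableDecision("Workforce security: authorization procedures", IMPLEMENT,
                        created=date(2004, 3, 15), approved_by="Security Officer"),
    AddressableDecision("Contingency plan: testing procedures", NOT_NEEDED,
                        created=date(2003, 5, 1), last_in_effect=date(2005, 6, 30),
                        rationale="Single-site practice with a manual fallback",
                        how_standard_met="Annual tabletop exercise documented in policy CP-1",
                        approved_by="Practice Manager"),
]

if __name__ == "__main__":
    for spec, missing in audit(SAMPLE_RECORDS).items():
        print(f"INCOMPLETE: {spec}: missing {', '.join(missing)}")
    for r in SAMPLE_RECORDS:
        print(f"{r.specification}: retain until {retention_end(r.created, r.last_in_effect)}")
```

The first sample record shows the failure an auditor is looking for: the CE chose an alternative measure but never wrote down what it is, so the record is flagged. Retention is keyed to the later of the two dates, so a decision that was revised in 2005 is kept until 2011 even though it was first written in 2003.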
3. Key Factors for Compliance
Complying with the HIPAA Security Rule can require significant time and effort. CEs must comply with 18 broad standards, many of which have specific requirements. The time and effort required will vary significantly, depending, in part, on the security policies, procedures, and processes an organization already has in effect.
If your organization regularly conducts risk analysis, uses a unified, "defense in depth" security approach, has formal, documented security policies and procedures, and conducts regular workforce training, it will almost certainly require less time and effort to comply with the Security Rule than an organization that does not. The complexity of your organization will also determine the time and effort required to comply. A five-person dentist's office will likely require less time and effort than a highly decentralized hospital employing thousands.
Regardless of size or complexity, if your organization is a CE, there are eight key steps you should consider when preparing to comply with the Security Rule.
- Obtain and Maintain Senior Management Support
Because compliance can require significant time, effort, and resources, it is critical that senior management be educated about the Security Rule and make a clear statement of support for compliance before compliance efforts begin. If possible, senior managers should be project sponsors for Security Rule compliance projects. If senior managers resist allocating adequate resources for compliance efforts, present them with the unpleasant consequences of non-compliance, discussed earlier. It is reasonable to assume that senior managers of CEs that do not comply with the Security Rule will be the focus of auditors, unhappy consumers, and eager attorneys. As compliance efforts progress, keep senior management informed and up-to-date.
- Develop and Implement Security Policies
Before implementing security processes and methods to protect EPHI, carefully identify and define what security policies you need to develop and implement. As noted earlier, the rule requires a number of formal, documented security policies. These will help define your organization's security strategic goals, identify critical assets, and provide a foundation for the selection and use of security technologies.
Security policies will also provide your organization with an overall security framework, ensuring that your security efforts are consistent and integrated rather than fragmented. Additionally, security policies are a clear mandate from senior management that security is a necessary and important part of your organization.
- Conduct and Maintain Inventory of EPHI
It is difficult to ensure the confidentiality, integrity, and availability of EPHI if you can't locate it (or worse, if you don't even know you have it). Imagine one of your senior managers being questioned by an auditor or jury and trying to explain that some of your organization's EPHI was misused because your organization didn't know it had the EPHI. This is a risky and unpleasant position to be in.
You should regularly identify and document the location of your organization's EPHI. It is particularly important to identify and document the flow of EPHI in, out, and throughout your organization. Do you regularly exchange EPHI with certain business partners? Does information system A regularly send EPHI to information system B? Does your organization regularly send EPHI over the Internet?
- Be Aware of Political and Cultural Issues Raised by HIPAA
Compliance with the Security Rule is not just developing and implementing security technology. Compliance may require significant changes in your organizational culture, particularly in how workforce members interact with EPHI.
For example, changes to a CE's access control policy may mean that workforce members who had unrestricted access to EPHI may now have only limited access, i.e., access only to the EPHI necessary to carry out their jobs. Another example would be new policies and procedures that require the monitoring or auditing of employee actions. Such changes can provoke fear, confusion, resistance, or political battles within an organization.
You can mitigate such issues by educating all workforce members about the requirements of the Security Rule, why it's important to protect EPHI, and the general steps your organization will be taking to comply with the rule. This should be done early in the compliance process. Soliciting workforce member feedback and review on proposed security policies and processes can also help. People are much more likely to understand and comply with security policies and processes they have helped develop than those they haven't.
- Conduct Regular and Detailed Risk Analysis
"Risk" can be simply defined as "the likelihood that a specific threat will exploit a certain vulnerability, and the resulting impact of that event." "Risk analysis" is a systematic and analytical approach that identifies and assesses risks and provides recommendations to reduce risk to a reasonable and appropriate level.
Risk analysis enables a CE to identify and define its critical assets and the risks to them. Risk analysis will enable senior management to understand the risks to your organization's EPHI, and to allocate appropriate resources to mitigate those risks and reasonably protect that EPHI.
A detailed discussion of how to conduct effective risk analysis for the Security Rule can be found at http://www.hipaadvisory.com/alert/vol4/number2.htm#four.
- Determine What is Appropriate and Reasonable
You should use risk analysis as the basis for developing and implementing appropriate and reasonable protections for your organization's EPHI. The Security Rule does not expect CEs to protect their EPHI against all possible risks or to have "perfect" security. Nor does the Security Rule assume that CEs have unlimited time, money and resources for protecting EPHI. Rather, the rule expects CEs to understand their EPHI, the reasonably anticipated risks to the EPHI, and the CE's capabilities to then develop and implement security measures.
Soliciting workforce member feedback will help ensure that proposed security policies and processes are appropriate and reasonable and do not affect your organization's core functionality or mission.
- Documentation
The Security Rule requires CEs to document a wide variety of security policies, procedures, and decisions. It is very important that these be formally documented and approved by senior management and regularly reviewed and revised as necessary.
If your organization is visited by an auditor or an attorney, one of the first requests they will likely make is to view your security policies. They will want to compare your security practices against those required by the policies. A CE with no or limited documented security policies will be at significant risk.
Auditors and attorneys will also want to see written documentation of the addressable implementation specification decisions your organization makes. For example, if you determine that it is not reasonable and appropriate to encrypt EPHI when sending it over the Internet, it's very important to formally document and approve this decision. A CE that does not document such a decision but instead, has to resort to telling an auditor or attorney, "We don't really remember how or why that decision was made. We think the system administrators decided that..." will be at significant risk.
You should also formally document any changes to addressable implementation specification decisions.
- Prepare for ongoing compliance
CEs are expected to comply with the Security Rule on an ongoing basis. You should develop and implement security policies, procedures, processes, and controls with the understanding that they must be regularly reviewed and modified as necessary.
In the future, risks to EPHI and associated mitigation measures are likely to change; you must understand and be prepared to respond to these changes. Additionally, as a piece of federal legislation, the Security Rule is subject to change by the US government or courts. You should regularly monitor the rule for changes.
4. Conclusion
Health care consumers expect their medical information to be appropriately protected.
After much delay, the HIPAA Security Rule has arrived in an effort to address their concerns. Compliance will require CEs to (1) identify the risks to their EPHI and (2) implement a wide variety of security best practices. Complying with the Security Rule can require significant time and resources. Now is the time to begin compliance efforts.