Frequently Asked Questions

Why is the HIPAA Security Rule needed and what is the purpose of the security standards?

In enacting HIPAA, Congress mandated the establishment of Federal standards for the security of electronic protected health information (ePHI). The purpose of the Security Rule is to ensure that every covered entity has implemented safeguards to protect the confidentiality, integrity, and availability of ePHI. Standards for security are needed because the exchange of protected health information, both between covered entities and with non-covered entities, continues to grow.

Is the use of encryption mandatory in the Security Rule?

The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, provided that the alternative is itself reasonable and appropriate.

What does the Security Rule require a covered entity to do to comply with the Security Incidents Procedures standard?

The Security Rule defines security incident as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. The Security Incident Procedures standard requires a covered entity to implement policies and procedures to address security incidents. The associated implementation specification for response and reporting requires a covered entity to identify and respond to suspected or known security incidents, mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity, and document security incidents and their outcomes. 

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. 

Do the Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to ePHI?

Yes. Covered entities that allow employees to telecommute or work out of home-based offices, and have access to ePHI, must implement appropriate safeguards to protect the organization’s data. The automatic logoff implementation specification is addressable, and must therefore be implemented if, after an assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its environment.

Does the Security Rule allow for sending ePHI in an email or over the Internet? If so, what protections must be applied?

The Security Rule does not expressly prohibit the use of email for sending ePHI. However, the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI. The standard for transmission security also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks (such as the Internet), identify the available and appropriate means to protect ePHI as it is transmitted, select a solution, and document the decision.

How can a small provider implement the standards in the Security Rule?

The Security Rule standards allow any covered entity (including small providers) to use any security measures that help the covered entity to reasonably and appropriately implement the standards to protect ePHI. In deciding what security measures to use, a covered entity can take into account its size, capabilities, and the costs of security measures. A small provider that is a covered entity would first assess its security risks and vulnerabilities and the mechanisms currently in place to mitigate those risks and vulnerabilities.

How will we know if our organization and our systems are compliant with the Security Rule’s requirements?

The purpose of the Security Rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of ePHI that is collected, maintained, used or transmitted by a covered entity. Compliance looks different for each organization and no single strategy will serve all covered entities. Covered entities should look to the Security Rule for guidance to support decisions on how to comply with the standards.

Do the standards of the Security Rule require use of specific technologies?

No. The Security standards were designed to be “technology neutral” in order to facilitate use of the latest and most promising technologies that meet the needs of different healthcare organizations. Any regulatory requirement for implementation of specific technologies would bind the health care community to specific systems and/or software that may be superseded by rapidly developing technologies and improvements.

What does the Security Rule mean by physical safeguards?

Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls. The Security Rule requires covered entities to implement physical safeguard standards for their electronic information systems whether such systems are housed on the covered entity’s premises or at another location.

What is the difference between Risk Analysis and Risk Management in the Security Rule?

Risk analysis is the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of ePHI held by a covered entity, and the likelihood of occurrence. The risk analysis may include taking inventory of all systems and applications that are used to access and house data, and classifying them by level of risk. A thorough and accurate risk analysis would consider all relevant losses that would be expected if the security measures were not in place, including loss or damage of data, corrupted data systems, and anticipated ramifications of such losses or damage. Risk management is the actual implementation of security measures to sufficiently reduce an organization’s risk of losing or compromising its ePHI and to meet the general security standards.

Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?

No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (ePHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguard standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security.

Are covered entities required to use the National Institute of Standards and Technology (NIST) guidance documents referred to in the preamble to the final Security Rule?

No. Covered entities may use any of the NIST documents to the extent that they provide relevant guidance to that organization’s implementation activities. While NIST documents were referenced in the preamble to the Security Rule, their use is not required by the Security Rule.

Does the Security Rule allow you to network computers? 

There is nothing in the Security Rule that prohibits the networking of computers, whether inside the same company, or between two unrelated companies who conduct business together. However, the covered entity must demonstrate that it has evaluated the risks associated with a network connection, and document that it has established all of the safeguards (technical, physical and administrative) that would serve to reasonably protect the information that is exchanged along the network. That will include an assessment of everything from the firewall to the designation and training of the individuals who have access to the data.

Does the Security Rule permit a covered entity to assign the same log-on ID or user ID to multiple employees?

No. Under the Security Rule, covered entities, regardless of their size, are required to “assign a unique name and/or number for identifying and tracking user identity.” A “user” is defined as a “person or entity with authorized access.” Accordingly, the Security Rule requires covered entities to assign a unique name and/or number to each employee or workforce member who uses a system that maintains ePHI, so that system access and activity can be identified and tracked by user. This pertains to workforce members within small or large healthcare provider offices, health plans, group health plans, and healthcare clearinghouses.

Who enforces the health information privacy and security standards established under the Health Insurance Portability and Accountability Act (HIPAA)?

The HIPAA Privacy and Security Rules are enforced by the Office for Civil Rights. The Office of E-Health Standards and Services within the Centers for Medicare & Medicaid Services enforces the Transactions and Code Sets and National Identifiers (Employer and Provider identifiers) regulations of the Health Insurance Portability and Accountability Act (HIPAA). 

What is the difference between addressable and required implementation specifications in the Security Rule?

If an implementation specification is described as “required,” the specification must be implemented. The concept of “addressable implementation specifications” was developed to provide covered entities additional flexibility with respect to compliance with the security standards. In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specification; (b) implement one or more alternative security measures to accomplish the same purpose; or (c) not implement either the addressable implementation specification or an alternative. In cases (b) and (c) the covered entity must document its reasoning and how the underlying standard is still met.

What is encryption?

Encryption is a method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (type of formula). If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (translate) the text and convert it into plain, comprehensible text. For more information about encryption.

What are some examples of threats that covered entities should address when conducting their risk analysis in order to comply with the Security Rule?

The risk analysis process will identify potential threats to, and vulnerabilities of, systems containing ePHI. The risks a covered entity decides to address, and how the covered entity decides to address them, will depend on the probability and likely impact of threats affecting the confidentiality, integrity, and/or availability of ePHI. Threats may affect information (data) and systems.

May a HIPAA covered entity or its business associate disclose protected health information for purposes of cybersecurity information-sharing of cyber threat indicators?

No, unless the disclosure is otherwise permitted under the HIPAA Privacy Rule, particularly given that cyber threat indicators do not generally include PHI.