Final HIPAA Security Rule - PowerPoint PPT Presentation

1
Final HIPAA Security Rule
  • Tom Walsh, CISSP

2
Tom Walsh, CISSP
  • Senior Consultant, E-Security
  • Certified Information System Security
    Professional
  • Invited speaker at national HIPAA conferences
  • Emphasis on HIPAA security implementation
  • Former Information Security Manager for large
    healthcare system in Kansas City
  • DOE-certified safeguards and security instructor

3
Session Objectives
4
Session Objectives
  • Provide an overview on the final HIPAA Security
    Rule
  • Explain changes between the proposed rule and the
    final rule
  • Review key concepts and terminologies employed
  • Discuss benefits and impacts
  • Discuss next steps toward compliance
  • Provide an opportunity for questions

5
Overview
6
Security Rule Timeline
  • Originally posted to the Federal Register on
    August 12, 1998
  • Rule was sent to the Office of Management and
    Budget (OMB) on January 13, 2003
  • Published in Federal Register on February 20
  • Compliance by April 21, 2005
  • An extra year for small payers (below $5 million
    in annual receipts): April 2006

http://aspe.hhs.gov/adminsimp
7
Security Rule Sections
  • §164.103 and §164.304: Definitions
  • §164.105: Organizational requirements
    • "Health care component" and "Affiliated
      covered entities"
  • §164.306: Security Standards: General Rules
  • §164.308: Administrative safeguards
  • §164.310: Physical safeguards
  • §164.312: Technical safeguards
  • §164.314: Organizational requirements
  • §164.316: Policies and procedures and
    documentation requirements
  • §164.318: Compliance dates

8
Comparison of Rules
  • Old vs. New Terminology
  • 24 Requirements → 18 Standards
  • 69 Implementation Features →
    42 Implementation Specifications
  • 20 Required, 22 Addressable

9
Administrative
10
Physical
11
Technical
12
Comparison of Rules
  • Old Proposed Rule
  • Section headings, Requirements and
    Implementation Features were listed in
    alphabetical order so as not to imply the
    importance of one requirement over another
  • New Final Rule
  • Standards and Implementation Specifications are
    grouped in a logical order within each of the
    three areas: Administrative, Physical, and
    Technical Safeguards

13
Other Changes
  • Removes the Electronic signature standards
  • Incorporates standards that parallel those in the
    Privacy Rule thus helping organizations meet a
    number of the security standards through the
    implementation of the privacy rule
  • Covers only electronic protected health
    information (More limited than Privacy Rule)
  • Requires a minimum level of documentation that
    must be periodically updated to reflect current
    practices

14
HIPAA Security Standards
  • Are based upon good business practices
  • Basic concepts

15
Details
16
HIPAA Security Standards
  • Administrative Safeguards (55%)
    • 12 Required, 11 Addressable
  • Physical Safeguards (24%)
    • 4 Required, 6 Addressable
  • Technical Safeguards (21%)
    • 4 Required, 5 Addressable

The final rule has been modified to increase
flexibility as to how protection is accomplished.
17
Administrative Safeguards
18
Administrative Safeguards
  • Security Management Process
    • Risk Analysis (R)
    • Risk Management (R)
    • Sanction Policy (R)
    • Information System Activity Review (R)
  • Assigned Security Responsibility
  • Workforce Security
    • Authorization and/or Supervision (A)
    • Workforce Clearance Procedure (A)
    • Termination Procedures (A)

19
Administrative Safeguards
  • Information Access Management
    • Isolating Healthcare Clearinghouse Function (R)
    • Access Authorization (A)
    • Access Establishment and Modification (A)
  • Security Awareness and Training
    • Security Reminders (A)
    • Protection from Malicious Software (A)
    • Log-in Monitoring (A)
    • Password Management (A)
  • Security Incident Procedures
    • Response and Reporting (R)

20
Administrative Safeguards
  • Contingency Plan
    • Data Backup Plan (R)
    • Disaster Recovery Plan (R)
    • Emergency Mode Operation Plan (R)
    • Testing and Revision Procedure (A)
    • Applications and Data Criticality Analysis (A)
  • Evaluation
  • Business Associate Contracts and Other
    Arrangements
    • Written Contract or Other Arrangement (R)

21
Physical Safeguards
22
Physical Safeguards
  • Facility Access Controls
    • Contingency Operations (A)
    • Facility Security Plan (A)
    • Access Control and Validation Procedures (A)
    • Maintenance Records (A)
  • Workstation Use
  • Workstation Security
  • Device and Media Controls
    • Disposal (R)
    • Media Re-use (R)
    • Accountability (A)
    • Data Backup and Storage (A)

23
Technical Safeguards
24
Technical Safeguards
  • Access Control
    • Unique User Identification (R)
    • Emergency Access Procedure (R)
    • Automatic Logoff (A)
    • Encryption and Decryption (A)
  • Audit Controls
  • Integrity
    • Mechanism to Authenticate Electronic PHI (A)
  • Person or Entity Authentication
  • Transmission Security
    • Integrity Controls (A)
    • Encryption (A)

25
Key Concepts
26
Risk Analysis
  • The most appropriate means of compliance for any
    covered entity can only be determined by that
    entity assessing its own risks and deciding upon
    the measures that would best mitigate those
    risks
  • Does not imply that organizations are given
    complete discretion to make their own rules
  • Organizations determine their own technology
    choices to mitigate their risks

27
Addressable Implementation Specifications
  • Covered entities must assess whether an
    implementation specification is reasonable and
    appropriate based upon factors such as:
    • Risk analysis and mitigation strategy
    • Current security controls in place
    • Costs of implementation
  • Key concept: reasonable and appropriate
  • Cost is not meant to free covered entities from
    their security responsibilities

28
Addressable Implementation Specifications
  • In meeting standards that contain addressable
    implementation specifications, a covered entity
    will ultimately do one of the following:
    • Implement one or more of the addressable
      implementation specifications
    • Implement one or more alternative security
      measures
    • Implement a combination of both, or
    • Not implement either an addressable
      implementation specification or an alternative
      security measure.

Must document!
29
Other Concepts
  • Security standards extend to the members of a
    covered entity's workforce even if they work at
    home, such as transcriptionists
  • Security awareness and training is a critical
    activity, regardless of an organization's size
  • Evaluation: Periodic review of technical
    controls and procedural review of the entity's
    security program
  • Documentation Retention: Six years from the date
    of its creation or the date when it last was in
    effect, whichever is later

30
Terminologies
31
Terminologies Removed
  • Formal: Was used to convey documentation rather
    than word-of-mouth
  • Breaches: Replaced by "security incident"
  • Open Networks: Now up to the entity to determine
    when to apply encryption (addressable because
    there is not a simple solution to encrypting
    e-mails with patients)

Consider industry best practices.
32
Terminologies Clarified
  • System: "an interconnected set of information
    resources under the same direct management
    control that shares common functionality;
    includes hardware, software, information, data,
    applications, communications, and people."
  • Workstations: "an electronic computing device,
    for example, a laptop or desktop computer, or any
    other device that performs similar functions, and
    electronic media stored in its immediate
    environment."

33
Benefits and Impacts
34
Benefits
  • Establishes minimum baseline
  • Encourages the use of EDI (increased confidence
    in the reliability and confidentiality)
  • Promotes connectivity to provide availability of
    information
  • Reduces the risks and potential cost of a
    security incident versus the increase in costs of
    additional security controls for compliance

35
Impacts: Responsibility
  • Responsibility must rest with one individual to
    ensure accountability
  • More than one individual may be given specific
    security responsibilities, especially within a
    large organization, but a single individual must
    be designated as having the overall final
    responsibility for the security of the entity's
    electronic protected health information.
  • Aligns Security Rule with the Privacy Rule
    provisions concerning the Privacy Official

36
Other Impacts
  • Impacts will be dependent upon the size,
    complexity, and capabilities of the covered
    entity
  • Ensuring protection does not mean providing
    protection, no matter how expensive.
  • Balance between the information's identifiable
    risks and vulnerabilities, and the cost of
    various protective measures
  • Enforcement not defined in the rule

37
Next Steps
38
Next Steps
  • Assign responsibility to one person
  • Conduct a risk analysis
  • Deliver security awareness in conjunction with
    privacy
  • Develop policies, procedures, and documentation
    as needed
  • Review and modify access and audit controls
  • Establish security incident reporting and
    response procedures

39
Questions?