The HIPAA Security Rule - PowerPoint PPT Presentation

Description: Ensure the confidentiality, integrity, and availability of all electronic ... While 'deadline' is two years away, public entities will need to start preparing ...

Slides: 18
Provided by: tomsi

Transcript and Presenter's Notes

1
The HIPAA Security Rule
  • The Third Leg of HIPAA Has Finally Hit The Ground!

2
In a nutshell
  • Ensure the confidentiality, integrity, and
    availability of all electronic protected health
    information the CE creates, receives, maintains
    or transmits
  • Protect against any reasonably anticipated
    threats or hazards to the security or integrity
    of the information
  • Protect against any reasonably anticipated uses
    or disclosures not permitted by the Privacy Rule

3
But they are being flexible
  • Covered entities may use any security measures
    that allow the covered entity to reasonably and
    appropriately implement the rule
  • Take into account:
    • The size, complexity, and capabilities of the
      covered entity.
    • The technical infrastructure, hardware, and
      software security capabilities.
    • The costs of security measures.
    • The probability and criticality of potential
      risks to electronic protected health information.

4
OK, fairly flexible
  • There are two types of implementation specification:
    • Required
      • No choice; you have to do it as described.
    • Addressable
      • Assess to see if it is reasonable;
      • if not, document that fact and
      • implement an equivalent alternative measure.

5
Other pieces
  • It only applies to electronic health information.
  • Technology neutral.
  • It is a mandated floor of protection.
  • Concerns stored and transmitted PHI.
  • No longer concerns electronic signatures.
  • DHHS has simplified it a bit.
  • Compliance due by April 21, 2005.

6
Outline
  • 3 categories of safeguards:
    • Administrative
    • Physical
    • Technical
  • Others:
    • Organizational requirements
    • Policies and procedures
  • Legend: R - Required, A - Addressable

7
Administrative Safeguards
  • 164.308
  • Security management process
    • Risk analysis (R)
    • Risk management (R)
    • Sanction policy (R)
    • Information system activity review (R)
  • Assigned security responsibility
    • One individual (not an organization) with
      responsibility (R)

8
Admin Safeguards (cont)
  • Workforce Security
    • Authorization and/or supervision (A)
    • Workforce clearance procedure (A)
    • Termination procedures (A)
  • Information access management
    • Minimum necessary rule

9
Admin Safeguards (cont)
  • Security Awareness and Training
    • Security reminders (A)
    • Protection from malicious software (A)
    • Log-in monitoring (A)
    • Password management (A)
  • Security Incident Procedures (R)

10
Admin Safeguards (cont)
  • Contingency Plan
    • Data backup plan (R)
    • Disaster recovery plan (R)
    • Emergency mode operations plan (R)
    • Testing and revision procedures (A)
    • Applications and data criticality analysis (A)
  • Evaluation
  • Business Associate contracts

11
Physical Safeguards
Implement policies and procedures to limit
physical access to its electronic information
systems and the facilities in which they are
housed.
  • 164.310
  • Facility Access Controls
    • Contingency operations (A)
    • Facility Security Plan (A)
    • Access Control and Validation Procedures (A)
    • Maintenance Records (A)
  • Workstation Use
    • Includes portable devices

12
Physical Safeguards (Cont)
  • Workstation Security
  • Device and Media Controls
    • Disposal (R)
    • Media re-use (R)
    • Accountability (A)
    • Data backup and Storage (A)

13
Technical Safeguards
  • 164.312
  • Access Control
    • Unique user identification (R)
    • Emergency access procedure (R)
    • Automatic logoff (A)
    • Encryption and decryption (A)
  • Audit Controls
  • Integrity (A)

14
Technical Safeguards (cont)
  • Person or entity authentication
  • Transmission security
    • Integrity controls (A)
    • Encryption (A)

15
Organizational Requirements
  • Business Associate Contracts
    • Similar to privacy
    • Replaces chain of trust agreement
    • Applies to subcontractors of BAs
  • Requirements for Group Health Plans

16
Policy and Procedure Documentation
  • Implement reasonable and appropriate policies and
    procedures
  • Documentation
    • Retain documents for 6 years
    • Make documents available
    • Review and update documentation periodically

17
What to watch for
  • While the deadline is two years away, public
    entities will need to start preparing FY05
    budgets during the Fall of 2003!