The murky waters of the HIPAA security rule

Laura Rose Lambert – Electronic records, TWH blog

Security rule framework for your HIPAA notebook

The following will help you frame your notebook. Each section lists required and addressable items under its standards. You absolutely must develop a policy for and carry out the required items, and consider whether the addressable items are possible in your practice. 164.306(d)(3) outlines how to treat addressable items:

[Image: text of 164.306(d)(3) on addressable implementation specifications]

Please don’t take my framework as a replacement for looking at the source text. HIPAA updates often and I am not perfect. Consult your lawyer when needed. I encourage you to use the links to the source I have provided and look at both while building your notebook.

Apply some parts of this law universally to your entire practice. Assess each service or device that handles ePHI and develop specific policies and procedures for each item. Use your common sense with this. If at any time the terminology is confusing, you can look up definitions in section 164.304 of the security rule.

For further guidance use the Security Series developed by the Department of Health & Human Services. You can find the entire series at the HHS website. I have also linked the articles separately throughout the text.

Administrative Safeguards (164.308)

9 standards – 10 required, 11 addressable

Please look at the HHS Administrative Safeguards guide for more examples of how to implement this section of HIPAA.

  1. Policies and procedures to prevent, detect, contain and correct security violations.
    For the following two requirements I also used a document developed by the Department of Health & Human Services titled the Basics of Risk Analysis and Risk Management.

    a. Required – Risk analysis
    b. Required – Risk management
    c. Required – Sanction policy – what you will do if someone violates the security policies and procedures you have in place, so that everybody follows them.
    d. Required – Information system activity review – much software and many internet services can keep a record of the when, where and what of log-in activity and use. Schedule a regular time to review these logs and save them to a document.
  2. Identify a ‘security official’ who is responsible for the development and implementation of all your procedures and policies.
  3. Policies and procedures for all providers/staff on how to gain and restrict access to PHI.
    a. Addressable – Develop procedures for the authorization and/or supervision of members who work with ePHI.
    b. Addressable – Outline the factors that determine what access to ePHI is appropriate for users.
    c. Addressable – What is your procedure for when you need to terminate access to ePHI? For example, when a provider leaves the practice.
  4. Policies and procedures for authorizing access to PHI
    a. Required – If a healthcare clearinghouse is part of a larger organization, there must be policies in place to keep its ePHI separate from the larger organization.
    b. Addressable – Policies and procedures for granting access to ePHI.
    c. Addressable – Create a set method for how to establish, document, review and modify a user’s right of access to the technology in your office.
  5. Security awareness and training program for everyone in the practice.
    a. Addressable – Update security periodically.
    b. Addressable – Procedures for guarding against, detecting and reporting malicious software. This is as simple as using comprehensive security and anti-virus software such as AVG, Norton, etc. AND scheduling regular scans and updates.
    c. Addressable – Procedures for monitoring log-in attempts and reporting discrepancies.
    d. Addressable – Procedures for creating, changing and safeguarding passwords.
  6. Policies and procedures to address security incidents.
    a. Required – Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
  7. Develop policies and procedures for emergencies (fire, vandalism, system failure and natural disasters).
    a. Required – Have a way of retrieving exact copies of ePHI. You need back-ups of your back-ups. Secure off-site storage is essential to emergency plans.
    b. Required – Develop procedures to restore any lost data. (Don’t be in denial: your hard drive WILL fail.)
    c. Required – Develop procedures to enable continuation of critical business processes for protection of ePHI while in an emergency.
    d. Addressable – Schedule periodic testing and revision of contingency plans.
    e. Addressable – Assess how important each device, software or electronic service that handles ePHI is in light of an emergency. Prioritize from most critical to least important.
  8. Create a plan for technical and nontechnical evaluation of how to change policies and procedures in response to environmental or operational changes (for example, when you switch your practice management software or move locations).
  9. Use business associate contracts with those who create, receive, maintain or transmit ePHI on your behalf.
    a. Required – Keep a record of written contracts with business associates and their assurances of compliance with the HIPAA security and privacy rules.

Okay let’s pause and talk about business associates. Always keep business associate contracts in your collection of legal forms.

[Image: Kindle And Writing Pad by Jon Luty]

With a few exceptions, section 160.103 defines a business associate as a person, separate from your workforce, that performs or assists in:

  1. A function or activity that uses or discloses PHI, including claims processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing.
  2. Any other function found under the HIPAA law.
  3. Any legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for you that involves disclosure of PHI. (Best example is your online scheduling service who may see the names and times of your appointments.)

The recent HIPAA omnibus modifications added these organizations and services to the business associate definition:

  • Patient Safety Organizations (PSOs)
  • Health Information Organizations
  • E-prescribing Gateways, or any other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to ePHI
  • Entities that maintain or store ePHI, even if they don’t see the data directly.
  • A person who offers a personal health record to one or more individuals on behalf of a covered entity.
  • Subcontractors that an existing business associate hires to create, receive, maintain, or transmit protected health information are your business associates as well (although you do not need to have a contract with them; your business associate should contract with them).

The exceptions mentioned above, which do not make someone a business associate, are:

  1. Transmission of ePHI between health care providers concerning the treatment of an individual.
  2. Transmission of ePHI by a group health plan, HMO or health insurance issuer on behalf of a group health plan to a plan sponsor (while adhering to 164.314(b) and 164.504(f))
  3. Transmission of ePHI to or from other agencies providing services, when the entity is a health plan that is a government program and the requirements of 164.502(e)(1)(ii)(C) are met.

Legal liability: The recent modifications reinforce that in some circumstances you are liable for the actions of your business associates. It is vital to know who you are working with, even if it is a tech company hundreds of miles away. Drafting a business associate contract that is specific to your situation is vital. This requires direct, personal contact with the companies you work with to manage your ePHI. For more information on what HIPAA law requires in the business associate contract, follow the link to the Health and Human Services page on business associate contracts.

Required and addressable items that require an activity log: 1(d), 4(c), 5(c), 6(a)

Required and addressable items that require scheduled maintenance: 1(d), 5(a), 7(d)

Physical Safeguards (164.310)

4 standards – 2 required, 6 addressable

For more examples and further explanation visit the HHS HIPAA series article, “Security Standards: Physical Safeguards”.

  1. Policies and procedures to limit physical access to your electronic systems and the place they are housed in. This can be compared to locking your file cabinet and always keeping patient charts with you when in use, or at least putting them somewhere no one else has access.
    a. Addressable – Procedures that allow facility access during an emergency event in order to restore lost data and operate in emergency mode.
    b. Addressable – Policies and procedures to safeguard the facility and the equipment therein against unauthorized physical access, tampering and theft.
    c. Addressable – Implement procedures to control and validate a person’s access to facilities based on their function. Have a policy concerning visitors and access to software programs for testing and revisions.
    d. Addressable – Document repairs and modifications to the physical components of a facility related to security (hardware, walls, doors and locks).
  2. Policies and procedures to outline how, why, when and where to use a “workstation” – computer, iPad, etc. You should also specify which items in the office are considered “workstations”.
  3. Create physical safeguards for all workstations. Just something that restricts access to authorized users only.
  4. Policies and procedures that govern the receipt and removal of hardware and electronic media that contains ePHI within the office and in and out of the office.
    a. Required – Develop policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored.
    b. Required – Implement policies for removal of ePHI from electronic media before the media is re-used.
    c. Addressable – Document the who, when, where and movements of hardware and electronic media.
    d. Addressable – Create a retrievable, exact copy of ePHI before movement of equipment.

Required and addressable items that require an activity log: 1(d), 4(d)

Required and addressable items that require scheduled maintenance: none

Technical Safeguards (164.312)

5 standards – 2 required, 5 addressable

You can also refer to the HHS article on technical safeguards.

  1. Control access electronically to ePHI – this may mean restricting users to certain software and creating user accounts with unique, secure passwords.
    a. Required – Assign a unique name and/or number for identifying and tracking user identity.
    b. Required – Create procedures for obtaining ePHI during an emergency.
    c. Addressable – Implement electronic procedures that terminate a session after a predetermined time of inactivity.
    d. Addressable – Implement a mechanism to encrypt and decrypt ePHI.
  2. Create or install hardware, software and/or procedural mechanisms that record and examine activity when accessing and using ePHI.
  3. Create policies and procedures that protect ePHI from improper alteration or destruction.
    a. Addressable – Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
  4. Create a system which verifies that a person or entity seeking access to ePHI is who they claim to be.
  5. Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over a communications network.
    a. Addressable – Implement security measures to ensure electronically transmitted ePHI is not improperly modified while in transport.
    b. Addressable – Implement a mechanism to encrypt ePHI whenever deemed appropriate.

Required and addressable items that require an activity log: 1(d), 2

Required and addressable items that require scheduled maintenance: none

Organization Requirements (164.314)

2 standards – 2 required (1 relevant to us)

  1. The business associate contracts and relationships you are in must meet certain standards. Please refer to the article published by Health and Human Services on business associate contracts.
    a. Required – Business associate contracts must include certain aspects that you can find outlined in the link mentioned above.
  2. This standard relates to group health plans, so I’m not going to cover it here.

Required and addressable items that require an activity log: none

Required and addressable items that require scheduled maintenance: none

Policies, Procedures and Documentation Requirements (164.316)

2 standards – 3 required, 0 addressable

  1. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications or other requirements of HIPAA law.
  2. Maintain a written record of the policies and procedures created to comply with the law. In addition keep records of any required actions, activities or assessments.
    a. Required – You must keep records of these items for 6 years from the date of their creation or the date when they were last in effect, whichever is later.
    b. Required – Make documentation easily available to regulators and to those responsible for following it.
    c. Required – Review documentation periodically and update it if needed (for environmental or operational changes affecting security).

Required and addressable items that require an activity log: 2(a)

Required and addressable items that require scheduled maintenance: 2(c)

I am sure you have more questions than answers at this point. But I also hope you feel like you have your bearings in the HIPAA-compliant use of technology in healthcare. This is a well-informed jumping-off point. For the rest of this article I want to address some of the questions you may have.

Comments 1

  1. Laura, what a wonderful breakdown of the HIPAA Security compliance process. I’m not just saying that because you quoted me, either. 😉

    I should point out that HIPAA is also not the only player in these processes. For example, clients are given leeway to accept the risks of email by HIPAA. State licensing boards or legislatures may have caveats or gotchas around that, though. My board, for example, requires email to be secured if I am to use it for therapeutic communications. Without security, I need to keep it to scheduling and other administrivia. HIPAA would let me send the client’s whole medical record by email if the client wanted it.
