Attorney Articles | How to Comply with Security Standards

Articles by Legal Department Staff

The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

How to Comply with Security Standards

Complying with the Standards is two-fold: first, you must understand the minimum administrative, physical, and technical standards that HIPAA requires to be in place to help protect the confidentiality, integrity, and availability of electronic protected health information, and second, assuming you are a covered entity, you must implement such Standards in your practice.

by David G. Jensen, JD
Staff Attorney

Updated August 2010 by David G. Jensen, JD, 
Staff Attorney


(Author's Note: This is Part II of a two-part series on HIPAA's Security Standards. In Part I, which appeared in the September/October 2003 issue of The Therapist, we gave you an overview of the Security Standards and in this issue we will focus on complying with such standards. The information provided herein is based on my review of 45 CFR 164.)

--------------------------------------------------------------------------------

The Security Standards ("Standards") have been issued by the Department of Health and Human Services to give the health care industry a minimum set of administrative, technical, and physical safeguards for covered entities ("CEs") to implement to help CEs safeguard the confidentiality, integrity, and availability of electronic protected health information ("EPHI"). A CE must comply with these Standards with respect to EPHI that the CE creates, receives, maintains, or transmits. In general, as a review, the Standards require CEs to:

  • Ensure the confidentiality, integrity, and availability of the EPHI that the CE creates, receives, maintains, or transmits;
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI that the CE creates, receives, maintains, or transmits;
  • Protect against any reasonably anticipated uses or disclosures of EPHI that are not allowed or required by HIPAA; and,
  • Ensure compliance with these security standards by its workforce.[1]

CEs will fulfill these four objectives by implementing HIPAA's minimum administrative, technical, and physical safeguards. As you know from reading Part I of this series, there is no one approach to complying with these Standards; rather, each CE must create and implement its own individualized plan for complying with them.

However, a CE's plan does not have to make it impregnable to all possible threats to the confidentiality, integrity, or availability of the EPHI that the CE creates, receives, maintains, or transmits. In fact, there really is no such thing as an impregnable CE. Given enough time, enough money, and enough determination, any CE's computer system can be compromised and EPHI can then be used or disclosed for unauthorized purposes. Congress is sensitive to this reality and to the financial costs of implementing the Standards. Hence, Congress has made the Standards "scalable," meaning that they can be customized by CEs in light of their financial and technical resources. The emphasis is on each CE adopting reasonable and appropriate measures to guard against any unauthorized uses or disclosures of EPHI.

Moreover, a CE's responsibility to implement the Standards extends to members of its workforce who work at home as well as the office. Keep in mind that a CE is responsible for maintaining the confidentiality, integrity, and availability of all of the EPHI that it creates, receives, maintains, or transmits. Consequently, if the CE allows EPHI to be utilized by someone at his or her home, the CE must include the at home functions within its security plans.

The Standards also require CEs to manage the conduct of employees who have access to EPHI, which also entails training employees about the CE's security policies and procedures as well as deciding which, if any, of the CE's employees need to have access to EPHI to perform their work activities and how much access to EPHI such employees should be given.

Furthermore, each of the Standards may have required or addressable implementation specifications. These specifications detail how the CE is supposed to implement a particular standard. Keep in mind that a required specification is one that a CE must implement, and an addressable specification is one that a CE must implement if it is a reasonable and appropriate safeguard for the CE. If an addressable specification is not reasonable and appropriate for the CE, the CE must document why, and must implement an equivalent alternative measure if one is reasonable and appropriate. "Addressable" does not mean "optional." To decide which security measures are reasonable and appropriate, including whether to adopt a particular addressable specification, a CE must take into account the following four factors:

  1. The relative size, complexity, and capabilities of the CE;
  2. The CE's technical infrastructure, hardware, and software security capabilities;
  3. The costs of the security measures; and
  4. The probability and degree of harm resulting from potential risks of unauthorized uses or disclosures of EPHI.

As an aside, I apologize for the technical nature of the rest of this article, but, like traffic in Los Angeles during rush hour, the technical stuff cannot be avoided. I have attempted to cull the necessary information from the irrelevant, but it is still dense material. However, CEs must understand the administrative, physical, and technical safeguards, and all of the required and addressable specifications, to be able to comply with the Standards.

Administrative Safeguards
There are nine security standards that comprise the Administrative Safeguards, and they require a CE to have policies and procedures (P&Ps) to manage the selection, development, and use of security measures to protect EPHI.

1. Security management process. A CE must implement P&Ps to prevent, detect, contain, and correct security violations, which entails implementing a security management process and documenting the CE's security measures. This standard has four implementation specifications:

a. Risk Analysis. A CE must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the CE. In practice this means identifying where EPHI is created, received, stored, and transmitted (office computers, laptops, backups, e-mail, billing services), the threats to it (theft, malware, staff error, hardware failure), the safeguards already in place, and the likelihood and impact of each risk. The risk analysis is the basis on which the cost-effective security measures of the next specification are selected. (Required)

b. Risk Management. A CE must implement security measures sufficient to reduce risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI to a reasonable and appropriate level, which essentially means that a CE must take appropriate actions to address the risks identified in subsection a. above and document what it chose to do and why. (Required)

c. Sanction Policy. A CE must apply appropriate sanctions against workforce members who fail to comply with the CE's security P&Ps. This essentially means that a CE must discipline employees for violating the CE's security policies and procedures (P&Ps). Such discipline could include written warnings or terminating employees for egregious violations. (Required)

d. Information System Activity Review. A CE must implement P&Ps to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. The goal is to determine if any EPHI is being used or disclosed inappropriately. (Required)

2. Assigned security responsibility. A CE must designate a person responsible for developing and implementing the CE's security P&Ps.

a. Security Official. A CE must identify one person as the CE's security official who is responsible for the development and implementation of the CE's security P&Ps. (Required)

3. Workforce security. A CE must implement P&Ps to ensure that its employees who need to have access to EPHI have the access that they need to perform their work activities and that employees who do not need to have access to EPHI do not have such access. For small practices, however, it is permissible under HIPAA for all employees to have access to all EPHI if all employees need to have such access to perform their work activities.

a. Authorization and Supervision. A CE must implement P&Ps for the authorization and/or supervision of workforce members who work with EPHI or in locations where EPHI might be accessed. A CE should establish written P&Ps for granting and revoking access to EPHI. Two related concepts become important once a CE has employees: authentication, which means having a user prove that he or she is who he or she claims to be (for example, with a password), and authorization, which means deciding whether that authenticated person has the right to carry out a particular function. When a CE has employees, it must decide how much access to EPHI should be given to each employee, or whether it is necessary to allow all employees access to all EPHI, and it must then ensure that each member of the workforce is using EPHI only for appropriate uses and disclosures. Obviously, if the CE does not have any employees, then these issues are moot. (Addressable)

b. Workforce Clearance Procedure. A CE must implement P&Ps to determine that a workforce member's access to EPHI is appropriate, which essentially means that a CE should conduct personnel and professional reference checks before allowing anyone to access EPHI. This policy should apply to anyone who needs access to EPHI, including, but not limited to, maintenance workers and computer technicians as well as employees. (Addressable)

c. Termination Procedures. A CE must implement P&Ps for terminating access to EPHI when the employment of a workforce member ends, which essentially means that a CE should document the security steps to follow when an employee is terminated, e.g., disabling the employee's user account, changing any passwords or door codes the employee knew, recovering keys and devices, and removing the employee from access lists. (Addressable)

4. Information access management. A CE must implement P&Ps for authorizing access to EPHI.

a. Isolating Health Care Clearinghouse Functions. This specification applies only to a CE that operates a health care clearinghouse as part of a larger organization and is therefore not applicable to MFTs (marriage and family therapists).

b. Access Authorization. A CE must implement P&Ps for granting access to EPHI, for example, through access to a workstation, transaction, program, or process. A CE should develop and implement P&Ps for granting and maintaining privileges for individuals to access EPHI. If the CE has employees, the CE's security officer should keep access authorization records that document the access to EPHI that each employee has, including why such employee has such access. Keep in mind that the goal under HIPAA is to provide the employee with the minimum amount of access to EPHI that the employee needs to perform his or her assigned tasks. However, in some small practices it may be necessary for all employees to have equal access to EPHI. Again, this universal access is acceptable under HIPAA as long as the reasons for such access are documented. When non-office personnel use the computer for maintenance or hardware installation, such personnel should sign and date some sort of business associate agreement in which they promise to abide by the CE's security P&Ps. (Addressable)

c. Access Establishment & Modification. A CE must implement P&Ps that, based upon the CE's access authorization, establish, document, review, and modify a user's right of access to a workstation, program, or process. This essentially means that a CE must be reviewing these issues on an ongoing basis and documenting any changes. (Addressable)

5. Security awareness and training. A CE must implement a security awareness and training program for its workforce.

a. Security Reminders. A CE must provide periodic security updates to its workforce, which essentially means that a CE should remind employees of their security responsibilities at monthly or quarterly staff meetings, as needed, and whenever its security P&Ps change. (Addressable)

b. Protection from Malicious Software. A CE must implement P&Ps for guarding against, detecting, and reporting malicious software, which means that a CE should not allow anyone to bring in any software or diskettes from home and a CE should not allow anyone to download any games, data, or software that have not been authorized or checked by the CE's security officer. Moreover, a CE should have virus protection software in place to detect computer viruses. (Addressable)

c. Log-in Monitoring. A CE must have P&Ps for monitoring log-in attempts and reporting discrepancies, which in practice means two things: configuring the computers that hold EPHI to lock an account (or require the security official's intervention) after a set number of consecutive failed log-in attempts, and periodically reviewing the record of failed attempts so that a pattern, such as repeated failures against one account at odd hours, is reported to the security official. (Addressable)

d. Password Management. A CE must have P&Ps for creating, changing, and safeguarding passwords, which essentially means that a CE should educate its workforce members about the proper use of passwords. (Addressable)

6. Security incident procedures. A CE must implement P&Ps on reporting and responding to known security incidents. A security incident is defined as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

a. Response & Reporting. A CE must identify, respond to, and document suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the CE; and document their outcome. (Required)

7. Contingency plan. A CE must implement P&Ps for responding to an emergency or other occurrence that damages the CE's equipment or systems containing EPHI.

a. Data Backup Plan. A CE must establish and implement P&Ps to create and maintain retrievable exact copies of EPHI, which essentially means that a CE must back up its data on a regular basis. The backups can be stored onsite in some sort of "Data Safe" or offsite in a secure location. Backup media contain the same EPHI as the live system and must be protected accordingly: access to them should be restricted (a password at a minimum, encryption where reasonable), and a restore should be tried periodically to confirm that the copies really are retrievable. (Required)

b. Disaster Recovery Plan. A CE must establish (and implement as needed) P&Ps to restore any loss of data, which essentially means that a CE must have a plan for recovering and restoring data in the case of an emergency. The plan should focus on restoring the most critical information first, e.g., patient records before computer games. (Required)

c. Emergency Mode Operation Plan. A CE must establish (and implement as needed) P&Ps to enable continuation of critical business processes for protection of the security of EPHI while operating in emergency mode, which essentially means that a CE must have a plan in place to carry out critical business functions (accessing patient records, scheduling, billing) if the CE must go without access to EPHI for an extended period of time, e.g., more than a few days. (Required)

d. Testing & Revision Procedures. A CE must implement P&Ps for the periodic testing & revision of contingency plans. (Addressable)

e. Applications & Data Criticality Analysis. A CE must assess the relative criticality of specific applications and data in support of other contingency plan components, which essentially means that a CE should determine before an emergency occurs which applications would be restored first, i.e., which applications are most critical to the operation of the practice. (Addressable)

8. Evaluation. A CE must perform a periodic technical and nontechnical evaluation, initially based upon the Standards and subsequently in response to environmental or operational changes affecting the security of EPHI, to determine the extent to which the CE's security P&Ps meet the requirements of the security regulations. (Required)

9. Business associate contracts and other arrangements. A CE may permit a business associate to create, receive, maintain, or transmit EPHI on behalf of the CE if the CE has obtained from the business associate "satisfactory assurances" that the business associate will appropriately safeguard the EPHI.

a. Written Contract or Other Arrangement. CEs are required to document the "satisfactory assurances" received from business associates through a written contract or other arrangement. This specification requires a CE to enter into Business Associate Agreements with outside parties who create, receive, maintain, or transmit EPHI on the CE's behalf. CAMFT is in the process of drafting a sample business associate agreement for such use. (Required)

Physical Safeguards
There are four physical safeguard standards, aimed at protecting a CE's electronic information systems, and the buildings and equipment that house them, from natural and environmental hazards and unauthorized intrusion. The emphasis is on limiting physical access to EPHI within the CE's office.

1. Facility access controls. A CE must implement P&Ps that limit physical access to electronic information systems and their locations to authorized individuals only.

a. Contingency Operations. A CE must establish (and implement as needed) P&Ps that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency, which essentially means that a CE should ensure that those who need access to EPHI, in the event of an emergency, are able to get such access. (Addressable)

b. Facility Security Plan. A CE must implement P&Ps to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft, which essentially means that a CE needs to take appropriate precautions to ensure that unauthorized individuals are not allowed access to computers or computer systems. Such precautions would include things like locks on doors, issuing keys to certain individuals, and locating workforce members in places where they can see and control what is going on in the practice. (Addressable)

c. Access Control & Validation Procedures. A CE must implement P&Ps to control and validate a person's access to facilities based on his or her role or function, including visitor control, and control of access to software programs for testing and revision, which essentially means that a CE should limit physical access to its facilities to only appropriately authorized individuals. (Addressable)

d. Maintenance Records. A CE must implement P&Ps to document repairs and modifications to the physical components of its facility that are related to security (for example, hardware, doors, walls, and locks), which essentially means that a CE should keep written records of actions taken to secure its physical facility. For instance, if the CE changes the locks on its office doors because a disgruntled ex-employee has threatened to steal computer equipment, the CE should keep written records evidencing the changes made to the locks. (Addressable)

2. Workstation use. A CE must implement P&Ps that describe what tasks can be performed at a particular workstation, how those tasks are to be performed, and the physical surroundings of workstations that can access EPHI. This specification relates to the physical surroundings of a workstation and to the use and storage of laptop computers, diskettes, and CDs. For instance, a CE needs to ensure that casual observers cannot view computer screens with EPHI on them and that laptop computers, diskettes, and CDs are stored in such a way that unauthorized individuals cannot gain access to them.

3. Workstation security. A CE must implement physical safeguards for workstations that can access EPHI to protect them from unauthorized users. For small practices, given space limitations, it is not always feasible to locate workstations in completely secure areas. However, the CE can still limit physical access to computers by utilizing access controls, passwords, locks on doors, and automatic logoffs.

4. Device & media controls. A CE must implement P&Ps governing the transport (receipt & removal) of hardware and electronic media that contain EPHI into, out of, and within the organization.

a. Disposal. A CE must implement P&Ps to address the final disposition of EPHI and/or the hardware or electronic media on which the EPHI is stored, which essentially requires a CE to properly dispose of its EPHI and computer hardware. Simply deleting the information from the system is not sufficient: deleting a file normally removes only its directory entry, and the data remain recoverable with common tools until they are overwritten. Disposal therefore means overwriting the media with a sanitization tool, degaussing magnetic media, or physically destroying the media, and keeping a record of what was disposed of, when, and how. (NIST Special Publication 800-88, Guidelines for Media Sanitization, describes these methods.) (Required)

b. Media Re-use. A CE must implement P&Ps for the removal of EPHI from electronic media before the media are made available for reuse, which essentially requires a CE to properly cleanse storage media, such as diskettes, CDs, and DVDs, of EPHI before the media are reused. As with disposal, emptying the recycle bin or doing a quick reformat is not enough; there are a number of software programs on the market that overwrite media so that they can safely be reused. (Required)

c. Accountability. A CE must maintain a record of the movements of hardware and electronic media and any person responsible therefor, which essentially means that a CE should keep an up-to-date inventory of any hardware, software, and related devices or media that contain EPHI. The inventory should document when and where these things are moved and who moved them. (Addressable)

d. Data Backup & Storage. A CE must create a retrievable, exact copy of EPHI, when needed, before the equipment is moved, which essentially requires a CE to back up EPHI before computer equipment is moved. (Addressable)

Technical Safeguards
There are five technical safeguard standards, aimed at using technology to protect EPHI and control access to it.

1. Access control. A CE must implement technical P&Ps for its electronic information systems that contain EPHI to allow access only to those persons or software programs that have been granted access rights.

a. Unique User Identification. A CE must assign a unique name and/or number for identifying and tracking user identity, which essentially requires a CE to assign each workforce member his or her own username (with a password or other credential). The point is accountability: shared or generic log-ins defeat this specification, because the audit records described below cannot then attribute an action to a particular person. Passwords should be changed periodically and should contain at least 8 alphanumeric characters to make them difficult to decode or guess (see also Password Management above). (Required)

b. Emergency Access Procedure. A CE must establish (and implement as necessary) P&Ps for obtaining necessary EPHI during an emergency. This specification was addressed under Contingency Planning. (Required)

c. Automatic Log-off. A CE must implement electronic procedures that terminate an electronic session after a predetermined time of inactivity, which essentially means that a CE should implement automatic logoff procedures through its operating systems. (Addressable)

d. Encryption & Decryption. A CE must implement a mechanism to encrypt and decrypt EPHI. This specification concerns EPHI stored on the CE's systems (for example, on a laptop or backup drive); encryption of EPHI while it is transmitted is covered separately under Transmission Security below. Because the specification is addressable, a CE is not automatically required to encrypt stored EPHI, but it must document its decision and, if it declines, the reasons and any alternative measure. A practical consideration: under the HITECH breach notification rules, EPHI on a lost or stolen device that was encrypted in a manner consistent with HHS guidance is not treated as "unsecured" and does not trigger notification, whereas unencrypted EPHI does. Whatever it decides about stored data, a CE utilizing e-mail should, at a minimum, apprise its patients that the CE will only communicate with patients via e-mail if the patient has signed a statement acknowledging that he or she understands that utilizing e-mail without encryption may lead to the patient's confidentiality being compromised. (Addressable)

2. Audit controls. A CE must install hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI. (Required) This specification requires a CE to have in place audit controls to monitor activity on its computer system, and the CE must review those records to ensure that activity on its system is appropriate. This could include reviewing and monitoring log-ons and log-offs, file accesses, updates, edits, or other system activity as well as any security incidents. The records must actually be reviewed (see Information System Activity Review above); a log that nobody reads satisfies neither standard.
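As an added example (not part of the original article, and not any EHR product's code), the following Python script shows what a review of information system activity records can look like in practice. It covers the audit controls just described together with the Information System Activity Review and Log-in Monitoring specifications above: it parses a constructed audit log and reports failed-log-in bursts, after-hours access to patient records, and any activity by an account that should have been disabled at termination. The log format, user names, lockout threshold, business hours and list of terminated accounts are constructed assumptions for the illustration.

```python
"""Periodic review of information-system activity records, as the Security Rule's
Information System Activity Review and Log-in Monitoring specifications call for.

Constructed example: the log format, field names, user names and thresholds below
are assumptions for illustration, not any real EHR product's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. One event per line: timestamp, user, event, optional patient.
SAMPLE_LOG = """\
2010-08-02T08:15:03 user=jdoe event=LOGIN_OK
2010-08-02T08:16:10 user=jdoe event=RECORD_VIEW patient=P-1042
2010-08-02T12:01:00 user=intruder event=LOGIN_FAIL
2010-08-02T12:01:04 user=intruder event=LOGIN_FAIL
2010-08-02T12:01:09 user=intruder event=LOGIN_FAIL
2010-08-02T12:01:15 user=intruder event=LOGIN_FAIL
2010-08-02T12:01:20 user=intruder event=LOGIN_FAIL
2010-08-02T23:40:00 user=msmith event=LOGIN_OK
2010-08-02T23:41:30 user=msmith event=RECORD_VIEW patient=P-2077
2010-08-03T09:05:00 user=rformer event=LOGIN_OK
2010-08-03T09:06:00 user=rformer event=RECORD_EDIT patient=P-1042
"""

# Assumed policy parameters the CE's security official would set.
TERMINATED_USERS = {"rformer"}          # from the CE's termination records
FAILED_LOGIN_LIMIT = 5                  # lockout threshold for failed log-ins
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (8, 18)                # record access expected 08:00-17:59


def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_bursts(records):
    """Users with FAILED_LOGIN_LIMIT or more failures inside FAILED_LOGIN_WINDOW."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            failures[r["user"]].append(r["ts"])
    findings = []
    for user, times in failures.items():
        times.sort()
        # Sliding window: the i-th and the (i+limit-1)-th failure fall inside the window.
        for i in range(len(times) - FAILED_LOGIN_LIMIT + 1):
            if times[i + FAILED_LOGIN_LIMIT - 1] - times[i] <= FAILED_LOGIN_WINDOW:
                findings.append({"type": "failed_login_burst", "user": user,
                                 "count": len(times), "first": times[i]})
                break
    return findings


def after_hours_access(records):
    """EPHI record events outside the practice's business hours."""
    start, end = BUSINESS_HOURS
    return [{"type": "after_hours_access", "user": r["user"],
             "patient": r.get("patient"), "ts": r["ts"]}
            for r in records
            if r["event"].startswith("RECORD_") and not start <= r["ts"].hour < end]


def terminated_user_activity(records):
    """Any activity by an account that should have been disabled at termination."""
    seen = defaultdict(int)
    for r in records:
        if r["user"] in TERMINATED_USERS:
            seen[r["user"]] += 1
    return [{"type": "terminated_user_activity", "user": user, "events": n}
            for user, n in seen.items()]


def review_log(text):
    """Run every check and return the combined list of findings for the security official."""
    records = parse_log(text)
    return (failed_login_bursts(records)
            + after_hours_access(records)
            + terminated_user_activity(records))


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Each finding is something the security official should look into and document under the Security Incident Procedures standard: the burst of failures against one account is the "discrepancy" Log-in Monitoring asks for, the late-night record view may be legitimate or may not be, and any activity by a terminated account means the Termination Procedures were not followed.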

3. Integrity. A CE must implement P&Ps to protect EPHI from being improperly altered or destroyed, which essentially means that EPHI should not be altered without the CE's knowledge or approval. The standard has one implementation specification:

a. Mechanism to Authenticate EPHI. A CE must implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner, for example a checksum or digital signature on stored records that is checked when the record is read. (Addressable)

4. Person or entity authentication. A CE must implement P&Ps to ensure that persons or organizations seeking access to EPHI are who they claim to be, which essentially requires a CE to verify the identities of those having or needing access to EPHI. For instance, if a CE hires a computer company to perform work on the CE's computer system, the CE should verify that the person sent to work on the system is really an employee of the company that the CE contracted with for such services. (Required)

5. Transmission security. A CE must implement security measures to prevent unauthorized access to EPHI that is being transmitted over an electronic communications network.

a. Integrity Controls. A CE must implement security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of. This specification relates to several discussed above, i.e., data authentication so that by complying with the other specifications a CE will also comply with this one. (Addressable)

b. Encryption. A CE must implement a mechanism to encrypt EPHI whenever the CE deems it appropriate to encrypt such information. Again, this is an addressable specification, but a CE needs to think long and hard about whether to encrypt EPHI in the CE's computer system and EPHI transmitted by e-mail. If EPHI is encrypted in transit (for example, by sending it only over a TLS-protected connection, or by encrypting the message or attachment itself), the risk of the EPHI being intercepted and misused is reduced. (Addressable)
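As an added example (not part of the original article), the following Python script illustrates the Integrity Controls specification (5.a) for transmitted EPHI: the sender attaches a keyed hash (HMAC-SHA256) to each record and the receiver recomputes it, so that a record altered in transit, or the same record delivered twice, is rejected rather than silently accepted. The shared key, sender name, sequence numbers and record contents are constructed assumptions. Note that a message authentication code provides integrity and origin authentication only; it does not hide the EPHI, which is the role of encryption under 5.b, and in practice a TLS connection supplies both.

```python
"""Integrity controls for transmitted EPHI: a keyed message authentication code
(HMAC-SHA256) over each record so that any modification in transit is detected.

Constructed example: the record contents, sender name and shared key are assumptions
for illustration. A MAC gives integrity and origin authentication, not confidentiality.
"""
import hashlib
import hmac
import json

# Constructed shared key. A real key would be generated randomly
# (secrets.token_bytes(32)) and exchanged out of band with the receiving party.
SHARED_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")


def seal(key, sender, seq, record):
    """Build an envelope: canonical JSON body plus an HMAC tag computed over the body.

    The sender and a sequence number are inside the authenticated body, so
    substituting the sender or replaying an old record also breaks the tag check.
    """
    body = json.dumps({"sender": sender, "seq": seq, "record": record},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(key, envelope, last_seq):
    """Verify the tag and sequence number; return the message or raise ValueError."""
    expected = hmac.new(key, envelope["body"].encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from how many bytes matched.
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("integrity check failed: record modified in transit or wrong key")
    message = json.loads(envelope["body"])
    if message["seq"] <= last_seq:
        raise ValueError("replayed or out-of-order record: seq %d" % message["seq"])
    return message


def tamper(envelope, old, new):
    """Simulate an in-transit modification of the body that leaves the tag untouched."""
    return {"body": envelope["body"].replace(old, new), "tag": envelope["tag"]}


def demo():
    """Exercise the three cases: intact record, altered record, replayed record."""
    record = {"patient": "P-1042", "note": "session 4, CPT 90837"}   # constructed EPHI
    env = seal(SHARED_KEY, "therapist-office", 1, record)
    accepted = unseal(SHARED_KEY, env, last_seq=0)["record"] == record
    try:
        unseal(SHARED_KEY, tamper(env, "90837", "90791"), last_seq=0)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        unseal(SHARED_KEY, env, last_seq=1)      # same envelope delivered a second time
        replay_detected = False
    except ValueError:
        replay_detected = True
    return {"accepted": accepted, "tamper_detected": tamper_detected,
            "replay_detected": replay_detected}


if __name__ == "__main__":
    print(demo())
```

The receiver keeps the last accepted sequence number per sender; that single piece of state is what turns "not modified" into "not modified and not replayed," which is what the specification's "without detection" language is after.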

Organizational & Documentation Requirements

  1. Business associate contracts. A CE must ensure that its contracts or other arrangements (e.g., a memorandum of understanding or agreement) with the entity's business associates are amended to address the security regulations.
  2. Policies and procedures. A CE must adopt reasonable and appropriate P&Ps for the entity to meet the standards, implementation specifications, and other requirements of the security regulations.
  3. Documentation. A CE must maintain, in written or electronic form, the P&Ps that it has implemented to comply with the security standards. It must also document in written or electronic form any action, activity, or assessment that is required by the security regulations.

    a. Time Limit. A CE must retain its P&Ps for six years from the date the P&Ps were created or the date they were last in effect, whichever is later. (Required)

    b. Availability. A CE must make documentation available to those persons responsible for implementing the P&Ps to which the documentation pertains. (Required)

    c. Updates. A CE must review its documentation periodically, and update its documentation as needed, in response to environmental or operational changes affecting the security of the EPHI. (Required)

As a review, complying with the Standards means adopting certain minimum Administrative, Physical, and Technical Safeguards, via the required and addressable specifications, to prevent unauthorized uses or disclosures of EPHI.

Ultimately, the Standards require CEs to do three things: first, CEs must understand how the Standards, via the required and addressable implementation specifications, help prevent unauthorized uses and disclosures of EPHI. Second, CEs must adopt the required specifications and reasonable and appropriate addressable specifications to help prevent unauthorized uses and disclosures of EPHI. And third, CEs must document what they have done, and what they will do, to comply with the Standards. Moreover, especially in the area of the addressable specifications, CEs must document why they have chosen one method of complying with a particular specification over another method. The key is having reasons for adopting or not adopting addressable specifications.

The first part of this article has been designed to give CEs an understanding of the specific requirements of the Administrative, Physical, and Technical Safeguards by delving into the required and addressable specifications. In the next section, we will focus on formulating a plan for complying with them.

To assist CEs in complying with the Standards, CAMFT has formulated the accompanying Compliance Worksheet ("Worksheet"). This Worksheet has been designed to get CEs thinking about how EPHI is managed within the CE. Because compliance plans will vary from CE to CE, we cannot formulate a set of security policies and procedures to cover all of the marriage and family therapy practices in California. There are simply too many variables from CE to CE to perform such a task. Therefore, CEs should use the Worksheet as a tool in terms of formulating their own security policies and procedures. Because of the technical nature of the issues raised in the Worksheet, we strongly recommend that CEs work with their computer consultants to address the questions raised in the Worksheet. Then, with the answers to the questions in hand, the CE will be able to implement its own security policies and procedures.

--------------------------------------------------------------------------------

The information contained in this article is intended to provide guidelines for addressing difficult business and legal dilemmas. It is not intended to address every situation that could possibly arise, nor is it intended to be a substitute for independent advice or consultation. When using such information as a guide, be aware that laws, regulations, and technical standards change over time, and thus one should verify and update any references or information contained herein.

[1] 45 CFR 164.306(a)(1)-(4)