Getting Serious About Security:
Final HIPAA Security Regulations
In February of 2003, the Department of Health and Human Services published the final security regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final regulations, commonly referred to as the HIPAA security rule, are part of HIPAA's administrative simplification, designed to encourage automation in healthcare information management while addressing concerns about privacy and security. The HIPAA security rule requires health plans, health care clearinghouses, and health care providers that maintain or transmit electronic health information to maintain reasonable and appropriate safeguards to:
- ensure the integrity and confidentiality of health information;
- protect against threats to security and unauthorized uses and disclosures of health information; and
- otherwise ensure their officers' and employees' compliance with the security standards.
Like the HIPAA privacy rule, the HIPAA security rule applies to health information that has not been de-identified by removing all individual identifiers. Unlike the HIPAA privacy rule, the HIPAA security rule only applies to electronic health information; it does not apply to paper files or forms. Additionally, the HIPAA security rule, unlike the HIPAA privacy rule, contains no exemption or special rule for fully insured plans.
ERISA health plans and health insurers should begin planning now for HIPAA security rule compliance. Large plans must comply by April 21, 2005. Small plans (plans with annual receipts of under five million dollars) have an additional year to comply.
Plan Sponsors Should Take HIPAA Security Rule Planning Seriously
Compliance Could be Costly and Complicated
Plan sponsors will need to develop, implement, and test administrative, physical, and technical safeguards to protect health information maintained by their health plans. In many instances, upgrades to worksite security, hardware, and software will be required. These types of upgrades can be costly, might impact system operations if not carefully designed, and will require participation by multiple workgroups, including human resources, legal, facilities, upper management and IT.
Failure to Comply Exposes Companies to Lawsuits and Penalties.
Failure to implement and document reasonable and appropriate security safeguards could have very serious consequences. Recently, security failures have become a growing source of litigation. In one action, TriWest, a third party administrator, was sued by a class of 550,000 beneficiaries enrolled in TRICARE through TriWest Healthcare Alliance Corporation for negligent disclosure when several hard drives were stolen from the property manager's office. Lawsuits for security failures are generally brought under state statutes or as common law tort claims for negligent disclosure. Historically, plaintiffs have had difficulty proving negligence because there has been uncertainty as to the standard of care companies owe when computer technology is involved. Now, the HIPAA security rule establishes a uniform federal standard. Additionally, HIPAA requires that plans document their compliance. This documentation creates both the sword and the shield that may determine the outcome of future lawsuits involving the security of electronic health information. Additionally, companies' public and employee perception can be injured by security failures, and the Department of Human Services may impose civil monetary penalties of $100 per HIPAA security violation with a maximum fine of $25,000 per calendar year for multiple identical violations.
Compliance Must be Specifically Tailored to Each Plan
The HIPAA security rule is designed to be flexible, scalable, and technology neutral. To comply with the HIPAA security rule, the plan will need to conduct a risk analysis. Based on that risk analysis, the plan must design a security policy and implement administrative, physical, and technical safeguards. To do so, the plan must adhere to 13 "required implementation specifications" and will address 22 additional "addressable implementation specifications." The plan will need to consider whether each "addressable implementation specification" is reasonable and appropriate taking into account the plan's size, complexity, capabilities, technical infrastructure, security capabilities, hardware security capabilities, software security capabilities, costs, and the likelihood and seriousness of potential risks. Implementation specifications that are unreasonable or inappropriate may be disregarded if the overall safeguard can be met without them; otherwise, an alternative means of meeting the safeguard must be found. The process must be documented and updated as technology advances.
Compliance Involves Process, People and Technology
Many health plan administrators and advisors are under the misperception that security compliance will be handled by the IT department. The IT department should be involved in security compliance, but cannot complete compliance alone. HIPAA security standards require specific processes and documentation for human resources, facilities, and technology. No one department can alone secure compliance. The IT department will need guidance to determine where firewalls are needed. Password security requires support from all employees. Human Resources will need to develop training and awareness programs, impose sanctions for violations, and consider hiring, firing, and security clearance issues. Facilities will need to be secured and maintained. Legal personnel will need to ensure that each implementation specification is addressed and that the risk assessment, the security policy, and the security procedures are adequately documented taking into account the litigation risks. Even purely technology based security measures such as scanners, intrusion detection, and logging tools need to be implemented with the plan itself in mind and will need to take into account existing privacy procedures. This type of collaboration requires leadership and planning, which means that upper management must be aware and involved.
Security Compliance Planning Should Start Now
The compliance deadline for large plans is only 15 months away. It will take time to coordinate between departments, and it will take a significant amount of time to develop, implement, and test devices and procedures. At a minimum, large health plans should take the following steps over the next few months:
- Create a Security Team. Human resources, legal, IT and facilities must be involved.
- Alert Upper Management. Upper management must understand the importance of HIPAA security rule compliance and the risks involved.
- Take Inventory. Inventory current security procedures and vulnerabilities.
- Develop a Budget. The budget should anticipate the purchase of hardware and software, facility improvements, legal and consulting fees.
Administrative safeguards assign responsibility for security implementation and require processes and procedures to effectuate compliance.
- Security Management Process. Formal policies and procedures must prevent, detect, contain, and correct security violations.
- Assigned Security Responsibility. One person must be ultimately responsible for security.
- Workforce Security. Access to electronic health information must be limited to appropriate employees.
- Information Access Management. Authority to access electronic health information must be granted using established procedures.
- Security Awareness. Employees must receive training regarding security.
- Security Incident. The plan must identify, document, and respond to security incidents.
- Contingent Covered Entity. Security and critical processes must continue in an emergency.
- Evaluation. Required evaluations may be internal or external.
- Business Associate Contracts and Other Arrangements. Business associate contracts must be revised to document written security assurances.
Physical safeguards require secured facilities and workstations for computers, devices, and hardware.
- Facility Access Controls. Access to the facilities must be controlled.
- Workstation Use. The functions and physical attributes of each workstation with access to electronic health information must be specified.
- Workstation Security. Access to workstations must be limited.
- Device and Media Controls. The movement and disposal of hardware and electronic media containing electronic health information must be controlled.
Technical safeguards require authorization, verification, and controls to maintain network and computer security and to protect the integrity of electronic information.
- Access Control. Information systems must limit access to authorized persons and software.
- Audit Control. Information system activity must be recorded and examined.
- Integrity. Improper alteration or destruction of electronic health information must be prevented.
- Person or Entity Authentication. The identity of persons or entities seeking access to electronic health information must be verified.
- Transmission Security. Unauthorized access to electronic health information transmitted over a network must be prevented.
Copyright © 2006 Trucker Huss. All rights reserved. This article is published as an information source for our clients and colleagues. The article is current as of the date shown above, is general in nature and is not the substitute for legal advice or opinion in a particular case. In response to new IRS rules of practice, we inform you that any federal tax information contained in this writing cannot be used for the purpose of avoiding tax-related penalties or promoting, marketing or recommending to another party any tax-related matters in this writing.