Getting Serious About Security: Final HIPAA Security Regulations

In February of 2003, the Department of Health and Human Services published the final security regulations under the Health Insurance Portability and Account-ability Act of 1996 (HIPAA). The final regulations, commonly referred to as the HIPAA security rule, are part of HIPAA?s administrative simplification, designed to encourage automation in healthcare information management while addressing concerns about privacy and security. The HIPAA security rule requires health plans, health care clearinghouses, and health care providers that maintain or transmit electronic health information to maintain reasonable and appropriate safeguards to:

  • ensure the integrity and confidentiality of health information;
  • protect against threats to security and unauthorized uses and disclosures of health information; and
  • otherwise ensure their officers? and employees? compliance with the security standards.

Like the HIPAA privacy rule, the HIPAA security rule applies to health information that has not been de-identified by removing all individual identifiers. Unlike the HIPAA privacy rule, the HIPAA security rule only applies to electronic health information; it does not apply to paper files or forms. Additionally, the HIPAA security rule, unlike the HIPAA privacy rule, contains no exemption or special rule for fully insured plans.

ERISA health plans and health insurers should begin planning now for HIPAA security rule compliance. Large plans must comply by April 21, 2005. Small plans (plans with annual receipts of under five million dollars) have an additional year to comply.

Plan Sponsors Should Take HIPAA Security Rule Planning Seriously

Compliance Could be Costly and Complicated

Plan sponsors will need to develop, implement, and test administrative, physical, and technical safeguards to protect health information maintained by their health plans. In many instances, upgrades to worksite security, hardware, and software will be required. These types of upgrades can be costly, might impact system operations if not carefully designed, and will require participation by multiple workgroups, including human resources, legal, facilities, upper management and IT.

Failure to Comply Exposes Companies to Lawsuits and Penalties.

Failure to implement and document reasonable and appropriate security safeguards could have very serious consequences. Recently, security failures have become a growing source of litigation. In one action, TriWest, a third party administrator, was sued by a class of 550,000 beneficiaries enrolled in TRICARE through TriWest Healthcare Alliance Corporation for negligent disclosure when several hard drives were stolen from the property manager?s office. Lawsuits for security failures are generally brought under state statutes or as common law tort claims for negligent disclosure. Historically, Plaintiffs have had difficulty proving negligence because there has been uncertainty as to the standard of care companies owe when computer technology is involved. Now, the HIPAA security rule establishes a uniform federal standard. Additionally, HIPAA requires that plan?s document their compliance. This documentation creates both the sword and the shield that may determine the outcome of future lawsuits involving the security of electronic health information. Additionally, companies? public and employee perception can be injured by security failures and the Department of Human Services may impose civil monetary penalties of $100 per HIPAA security violation with a maximum fine of $25,000 per calendar year for multiple identical violations.

Compliance Must be Specifically Tailored to Each Plan

The HIPAA security rule is designed to be flexible, scaleable, and technology neutral. To comply with the HIPAA security rule, the plan will need to conduct a risk analysis. Based on that risk analysis, the plan must design a security policy and implement administrative, physical, and technical safeguards. To do so, the plan must adhere to 13 “required implementation specifications” and will address 22 additional “addressable implementation specifications.” The plan will need to consider whether each “addressable implementation specification” is reasonable and appropriate taking into account the plan?s size, complexity, capabilities, technical infrastructure, security capabilities, hardware security capabilities, software security capabilities, costs, and the likelihood and seriousness of potential risks. Implementation specifications that are unreasonable or inappropriate may be disregarded if the overall safeguard can be met without it; otherwise, an alternative means of meeting the safeguard must be found. The process must be documented and updated as technology advances.

Compliance Involves Process, People and Technology

Many health plan administrators and advisors are under the misperception that security compliance will be handled by the IT department. The IT department should be involved in security compliance, but cannot complete compliance alone. HIPAA security standards require specific processes and documentation for human resources, facilities, and technology. No one department can alone secure compliance. The IT department will need guidance to determine where firewalls are needed. Password security requires support from all employees. Human Resources will need to develop training and awareness programs, impose sanctions for violations, and consider hiring, firing, and security clearance issues. Facilities will need to be secured and maintained. Legal personnel will need to ensure that each implementation specification is addressed and that the risk assessment, the security policy, and the security procedures are adequately documented taking into account the litigation risks. Even purely technology based security measures such as scanners, intrusion detection, and logging tools need to be implemented with the plan itself in mind and will need to take into account existing privacy procedures. This type of collaboration requires leadership and planning, which means that upper management must be aware and involved.

Security Compliance Planning Should Start Now

The compliance deadline for large plans is only 15 months away. It will take time to coordinate between departments and it will take a significant amount of time to develop, implement, and test devices and procedures. At a minimum, large health plans should take the following steps over the next few months:

  • Create a Security Team. Human resources, legal, IT and facilities must be involved.
  • Alert Upper Management. Upper management must understand the importance of HIPAA security rule compliance and the risks involved.
  • Take Inventory. Inventory current security procedures and vulnerabilities.
  • Develop a Budget. The budget should anticipate the purchase of hardware and software, facility improvements, legal and consulting fees.

Administrative Safeguards

Administrative safeguards assign responsibility for security implementation and require processes and procedures to effectuate compliance.

  • Security Management Process. Formal polices and procedures must prevent, detect, contain, and correct security violations.
  • Assigned Security Responsibility. One person must be ultimately responsible for security.
  • Workforce Security. Access to electronic health information must be limited to appropriate em-ployees.
  • Information Access Management. Authority to access electronic health information must granted using established procedures.
  • Security Awareness. Employees must receive train-ing regarding security.
  • Security Incident. The plan must identify, document, and respond to security incidents.
  • Contingent Covered Entity. Security and critical processes must continue in an emergency.
  • Evaluation. Required evaluations may be internal or external.
  • Business Associate Contracts and Other Arrangements. Business associate contracts must be re-vised to document written security assurances.

Physical Safeguards

Physical safeguards require secured facilities and work-stations for computers, devices, and hardware.

  • Facility Access Controls. Access to the facilities must be controlled.
  • Workstation Use. The functions and physical attri-butes of each workstation with access to electronic health information must be specified.
  • Workstation Security. Access to workstations must be limited.
  • Device and Media Controls. The movement and disposal of hardware and electronic media containing electronic health information must be controlled.

Technical Safeguards

Technical safeguards require authorization, verification, and controls to maintain network and computer security and to protect the integrity of electronic information.

  • Access Control. Information systems must limit access to authorized persons and software.
  • Audit Control. Information system activity must be recorded and examined.
  • Integrity. Improper alteration or destruction of electronic health information must be prevented.
  • Person or Entity Authentication. The identity of per-sons or entities seeking access to electronic health information must be verified.
  • Transmission Security. Unauthorized access to electronic health information transmitted over a network must be prevented.