A Guide to the Administrative Safeguards of HIPAA's Security Rule

by Michael P. Barry

The Health Insurance Portability and Accountability Act ("HIPAA") was originally signed into law in 1996. To implement HIPAA, the U.S. Department of Health and Human Services ("HHS") published the "Standards for Privacy of Individually Identifiable Health Information" (the "Privacy Rule") and the "Security Standards for the Protection of Electronic Protected Health Information" (the "Security Rule"). See 45 C.F.R. Parts 160 and 164, Subparts A, C, and E. Both the Privacy Rule and the Security Rule include important compliance deadlines for entities subject to HIPAA.

April 20, 2005 marked the Security Rule compliance date for most health care organizations. Despite this deadline, the Bureau of National Affairs recently reported that only 43% of health care providers have achieved Security Rule compliance.1 The Security Rule includes administrative safeguards, which are the policies, procedures and actions that protect the security of electronic protected health information ("EPHI"). This article discusses the steps necessary to comply with the administrative safeguards of the HIPAA Security Rule.

Who is subject to HIPAA?
HIPAA standards and requirements apply to "covered entities." These entities are:

1. Health plans (i.e., any individual or group plan that provides or pays the cost of health care),

2. Health care providers who transmit any health information in electronic format, and

3. Health care clearinghouses.

With the passage of the Medicare Prescription Drug, Improvement and Modernization Act of 2003 ("MMA"), Congress added a fourth entity to the list - Medicare prescription drug card sponsors. 42 U.S.C.A. § 1395W-141(h)(6) (West 2004). This fourth category of covered entity will remain in effect until the MMA drug card program ends in January 2006.

Compliance dates
Compliance with HIPAA regulations is both challenging and complex. For this reason, HHS established a series of compliance deadlines that allow a covered entity to implement HIPAA gradually. The following are some of the major HIPAA compliance deadlines:

* Standards for Electronic Transactions and Code Sets: October 16, 2002.

* Privacy Rule: April 14, 2003 (the Privacy Rule established standards that govern the use and disclosure of protected health information).

* Standard Unique Identifier for Employers: July 30, 2004. The compliance date for small health plans (defined as health plans with $5 million or less in annual receipts) was August 1, 2005.

* Security Rule: April 20, 2005. The compliance date for small health plans is April 20, 2006.

* Standard Unique Health Care Provider Identifier: May 23, 2007. The compliance date for small health plans is May 23, 2008.

What is the Security Rule?
The Security Rule is probably best understood by its four general obligations. First, a covered entity must ensure the confidentiality, integrity, and availability of all EPHI that it creates or receives. Second, it must protect against any reasonably anticipated threats or hazards to the security of EPHI. Third, it must protect against any reasonably anticipated uses or disclosures of EPHI in violation of HIPAA. And fourth, a covered entity must ensure compliance with the Security Rule by its workforce.

The Security Rule is divided into the categories of administrative, physical, and technical safeguards. Each safeguard includes general standards with which a covered entity must comply. The standards are comprised of "implementation specifications" that are either "required" or "addressable." If an implementation specification is required, then the covered entity must implement those policies and/or procedures. If it is addressable, then the covered entity must assess whether it is a reasonable and appropriate safeguard in the entity's environment. Should a covered entity decide not to implement an addressable specification after this assessment, it must document the reason and, if reasonable, document an equivalent alternative measure.

A covered entity has some discretion when implementing the Security Rule. It may consider any security measures that allow it to reasonably and appropriately implement the standards and implementation specifications of the Security Rule. When making this determination, the covered entity can consider its own size and complexity, its technical infrastructure, its software and hardware capabilities, the cost of implementing the security measures, and the probability and criticality of potential risks to its EPHI.

Administrative Safeguards

1. Security Management Process
Every covered entity must implement a Security Management Process ("SMP") to "prevent, detect, contain, and correct" security violations. 45 C.F.R. § 164.308(a). The SMP consists of four required implementation specifications: (a) risk analysis, (b) risk management, (c) sanction policy, and (d) information system activity review. Each of these four requirements is discussed in greater detail below.

First, a covered entity must conduct a risk analysis. Specifically, this requires an accurate and thorough assessment of the potential risks to and vulnerabilities of the covered entity's EPHI. The risk analysis should probably be conducted before any of the other required implementation specifications so the covered entity can make an initial evaluation of all the risks and vulnerabilities to its EPHI.

Second, the risk management specification requires a covered entity to implement security measures that are sufficient to reduce risks and vulnerabilities to a reasonable level. These security measures must remain current and should be periodically updated as needed. Third, a sanction policy is necessary to appropriately sanction workforce members who fail to comply with the security policies and procedures of the covered entity. Finally, a covered entity must conduct an information system activity review. To achieve this, a covered entity must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

2. Appoint a Security Officer
A covered entity must designate a member of its workforce as the HIPAA security officer. This individual is responsible for the covered entity's implementation of the Security Rule's policies and procedures. A corresponding position - a privacy officer - is required by HIPAA's Privacy Rule (see 45 C.F.R. § 164.530(a)(1)). The security officer can be the same person as the privacy officer.

3. Company Training
The Security Rule requires that a covered entity train its workforce to implement security awareness. All members of an organization's workforce, including management and executive-level employees, should participate in this training. A record should be maintained to verify which employees have received the training.

4. Amend Business Associate Agreements
HIPAA's Privacy Rule requires each covered entity to have contracts with business associates who have access to the covered entity's protected health information ("PHI"). These contracts are called "Business Associate Agreements" ("BAAs"). If the business associate receives or maintains EPHI on the covered entity's behalf, then the BAA must be amended to include the standards of the Security Rule. These amendments must provide that the business associate will:

a. Implement administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of the EPHI that it maintains on behalf of the covered entity;

b. Ensure that any agent, including a subcontractor, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect the EPHI;

c. Report to the covered entity any security incident2 of which it becomes aware; and

d. Permit the covered entity to terminate the BAA if the covered entity determines that the business associate has violated a material term of the contract.

5. Contingency Plan
Each covered entity must establish policies and procedures for responding to an emergency or other similar occurrence (i.e., fire, vandalism, system failure, natural disaster, etc.) that damages the systems that maintain EPHI. This contingency plan includes three mandatory implementation specifications:

a. Data backup plan. A covered entity must develop procedures to maintain retrievable, exact copies of its EPHI.

b. Disaster recovery plan. Procedures must be established to restore any loss of data.

c. Emergency mode operation plan. A covered entity must establish procedures to protect the security of EPHI while operating in an emergency mode.

6. Physical and Technical Safeguards
As noted earlier, the Security Rule is divided into two additional categories of safeguards: Physical and Technical. A detailed discussion of these safeguards is beyond the scope of this article, but a brief description here will suffice. In general, Physical safeguards are the mechanisms required to protect electronic systems, equipment, and their data from threats, environmental hazards and unauthorized intrusion. They include restricting access to EPHI, retaining off-site computer backups, workstation security, and data backup and storage. See 45 C.F.R. § 164.310(a)-(d).

Technical safeguards are primarily the automated processes used to protect and control access to EPHI. They include using authentication controls to verify that a person signing onto a computer is authorized to access EPHI, encryption and decryption of EPHI as it is stored and transmitted, and mechanisms to protect data from being altered or destroyed in an unauthorized manner. See 45 C.F.R. § 164.312(a)-(c).

Conclusion
Although the April 20, 2005, deadline for the Security Rule has passed for most covered entities, compliance is a continuing obligation. As the Centers for Medicare and Medicaid Services ("CMS") explained on their website: "Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as covered entities' organizations and technologies change." A covered entity must therefore regularly review its Administrative Safeguards and modify them as needed to ensure continued compliance with HIPAA.


1. Many Organizations Not in Compliance with HIPAA Rules, According to a Survey, Pension & Benefits Reporter (BNA) 1718-19 (August 9, 2005).

2. A "security incident" is defined as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." 45 C.F.R. § 164.304.

This page contains a single entry from the blog posted on April 17, 2006 2:15 PM.
The Utah State Bar presents this web site as a service to our members and to the public. Information presented in this site is NOT legal advice. Please review the Terms of Use for more policy, disclaimer & liability information - ©Utah State Bar email: info@utahbar.org