Security - Overview

FINAL HIPAA SECURITY STANDARDS
FOR HEALTH CARE INFORMATION

In February 2003 the Department of Health and Human Services issued the long-awaited final Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  It was worth the wait.  In many ways, the final regulation is less onerous, more streamlined, and more flexible than the proposed rule.

That doesn't mean, however, that health care providers can take the new standards lightly.  To the contrary, the standards make it clear that the compliance bar is set quite high.  Providers have two years to clear that bar before the requirements become enforceable in April 2005.

Security should not be a new concept to providers who have come into compliance with the HIPAA Privacy regulation.  The Privacy rule includes a "mini-security" provision requiring providers to implement "appropriate administrative, technical and physical safeguards" for health information.  Security considerations should already have been factored into the development of Privacy policies and procedures.

Application of the Security Standards - Electronic Information Only

Both the Privacy and Security regulations apply to individually identifiable health information, known as Protected Health Information ("PHI").  The Privacy safeguards apply to PHI in all forms (e.g., electronic, paper, verbal).  The Security regulation, however, applies more narrowly.  It covers only Electronic Protected Health Information ("EPHI") - PHI that is stored in, or transmitted by, electronic media.

Electronic storage media include computer hard drives, magnetic tapes and disks.  Transmissions are covered if they involve information that exists in electronic format before the transmission.  For example, transmissions via the Internet, dial-up lines, leased lines or private networks are subject to the Security regulation because the information starts in electronic format.  Physically moving a disk containing PHI is covered for the same reason.  However, fax transmission of a paper document and telephone communication are not covered because the information did not exist in electronic format before the transmission.

What's Required?

The Security Rule sets out four core requirements.  Covered entities must:

  • Ensure the confidentiality, integrity and availability of all EPHI they create, receive, maintain or transmit;
  • Protect against reasonably anticipated threats or hazards to the security or integrity of EPHI;
  • Protect against reasonably anticipated uses or disclosures of EPHI that are not permitted or required under the Privacy regulation; and
  • Ensure compliance with the Security Rule by their workforces.

To accomplish these requirements, the Rule establishes standards and implementation specifications.  The standards explain what must be done; the implementation specifications explain how to do it.

The implementation specifications are designated as either "required" or "addressable."  Required specifications must be implemented as described in the Rule.  Addressable implementation specifications give covered entities more flexibility to determine how best to achieve the standard within their own organization.  For addressable specifications, a covered entity must first assess whether the specification is reasonable and appropriate in its own environment.  If it is reasonable and appropriate, it must be implemented as written.  If it is not, the covered entity must document why it is not and implement an equivalent alternative security measure that better fits the organization.

HHS gives providers guidance on how to determine whether a given safeguard is reasonable and appropriate.  The Rule specifically states that, in deciding which security measures to use, a covered entity must take into account:

  • The entity's size, complexity and capabilities;
  • The entity's technical infrastructure, hardware and software security capabilities;
  • The costs of security measures; and
  • The probability and criticality of potential risks to EPHI.

The specific allowance for cost to be one of the determining factors is a significant improvement over the proposed regulation for small providers.  HHS cautions, however, that compliance with every standard is required and cost considerations will not excuse ineffective security.  "[T]here is a clear requirement that adequate security measures be implemented . . . Cost is not meant to free covered entities from this responsibility."

The Standards

The Security standards are grouped into three broad categories: Administrative, Physical and Technical.  (All of the standards and implementation specifications are provided in the matrix at the end of this overview.)

Administrative Safeguards

The first Administrative standard requires a security management process to prevent, detect, contain and correct security violations.  Its implementation specifications begin with the key component of any effective security program -- a thorough risk assessment to identify the potential risks and vulnerabilities to EPHI.  The risk assessment will provide the road map for how to prioritize and implement all of the standards and implementation specifications.

Other Administrative requirements include:

  • Designating a security officer;
  • Ensuring appropriate access (or limitations on access) to EPHI for workforce members;
  • Providing security training;
  • Implementing procedures to respond to security breaches;
  • Establishing a contingency plan for responding to emergencies affecting EPHI;
  • Performing periodic evaluations to confirm that security measures are keeping pace with changes in technology and the organization.

Like the Privacy Rule, the Security Rule requires covered entities to enter into contracts to ensure continued protection of EPHI in the hands of business associates that create, receive, maintain or transmit covered information on the covered entities' behalf.

Physical Safeguards

The Physical safeguard requirements address how the covered entity will limit physical access to its EPHI systems while ensuring that properly authorized access is allowed.  The standards require covered entities to implement policies, procedures and safeguards:

  • Governing access to the facility;
  • Specifying the proper uses and physical attributes of workstations;
  • Restricting access to EPHI to authorized users;
  • Governing the receipt and removal of hardware and electronic media that contain EPHI.

Technical Safeguards

The Technical standards call for policies, procedures and technical mechanisms to:

  • Control access to EPHI;
  • Audit activity in electronic information systems;
  • Protect EPHI from improper alteration or destruction;
  • Authenticate users;
  • Guard against unauthorized access to EPHI that is being transmitted over a network.

The Security Rule is clear that the standards and implementation specifications are scalable and technologically neutral.  No specific hardware or software is mandated.  Each covered entity has the flexibility to adopt the technology that most reasonably and appropriately enables it to meet the standards.

Conclusion

Although providers are still catching their breath from implementing the Privacy regulation, it is clear from the Security Rule that they cannot yet relax their HIPAA guard.  The final rule eliminates much of the confusion and concern generated by the proposed regulation.  But it is also clear that HHS has set a high standard for the security of electronic health information.  Focused, diligent efforts will be required for compliance.

HIPAA Security Rule Matrix

Each standard is listed with its implementation specifications indented beneath it.
(R) = Required   (A) = Addressable

Administrative Safeguards

  Security Management Process
    Risk Analysis (R)
    Risk Management (R)
    Sanction Policy (R)
    Information System Activity Review (R)

  Assigned Security Responsibility (R)

  Workforce Security
    Authorization and/or Supervision (A)
    Workforce Clearance Procedure (A)
    Termination Procedures (A)

  Information Access Management
    Isolating Healthcare Clearinghouse Function (R)
    Access Authorization (A)
    Access Establishment and Modification (A)

  Security Awareness and Training
    Security Reminders (A)
    Protection from Malicious Software (A)
    Log-in Monitoring (A)
    Password Management (A)

  Security Incident Procedures
    Response and Reporting (R)

  Contingency Plan
    Data Backup Plan (R)
    Disaster Recovery Plan (R)
    Emergency Mode Operation (R)
    Testing and Revision Procedure (A)
    Applications and Data Criticality Analysis (A)

  Evaluation (R)

  Business Associate Contracts and Other Arrangements
    Written Contract or Other Arrangement (R)

Physical Safeguards

  Facility Access Controls
    Contingency Operations (A)
    Facility Security Plan (A)
    Access Control and Validation Procedures (A)
    Maintenance Records (A)

  Workstation Security (R)

  Device and Media Controls
    Disposal (R)
    Media Re-use (R)
    Accountability (A)
    Data Backup and Storage (A)

Technical Safeguards

  Access Control
    Unique User Identification (R)
    Emergency Access Procedure (R)
    Automatic Logoff (A)
    Encryption and Decryption (A)

  Audit Controls (R)

  Integrity
    Mechanism to Authenticate Electronic Protected Health Information (A)

  Person or Entity Authentication (R)

  Transmission Security
    Integrity Controls (A)
    Encryption (A)

Revised: March 2004