The Privacy Rule establishes the standards for the protection of certain health information and the Security Rule defines the security standards for protecting health information that is held or transferred in electronic form. Thus the Security Rule operationalizes the protections implied by the Privacy Rule by addressing the technical and non-technical safeguards that, organizations called “covered entities”, must put in place to ensure security of individuals electronic protected health information (e-PHI).
Given the fact that the health care marketplace is diverse in nature, the Security Rule has been designed to be flexible & scalable so that “covered entity” can implement policies, procedures, and technologies as suitable based on entity’s size, structure and consumer specific risks.
What information is protected (PHI & e-PHI)?
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).
The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI).
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Key Elements of the HIPAA Security Rule
Please note that below section is just an overview of the Security Rule and it does not address every detail of each provision. The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI. The text of the final regulation can be found at 45 CFR Part 160 and Part 164, Subparts A and C.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically covered entities must:
1.Ensure the confidentiality, integrity, and availability (CIA) of all e-PHI they create, receive, maintain or transmit.
2.Identify & protect against reasonably anticipated threats to the security or integrity of the information.
3.Protect against reasonably anticipated, impermissible uses or disclosures and ensure compliance by their workforce.
“Confidentiality” means that e-PHI is not available or disclosed to unauthorized persons.
“Integrity” means that e-PHI is not altered or destroyed in an unauthorized manner
“Availability” means that e-PHI is accessible and usable on demand by an authorized person.
Risk Analysis and Management
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes.
It is recommended that below activities should be included into risk analysis process in addition to other factors as applicable with respective entity:
- Evaluate the likelihood and impact of potential risks to e-PHI.
- Implement appropriate security measures to address the risks identified in the risk analysis.
- Document the chosen security measures and, where required, the rationale for adopting those measures.
- Maintain continuous, reasonable, and appropriate security protections.
- Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.
Security Management Process: A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Security Personnel: A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
Information Access Management: Limiting uses & disclosures of PHI to the “minimum necessary,” the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).
Workforce Training and Management: A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
Evaluation: A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
Facility Access and Control: A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
Workstation and Device Security: A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
Access Control: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Covered Entity Responsibilities: If a covered entity knows of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation, the covered entity must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI.
Business Associate Contracts: Covered entities must have contracts in place with their contractors and others ensuring that they use and disclose your health information properly and safeguard it appropriately. HHS is developing regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009.
Policies and Procedures and Documentation Requirements
A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
Updates: A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).
Who is covered by the Security Rule?
The Security Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
What individual Information Is Protected?
Information your doctors, nurses, and other health care providers put in your medical record.
Conversations your doctor has about your care or treatment with nurses and others.
Information about you in your health insurer’s computer system
Billing information about you at your clinic.
Most other health information about you held by those who must follow these laws.
Who Is Not Required to Follow These Laws?
Many organizations that have health information about you do not have to follow these laws. Examples of organizations that do not have to follow the Privacy and Security Rules include:
Life insurers, employers, workers compensation carriers, many schools and school districts, many state agencies like child protective service agencies, many law enforcement agencies, and many municipal offices.