In this
issue, we are using this column to provide an overview of
HIPAA's Final Security Rule.
Relevant
dates: The Final Security Rule became effective April
21, 2003, and compliance is required by covered entities
as of April 21, 2005 (small health plans were given one
additional year, until April 2006).
Purpose:
The purpose of the Security Rule is to require covered
entities to protect against reasonably anticipated threats
or hazards, and improper use or disclosure of electronic
protected health information.
Information
covered: Whereas the Privacy Rule's standards apply
to all protected health information in all forms (i.e.,
electronic, paper, and oral information), the Security Rule's
standards apply only to electronically maintained or transmitted
protected health information.
Core
concepts: The Department of Health and Human Services
(HHS) has indicated that the Security Rule is based on the
following three concepts: 1) the Rule should be comprehensive
and coordinated to address all aspects of security, 2) the
Rule should be scalable, so that it can be effectively implemented
by covered entities of all types and sizes, and 3) the Rule
should be technology-neutral. Accordingly, the Security
Rule allows covered entities to determine and implement
what is reasonable and appropriate for their own individual
practices.
Flexibility
of the Security Rule: The regulation itself, at §164.306(b),
addresses the flexibility of the Security Rule as follows:
(1) Covered entities may use any security measures that
allow the covered entity to reasonably and appropriately
implement the standards and implementation specifications
as specified in this subpart.
(2) In deciding which security measures to use, a covered
entity must take into account the following factors:
(i) the size, complexity, and capabilities of the covered
entity,
(ii) the covered entity's technical infrastructure, hardware,
and software security capabilities,
(iii) the costs of security measures, and
(iv) the probability and criticality of potential risks
to electronic protected health information.
General
requirements: In short, the Security Rule requires a covered
entity, such as a covered provider, to do the following: 1) conduct
a risk analysis to assess potential risks and vulnerabilities to
the confidentiality, integrity, and availability of electronic
protected health information held by the covered entity,
2) develop, implement, and maintain appropriate security
measures to reduce those risks (risk management), 3) document the
security measures in policies and procedures, and 4) periodically
review and update the risk analysis and the security measures.
Risk analysis and risk management are "required" implementation
specifications under §164.308(a)(1); they are the starting point
for everything else in the Rule.
Safeguards and standards: The Security Rule includes
administrative, physical, and technical safeguards. Each
of these safeguards consists of "standards" (what
must be done) and "implementation specifications"
(how it must be done) for the protection of electronic
protected health information. Every standard is mandatory.
Implementation specifications, however, come in two types:
"required" specifications, which all covered entities must
carry out as written, and "addressable" specifications,
for which a covered entity must assess whether the measure
is reasonable and appropriate in its environment. "Addressable"
does not mean optional: if the measure is reasonable and
appropriate, the entity must implement it; if not, it must
document why and implement an equivalent alternative measure
where one is reasonable and appropriate [§164.306(d)].
Encryption of electronic protected health information, for
example, is an addressable specification [§164.312(a)(2)(iv)
and §164.312(e)(2)(ii)], so a covered entity that decides
not to encrypt must document that decision and the
alternative measure it adopted.
The
Security Rule is inextricably linked with the Privacy Rule:
The confidentiality protections contained in the Privacy
Rule depend on specific security measures taken to protect
the information. The Privacy Rule requires that the information
be protected, and the Security Rule specifies what must
be done to protect the information. Violation of a Privacy
Rule provision, such as unauthorized employee access, may
also constitute a Security Rule violation (if the improperly
accessed information was electronic protected health information).
Conversely, a Security Rule violation involving electronic
protected health information may also violate the Privacy Rule,
which independently requires covered entities to maintain
appropriate administrative, technical, and physical safeguards
[§164.530(c)].
Electronic
Signatures: Not included in the Final Security Rule;
HHS will publish a Final Rule for Electronic Signatures
at a later date.
Penalties:
The penalties for violations of the Security Rule are
the same as for violations of the Privacy Rule. Civil penalties
are $100 per violation, up to $25,000 per year for each
requirement violated [42 USC 1320d-5]. Criminal penalties
apply to knowingly obtaining or disclosing individually
identifiable health information in violation of HIPAA: up to
$50,000 in fines and one year in prison; up to $100,000 and
five years if the offense is committed under false pretenses;
and up to $250,000 in fines and 10 years in prison for wrongful
disclosures committed for "commercial advantage, personal gain,
or malicious harm" [42 USC 1320d-6].
Enforcement:
The Security Rule is enforced by HHS' Centers for Medicare
& Medicaid Services (CMS). (The Privacy Rule is enforced
by HHS' Office for Civil Rights.)
For
more information:
HHS'
Centers for Medicare & Medicaid Services:
· FAQs
· news and updates
· access to the text of the Security Rule,
and
· contact information for CMS (askhipaa@cms.hhs.gov
and 866-282-0659)
American
Health Information Management Association (under
Resources):
· Journal article - Translating the Language
of Security, June 2003
· Practice Brief - A HIPAA Security Overview,
April 2004
· Practice Brief - Security Risk Analysis
and Management: An Overview, October 2003
Workgroup
for Electronic Data Interchange:
· SECURITY: Small Practice Implementation
White Paper, April 2004
· SECURITY: Risk Analysis White Paper, July
2004
The
Psychiatrists' Program:
· HIPAA Help
section
· Online Education
Center with the following multimedia presentations:
- HIPAA's Security Rule - What You Need
to Know
- HIPAA - You Asked For It!
- Who Must Comply with the Privacy Rule
- An Overview of HIPAA's Privacy Rule