Covered entities should be aware of differences between the Privacy and Security Rule requirements regarding protected health information. One major distinction is that the HIPAA Security Rule only applies to electronic protected health information (e-PHI). A covered entity is responsible for maintaining confidentiality, integrity and availability of all e-PHI.
Under the HIPAA Security Rule, covered entities are required to do a risk analysis to document any risks or vulnerabilities to e-PHI. Any risks or vulnerabilities identified should be appropriately addressed and steps for mitigation documented, including necessary changes to policies and procedures. All documents should be kept for at least 6 years.
A plan should be developed based on the risk analysis results and should include how the practice uses the administrative, physical and technical safeguards to mitigate risks. This risk analysis should be an ongoing process and to achieve Meaningful Use, a review is required periodically. This is not a “one-size fits all” so the security measures are scalable to any size practice.
The Administrative, Physical and Technical Safeguards are the focus of the OCR Audit Program Protocol for the Security Rule.
Covered entities must comply with all of the standards listed below and some of these standards also have required implementation specifications that must be followed:
- Security Management Process (Required Implementation Specifications for Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review)
- Assigned Security Responsibility (Required Implementation Specification to Identify Security Official)
- Workforce Security
- Information Access Management (Required Implementation Specifications for Isolating Healthcare Clearinghouse Function)
- Security Awareness and Training
- Security Incident Procedures (Required Implementation Specification for Response and Reporting)
- Contingency Plan (Required Implementation Specifications for Data Backup Plan and Disaster Recovery Plan and Develop and Implementation of an Emergent Mode Operation Plan)
- Evaluation (Required Implementation Specification for Periodic Technical and Non-technical Evaluation)
- Business Associate Contracts and Other Arrangements (Required Implementation Specifications for a Written Contract)
- Facility Access Controls
- Workstation Use (Required Implementation Specification for Function and Physical Attributes)
- Workstation Security (Required Implementation Specification for Physical Safeguards and Access Restrictions)
- Device and Media Controls (Required Implementation Specifications regarding Methods for Final Disposal of e-PHI and Procedures for Reuse of Electronic Media)
- Access Controls (Required Implementation Specifications to Assign All System Users a Unique Identifier and to Establish Emergency Access Procedure)
- Audit Controls (Required Implementation Specification to Record and Examine Activity)
- Integrity Controls
- Transmission Controls
- Person or Entity Authentication (Required Implementation Specification for Authentication Procedures)
With the enactment of HITECH, the HIPAA Enforcement Rule allows Civil Monetary Penalties (CMP) for violations of the Privacy and/or Security Rules. A covered entity could be assessed a fine of up to $1.5M for identical violations in one calendar year even if the covered entity did not know about a violation and if known, the correction must occur in 30 days from discovery or be subject to maximum penalties.