KP

General Rules-Chapter 10

  • CEs must demonstrate and document that they have done the following:

    • Ensured the confidentiality, integrity, and availability of all ePHI that is created, received, maintained, or transmitted by the covered entity

    • Protected ePHI against any reasonably anticipated threats or hazards to the security or integrity of ePHI

    • Protected ePHI against any reasonably anticipated uses or disclosures that are not permitted under the HIPAA Privacy Rule

    • Ensured compliance with the HIPAA Security Rule by workforce members

  • The Security Rule is flexible, scalable, and technology neutral. Regarding flexibility, HIPAA allows a CE to adopt security protection measures that are appropriate and reasonable for it.

    • Ex. Security mechanisms will be more complex in a large hospital than in a small group practice. When determining which security measures to use, the following must be taken into account:

      • Size, complexity, and capabilities of the CE

      • Technical infrastructure, hardware, and software capabilities

      • Security measure costs

      • Probability and criticality of the potential risks to ePHI

  • Scalable means that the Security Rule is written so that it accommodates CEs of any size. Technology neutral means that specific technologies are not prescribed, allowing organizations to develop as their technological capabilities evolve.

  • The HIPAA Security Rule identifies standards that CEs must comply with. Business associates, hybrid entities, and other related entities are also required to comply with these standards.

  • Implementation specifications define how standards are to be implemented. Implementation specifications are either required or addressable. CEs must apply all implementation specifications that are required. Addressable does NOT mean optional.

    • For specifications listed as addressable, the CE must conduct a risk assessment and evaluate whether the specification is appropriate to its environment.

  • Ex. If the CE decides not to encrypt PHI because it deems encryption too expensive, the CE must do the following:

    • Document why it is not reasonable and appropriate to implement that specification as written.

    • Implement an equivalent alternative method if reasonable and appropriate

  • MAINTENANCE: HIPAA requires CEs and business associates to maintain their security measures. Maintenance requires review and modification, as needed, to comply with the provision of reasonable and appropriate protection of ePHI.

ADMINISTRATIVE SAFEGUARDS

  • Documented formal practices to manage data security measures throughout the CE.

  • Require the CE to establish a security management process

  • Detail how the security program should be managed from the CE’s perspective

  • Policies and procedures should be written and formalized in a policy manual.

  • There are a number of ways a CE can control the use of terminals, including user limitations such as maximum allowed log-in attempts, screen savers, and the timing out of terminals when a determined period of inactivity has been reached.

Administrative safeguards include the following:

  • Security management process:

    • A CE must have a defined security management process. This means that there is a process in place for creating, maintaining, and overseeing the development of security policies and procedures; identifying vulnerabilities and conducting risk analysis; establishing a risk management program; developing a sanction policy; and reviewing information system activity.

  • Assigned Security Responsibility:

    • Each CE must designate a security official to assume the role described earlier in this chapter.

  • Workforce Security:

    • The CE must ensure appropriate clearance procedures to grant access to individually identifiable information to workforce members who need to use ePHI to perform their job duties and must maintain appropriate oversight of authorization and access.

    • The CE must prevent access to information by those who do not need it and must have clear procedures for terminating access when employees leave the CE.

  • Information access management:

    • Requires the CE to implement a program of information access management. It includes specific policies and procedures to determine who should have access to what information.

  • Security awareness and training:

    • Requires the CE to provide security training for all members of the workforce.

  • Security incident procedures:

    • Requires implementation of policies and procedures to address security incidents, including responding to, reporting, and mitigating suspected or known incidents.

  • Contingency plan:

    • Requires the establishment and implementation of policies and procedures for responding to emergencies or failures in systems that contain ePHI.

    • Includes a data backup plan, disaster recovery plan, emergency mode of operation plan, testing and revision procedures, and applications and data criticality analysis to prioritize data and determine what must be maintained or restored first in an emergency.

  • Evaluation:

    • A periodic evaluation must be performed in response to environmental or operational changes affecting the security of ePHI and appropriate improvements in policies and procedures should follow.

  • Business associate contracts:

    • Requires business associates to appropriately safeguard information in their possession and requires CEs to receive satisfactory assurances that the business associates will do so.

PHYSICAL SAFEGUARDS

  • Include the protection of hardware, software, and data from natural and environmental hazards

Physical safeguards include:

  • Facility access controls:

    • Policies and procedures must be implemented to appropriately manage not only the physical security