THE SECURITY RULE (HIPAA Week 3)

Uploaded by: audra

Posted on 22-Feb-2016

PowerPoint PPT presentation (transcript below)

TRANSCRIPT

Page 1: The Security Rule

THE SECURITY RULE

HIPAA Week 3

Page 2: The Security Rule

SECURITY RULE

The Security Rule (SR) deals with ONLY electronic Protected Health Information (ePHI), which is essentially a subset of what the Privacy Rule encompasses (includes oral, hard copy and electronic PHI)

Page 3: The Security Rule

GOAL OF SECURITY RULE

To ensure reasonable and appropriate administrative, technical, and physical safeguards that ensure the integrity, availability and confidentiality of health care information, and protect against reasonably foreseeable threats to the security or integrity of the information.

Page 4: The Security Rule

FOCUS OF SECURITY RULE

• Both external and internal threats
• Prevention of denial of service
• Theft of private information
• Integrity of information

Page 5: The Security Rule

FOUNDATION

Security protections are “reasonable and appropriate”

Page 6: The Security Rule

THE STANDARDS…

Are separated into three groups:
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

Page 7: The Security Rule

GENERAL REQUIREMENTS OF THE STANDARDS…

Ensure:
• Confidentiality (only the right people see it)
• Integrity (the information is what it is supposed to be – it hasn’t been changed)
• Availability (the right people can see it when needed)

Page 8: The Security Rule

RULE HAS 4 CATEGORIES

1. Administrative Procedures
2. Physical Safeguards
3. Technical data security services
4. Technical security mechanisms

Page 9: The Security Rule

ADMINISTRATIVE PROCEDURES: 12 REQUIREMENTS

1. Certification
2. Chain of Trust Agreements
3. Contingency Plan
4. Mechanism for processing records
5. Information Access Control
6. Internal Audit
7. Personnel Security
8. Security Configuration Management
9. Security Incident Procedures
10. Security Management
11. Termination Procedures
12. Training

Page 10: The Security Rule

PHYSICAL SAFEGUARDS: 6 REQUIREMENTS

1. Assigned Security Responsibility
2. Media Controls
3. Physical Access Controls
4. Policy on Workstation Use
5. Secure Workstation Location
6. Security Awareness Training

Page 11: The Security Rule

TECHNICAL DATA SECURITY SERVICES: 5 REQUIREMENTS

1. Access Control
2. Audit Controls
3. Authorization Control
4. Data Authentication
5. Entity Authentication

Page 12: The Security Rule

TECHNICAL SECURITY MECHANISM: 1 REQUIREMENT

1. Protections for health information transmitted over open networks via:
   • Integrity controls, and
   • Message authentication, and
   • Access controls OR encryption

Page 13: The Security Rule

NEW RULES FOR BREACHES

The new Privacy requirements apply if all of the following are present in a Privacy Event:

• There is a “Breach.” The Rule defines “Breach” to mean (subject to certain exceptions) the unauthorized acquisition, access, use, or disclosure of protected health information (“PHI”).

• The PHI is “unsecured.” The Rule defines “unsecured protected health information” to mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by HHS guidance.

• The Breach “compromises the security of the PHI.” Under the Rule, this occurs when there is a significant risk of financial, reputational, or other harm to the individual whose PHI has been compromised.

Page 14: The Security Rule

NOTIFICATION OF BREACHES

• Prior to the HITECH Act, no mandated reporting to outside authorities
• Since HITECH: notifications are mandatory for breach of unsecured ePHI

Page 15: The Security Rule

BREACHES

OCR received 7,116 complaints in 2009, a sharp decline from the 8,526 received in 2008 and 8,174 received in 2007. In 2006, OCR received 7,334 complaints.

Page 16: The Security Rule

PRIMARY REASONS FOR THE VIOLATIONS

• Incidental disclosure of individually identifiable health information
• Lack of adequate safeguards
• Not providing a copy of records to patients
• Disclosure of more than necessary information
• Failure to give notice of privacy practice

Page 17: The Security Rule

NOTIFICATION GUIDELINES: Notification to Individuals

A covered entity must send the required notification to each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the Breach, without unreasonable delay.

• Must be in plain, reasonable language
• If the patient is deceased, must notify next of kin

Page 18: The Security Rule

NOTIFICATION GUIDELINES: Notification to Media

If a covered entity discovers a Breach affecting 500 or more residents of a state or jurisdiction, it must provide notice to prominent media outlets serving that state or jurisdiction without unreasonable delay.

Page 19: The Security Rule

NOTIFICATION GUIDELINES: Notification to HHS

If 500 or more individuals are involved in the Breach, then the covered entity must notify HHS concurrently with the individual notifications.

HHS (through its enforcement agency, the Office for Civil Rights or ‘OCR’) requires annual notification for Breaches involving fewer than 500 individuals per Event.

Page 20: The Security Rule

ENFORCEMENT

• Enforcement and Penalties begin February 2010
• Projected to be increased enforcement from OCR
• In the past, CMS (Centers for Medicare and Medicaid Services) has enforced the HIPAA Security Rule while OCR has handled Privacy Rule compliance.

Page 21: The Security Rule

ENFORCEMENT (CONT’D)

Now: Privacy and Security enforcement will be combined under one agency (OCR). This will eliminate duplication of work and increase efficiency, according to the HHS Secretary.

Another significant enforcement change is that under HITECH, State Attorneys General can now bring actions for Privacy violations in federal court.

Page 22: The Security Rule

NEW RULE

The “Stimulus Act” requires that within the next three years regulations are passed that will allow individual victims of a HIPAA violation to receive a percentage of any monetary penalty collected from the offense.

This monetary incentive could significantly increase the number of HIPAA complaints brought by individuals.

Page 23: The Security Rule

IMPLEMENTATION

• Implement the necessary safeguards
• Perform a risk analysis
• Risk management
• Ensure policies are in place
• Stay attuned to deadlines and changes in the law!

Page 24: The Security Rule

KEY IMPACTS OF HIPAA INCLUDE

• Development and documentation of policies and procedures
• Designation of a privacy official
• Identifying and contracting with business associates
• Development of patient consent and authorization forms
• Distributing and updating notice of privacy practices and associated procedures
• Development and distribution of patient notice
• Capturing, tracking, and maintaining history of data disclosures
• Tracking and resolving individual complaints
• Training workforce members who have access to patient identifiable information
• Altering the oral communication culture of the organization

Page 25: The Security Rule

REFERENCES

McLendon, K. (n.d.). HIPAA Privacy Summary. Available from: http://www.hixperts.com/HIX%20HIPAA%20Summary%20(01%2026%2010).pdf

Graham, D., & Stubbs (2009). Significant HIPAA Modifications in the American Recovery and Reinvestment Act of 2009. Available from: http://www.dgslaw.com/documents/articles/HIPAA_Stimulus09_893166.html

Leyva, D., & Leyva, C. (n.d.). HITECH Survival Guide. Available from: http://www.hipaasurvivalguide.com/hipaa-survival-guide-16.php