Thousands of US health-care organizations have been waiting for the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to be finalized. First proposed nearly five years ago, the rule has now been issued in final form. The Security Rule is just one part of HIPAA - federal legislation that was passed into law in August 1996. The act is meant to provide better access to health insurance, limit fraud and abuse, and reduce the overall cost of health care.
The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form.
Who: Covered Entities (CEs) must comply with the rule’s requirements. These are health plans, health care clearinghouses, or health care providers who transmit any protected health information in electronic form.
How: CEs must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI.
The basic purpose of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.
The final Security Rule will be effective as of April 21, 2003. Most CEs will have until April 21, 2005 to comply; small health plans (those with annual receipts of $5 million or less) will have until April 21, 2006.
After years of delay, the final HIPAA Security Rule is here. Compliance will require CEs to (1) fully understand the threats to and vulnerabilities of their EPHI and (2) implement a wide variety of security best practices. In the past few years, customers and business partners have increasingly expected health care organizations to appropriately protect EPHI; the Security Rule makes it a federal law to do so. Complying with the Security Rule can require significant time and resources. This is the time to gain an understanding of the rule and to take initial steps toward compliance.
• Guiding Principles and Key Concepts
• General Requirements and Structure
• Administrative, Physical and Technical Safeguards
• Documentation Standard
Guiding Principles and Key Concepts
Is it a Policy, a Standard or a Guideline? According to the SANS Institute, “Effective security policies make frequent references to standards and guidelines that exist within an organization.” A policy “is typically a document that outlines specific requirements or rules that must be met.” A standard “is typically a collection of system-specific or procedural-specific requirements that must be met by everyone.” And a guideline “is typically a collection of system-specific or procedural-specific ‘suggestions’ for best practice. They are not requirements to be met, but are strongly recommended.”
Final HIPAA Security Rule
There are several principles upon which the final Security Rule is based:
• Scalability. Health care entities of all sizes must be able to comply with the rule.
• Comprehensiveness. The rule is meant to result in a unified system of protection for EPHI. CEs must use a defense-in-depth security approach.
• Technology neutrality. The rule contains no specific technology recommendations (e.g., a specific type of firewall, IDS, or access control system). Each CE must choose the appropriate technology to protect its EPHI.
• Internal and external security threats. CEs must protect EPHI against both internal and external threats.
• Minimum standard. The Security Rule defines the least that CEs must do to protect EPHI. They may choose to do more.
• Risk analysis (the cost of a security measure versus the cost of not having it). The Security Rule requires CEs to conduct a thorough and accurate risk analysis that considers “all relevant losses” that would be expected if specific security measures are not in place. “Relevant losses” include losses caused by unauthorized use and disclosure of data and by unauthorized modification of data.
The Security Rule has several key concepts:
• Principle-based. The Security Rule presents a series of security best practices and principles with which CEs must comply. No step-by-step checklists are provided.
• Reasonableness. CEs must do everything that is appropriate to avert all reasonably anticipated risks to their EPHI. They must balance their resources and business requirements against the risks to EPHI.
• Full compliance. All CE staff, including management and those who work at home, must comply with the Security Rule.
• Developed from multiple security guidelines and standards. The creators of the Security Rule found no single existing security standard or best practice that described how to comprehensively protect EPHI. The rule, therefore, is based on many different security guidelines, standards, and best practices.
• Documentation. CEs must document a variety of security processes, policies, and procedures. They must also document Security Rule implementation decisions.
• Ongoing compliance. CEs must regularly train employees and revise security policies and procedures as needed.
About the author
Steven Weil, CISSP, CISA, is a senior security consultant with Seitel Leeds & Associates, a full-service consulting firm based in Seattle, WA. Mr. Weil specializes in the areas of security policy development, HIPAA compliance, disaster recovery planning, and security assessments. He can be reached at firstname.lastname@example.org
General Requirements and Structure
The Security Rule’s requirements are grouped into three categories: administrative safeguards, physical safeguards, and technical safeguards.