HIPAA Security

MSAI adheres to and fully supports the Health Care Industry Code of Ethics and Standards. Part of our commitment to our customers and the health care industry is recognizing the different challenges and the ever-changing regulatory standards.

Our team of Privacy Officers and Quality Assurance Associates manages information security and ensures compliance with HIPAA regulatory standards. Our Associates deliver the highest quality service through the combination of effective security, proper training and timely delivery.

MSAI is committed to a continuing education program that keeps our dedicated staff abreast of the latest HIPAA protocols and requirements. We orient them on each new project to ensure confidentiality and competence. We pay special attention to client requirements and guarantee complete satisfaction.

The 18 HIPAA Security Rule Standards

Since medicine went digital, protecting electronic health information has been among the medical industry's vital concerns. Now that the industry has fostered a whole slew of support businesses – HMOs, healthcare clearinghouses, specialized document management and processing companies – all of which need access to these records, the need for a higher standard of security for patient health information has become even more urgent.

In February 2003, the Department of Health and Human Services (“HHS”) published the Health Insurance Reform: Security Standards; Final Rule, 45 CFR Parts 160, 162 and 164, 68 Fed. Reg. 8334. These standards provide a broad spectrum of protection for Electronic Protected Health Information (EPHI) used by a specific group of Covered Entities, i.e. health plans, healthcare clearinghouses, and health care providers who transmit any health information in electronic form. In addition, the rule requires these entities to obtain assurances from the other businesses they work with (business associates that create, receive, maintain, or transmit EPHI on their behalf) that those businesses safeguard the information to the same standard. The compliance date for most covered entities was April 20, 2005, and for small health plans April 20, 2006. If your business falls into any of these broad categories, it is time to check your compliance requirements.

Where the HIPAA Privacy Rule dealt with the use of reasonable administrative, physical and technical safeguards to protect privacy, the Security Rule created the standards by which the reasonableness of the Privacy Rule's safeguards is to be measured. [www.wiggin.com/db30/cgi-bin/pubs/Summary%20of%20HIPAA%20Security%20Rule%20October%202004.pdf as seen December 1, 2009] In broad terms, the Security Rule standards cover three general areas – Administrative, Physical, and Technical – in which the confidentiality, integrity, and availability of EPHI must be maintained.

To add flexibility, the rule distinguishes two kinds of implementation specification under each standard. The standards themselves are always mandatory; the implementation specifications beneath them are either required (must be implemented as written) or addressable. Addressable does not mean optional: a covered entity must assess whether the specification is reasonable and appropriate in its environment and, if so, implement it; if not, it must document why and implement an equivalent alternative measure where one is reasonable and appropriate.

Here are the 18 HIPAA Security Rule standards with brief notes on their application and the implementation specifications under each. An (R) denotes a required implementation specification and an (A) an addressable one.

Administrative Safeguards

• Security Management Process – 164.308(a)(1)(i) Implement policies and procedures to prevent, detect, contain, and correct security violations. The following must be completed:
   • Risk Analysis (R)
   • Risk Management (R)
   • Sanction Policy (R) for workforce members who fail to comply
   • Information System Activity Review (R), including regular review of audit logs, access reports, and security incident tracking reports

• Assigned Security Responsibility (R) – 164.308(a)(2) Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.

• Workforce Security – 164.308(a)(3)(i) Implement policies and procedures to ensure that all members of the workforce have appropriate access to EPHI, and to prevent those workforce members who should not have access from obtaining access to EPHI. The following may need to be done:
   • Authorization and/or Supervision (A) – procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed
   • Workforce Clearance Procedure (A) – procedures to determine that a workforce member's access to EPHI is appropriate
   • Termination Procedures (A) – procedures for terminating access to EPHI when employment ends or as required by the clearance procedure above

• Information Access Management – 164.308(a)(4)(i) Implement policies and procedures for authorizing, establishing, and modifying access to EPHI that are consistent with the Privacy Rule.

   • Isolating Health Care Clearinghouse Functions (R) – if a clearinghouse is part of a larger organization, implement policies and procedures to protect the clearinghouse's EPHI from unauthorized access by the larger organization
   • Access Authorization (A) – policies and procedures for granting access to EPHI, for example through access to a workstation, transaction, program, or process
   • Access Establishment and Modification (A) – policies and procedures that, based on the access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process

• Security Awareness and Training – 164.308(a)(5)(i) Implement a security awareness and training program for all members of the workforce (including management). The following may be required:
   • Security Reminders (A) – periodic information security reminders
   • Protection from Malicious Software (A)
   • Log-in Monitoring (A)
   • Password Management (A)

• Security Incident Procedures – 164.308(a)(6)(i) Implement policies and procedures to address security incidents.
   • Response and Reporting (R) – identify and respond to suspected or known security incidents; mitigate, to the extent practicable, the harmful effects of known security incidents; and document incidents and their outcomes

• Contingency Plan – 164.308(a)(7)(i) Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI.

   • Data Backup Plan (R) -- establish and implement procedures to create and maintain retrievable exact copies of EPHI
   • Disaster Recovery Plan (R)
   • Emergency Mode Operation Plan (R)
   • Periodic Testing and Revision Procedure (A)
   • Applications and Data Criticality Analysis (A) – assess the relative criticality of specific applications and data in support of other contingency plan       components

• Evaluation (R) – 164.308(a)(8) Perform periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of EPHI.

• Business Associate Contracts and Other Arrangements (R) – 164.308(b)(1) A covered entity may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, through a written contract or other arrangement, that the business associate will appropriately safeguard the information.

Physical Safeguards

• Facility Access Controls – 164.310(a)(1) Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

   • Contingency Operations (A) – procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency
   • Facility Security Plan (A) – safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft
   • Access Control and Validation Procedures (A) – control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision
   • Maintenance Records (A) – document repairs and modifications to the physical components of a facility which are related to security

• Workstation Use (R) – 164.310(b) Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI.

• Workstation Security (R) – 164.310(c) Implement physical safeguards for all workstations that access EPHI to restrict access to authorized users.

• Device and Media Controls – 164.310(d)(1) Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.

   • Disposal (R) – address final disposition of EPHI, and/or hardware or electronic media on which it is stored
   • Media Re-use (R) – removal of EPHI from electronic media before the media are available for reuse
   • Accountability (A) – maintain a record of the movements of hardware and electronic media and the person responsible for its movement
   • Data Backup and Storage (A) – create a retrievable, exact copy of EPHI, when needed, before movement of equipment

Technical Safeguards

• Access Control – 164.312(a)(1) Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in the administrative safeguards.

   • Unique User Identification (R) – a unique name and/or number for identifying and tracking user identity
   • Emergency Access Procedure (R) – procedures for obtaining necessary EPHI during an emergency
   • Automatic Logoff (A) – procedures that terminate an electronic session after a predetermined time of inactivity
   • Encryption and Decryption (A) – a mechanism to encrypt and decrypt EPHI

• Audit Controls (R) – 164.312(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.

• Integrity – 164.312(c)(1) Implement policies and procedures to protect EPHI from improper alteration or destruction.
   • Mechanism to Authenticate EPHI (A) – electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner

• Person or Entity Authentication (R) – 164.312(d) Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed.

• Transmission Security – 164.312(e)(1) Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

   • Integrity Controls (A)
   • Encryption (A)
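The technical safeguards above name mechanisms rather than prescribing how to build them: a unique user identifier, automatic logoff after a period of inactivity, audit controls that record activity against EPHI, and a mechanism to corroborate that EPHI has not been altered. The following Python sketch is an added example, not code from MSAI or from the rule, showing how those four fit together in one access path. Each access attempt is made under a session bound to one user ID that expires after an assumed 15-minute idle timeout (the rule sets no number); each record carries an HMAC-SHA256 tag that is checked before the record is released; and every attempt, allowed or denied, is written to an audit log whose entries are chained by HMAC so that editing or deleting an entry is detectable. The keys, record contents and user IDs are constructed placeholders; in production the keys would come from a key management system, not from source, and the encryption/decryption specification (not shown here) would sit underneath this layer.

```python
"""Added example: four HIPAA technical-safeguard mechanisms in one access path.

Constructed for illustration; keys, records and user IDs are placeholders.
"""
import hashlib
import hmac
import json

# Placeholder keys. In production these come from a KMS/HSM, never from source.
RECORD_KEY = b"example-record-key-do-not-use"
AUDIT_KEY = b"example-audit-key-do-not-use"
IDLE_TIMEOUT_SECONDS = 900  # assumed 15-minute policy; 164.312(a)(2)(iii) sets no number


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the tag does not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_tag(key: bytes, record: dict) -> str:
    """Integrity tag (164.312(c)(2)): HMAC-SHA256 over the canonical record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: dict, tag: str) -> bool:
    """Constant-time comparison so tag checking does not leak by timing."""
    return hmac.compare_digest(record_tag(key, record), tag)


class Session:
    """A session is bound to one unique user ID (164.312(a)(2)(i))."""

    def __init__(self, user_id: str, now: float):
        self.user_id = user_id
        self.last_activity = now

    def is_active(self, now: float) -> bool:
        """Automatic logoff (164.312(a)(2)(iii)): an idle session is no longer usable."""
        return now - self.last_activity < IDLE_TIMEOUT_SECONDS

    def touch(self, now: float) -> None:
        self.last_activity = now


class AuditLog:
    """Audit control (164.312(b)): append-only entries, each tagged over its body
    plus the previous entry's tag, so edits and deletions break the chain."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def append(self, user_id: str, action: str, record_id: str, outcome: str, now: float) -> None:
        prev = self.entries[-1]["tag"] if self.entries else ""
        entry = {"ts": now, "user": user_id, "action": action,
                 "record": record_id, "outcome": outcome, "prev": prev}
        entry["tag"] = record_tag(self.key, entry)  # tag computed before "tag" is added
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = ""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body["prev"] != prev or not verify_record(self.key, body, entry["tag"]):
                return False
            prev = entry["tag"]
        return True


def access_ephi(session: Session, now: float, record_id: str,
                store: dict, tags: dict, log: AuditLog):
    """Release a record only through an active session and only if its tag verifies.
    Every attempt, allowed or denied, is logged against the session's user ID."""
    if not session.is_active(now):
        log.append(session.user_id, "read", record_id, "denied:idle-timeout", now)
        return None
    session.touch(now)
    record = store.get(record_id)
    if record is None or not verify_record(RECORD_KEY, record, tags.get(record_id, "")):
        log.append(session.user_id, "read", record_id, "denied:integrity", now)
        return None
    log.append(session.user_id, "read", record_id, "ok", now)
    return record


def demo() -> list:
    """Walk one session through an allowed read, a tampered record and an idle timeout;
    returns the audit outcomes. The data below is constructed, not real EPHI."""
    store = {"pt-001": {"mrn": "000001", "dx": "example diagnosis"}}
    tags = {"pt-001": record_tag(RECORD_KEY, store["pt-001"])}
    log = AuditLog(AUDIT_KEY)
    session = Session("u1001", now=0.0)

    access_ephi(session, 10.0, "pt-001", store, tags, log)      # ok
    store["pt-001"]["dx"] = "altered diagnosis"                  # tamper with the record at rest
    access_ephi(session, 20.0, "pt-001", store, tags, log)      # denied:integrity
    access_ephi(session, 20.0 + IDLE_TIMEOUT_SECONDS, "pt-001", store, tags, log)  # denied:idle-timeout
    return [e["outcome"] for e in log.entries]


if __name__ == "__main__":
    print(demo())
```

Note that the denied paths are logged as well as the allowed one: the activity review under 164.308(a)(1)(ii)(D) is only as good as the log, and an auditor looking for repeated integrity failures or access attempts on expired sessions needs those entries to exist. The chained tags are what let the reviewer trust the log itself; an attacker who can edit a record can usually edit a plain text log too.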

Sources and References:

www.hipaa.ihs.gov/documents/IHS_HIPAA_Security_Checklist.doc (accessed December 5, 2009)
www.wiggin.com/db30/cgi-bin/pubs/Summary%20of%20HIPAA%20Security%20Rule%20October%202004.pdf (accessed December 3, 2009)
www.securityfocus.com/infocus/1764 (accessed December 3, 2009)