
Security Program and Policies: by Sari Stern Greene


Security Program and Policies: Principles and Practices
by Sari Stern Greene

Chapter 14: Regulatory Compliance for the Healthcare Sector


Objectives

• Explain healthcare-related information security regulatory compliance requirements
• Understand the components of a HIPAA/HITECH-compliant information security program
• Prepare for a regulatory audit
• Know how to respond to an ePHI security incident
• Write HIPAA-related policies and procedures

Copyright 2014 Pearson Education, Inc. 2


Introduction

• Title II of HIPAA (the Health Insurance Portability and Accountability Act) mandated the creation of rules addressing how electronic healthcare transactions are transmitted and stored.
• The resulting HIPAA Security Rule establishes a standard for the security of electronic protected health information (ePHI).
• The following legislation has modified and expanded the scope and requirements of the Security Rule:
  • 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act)
  • 2009 Breach Notification Rule
  • 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules (known as the Omnibus Rule)


The HIPAA Security Rule

The HIPAA Security Rule focuses on safeguarding ePHI:
• Any individually identifiable health information (IIHI) that is stored, processed, or transmitted electronically
• Applies to covered entities (CEs) and to their business associates
• CEs are healthcare providers (doctors, hospitals, clinics), health plans (insurers, Medicare, and similar programs), and healthcare clearinghouses (entities that convert nonstandard health information into a standard format, or the reverse). Business associates are outside parties that handle ePHI on a CE's behalf, such as accounting or practice-management services.


What Is the Objective of the HIPAA Security Rule?

The main goal of the HIPAA Security Rule is to protect the
• Confidentiality
• Integrity
• Availability
of all electronic protected health information that CEs create, receive, maintain, or transmit.


What Is the Objective of the HIPAA Security Rule? Cont.

The standards are intentionally nonspecific and scalable. Covered entities choose the technology and controls appropriate to their own environment, taking into consideration
• Their size, complexity, and capabilities
• Their technical infrastructure
• The cost of the security measures
• The probability and criticality of potential risks to ePHI


Enforcement and Compliance

• The Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) is responsible for investigating violations and enforcing the Security Rule.
• Civil fines for noncompliance are up to $1,500,000 per year for all violations of an identical provision.
• Criminal charges can also be brought, with penalties of
  • Up to $50,000 and 1 year in prison for knowing violations
  • Up to $100,000 and 5 years in prison for violations committed under false pretenses
  • Up to $250,000 and 10 years in prison for offenses committed for commercial advantage or personal gain


How Is the HIPAA Security Rule Organized?

The Security Rule is organized into five categories: administrative safeguards, physical safeguards, technical safeguards, organizational requirements, and policies, procedures, and documentation requirements.

Administrative Safeguards:
The documented policies and procedures for
• Managing operations
• The conduct of the workforce and its access to ePHI
• The selection, development, and use of security controls

Physical Safeguards:
• Requirements for protecting ePHI, and the systems and facilities that hold it, from unauthorized physical access and from natural and environmental hazards


How Is the HIPAA Security Rule Organized? Cont.

Technical Safeguards:
• The use of technology to control access to ePHI

Organizational Requirements:
• Includes standards for business associate contracts and requirements for group health plans

Documentation Requirements:
• Includes policies and procedures regarding documentation and records, and their retention and availability


Implementation Specifications

• Many of the standards contain implementation specifications
• Specifications can be
  • Required: the organization must implement the specification as written, just as it must comply with the standard itself
  • Addressable: this does not mean optional, and it cannot be ignored
    • The organization must assess whether the specification is a reasonable and appropriate safeguard in its environment
    • If it is, implement it; if it is not, document why and implement an equivalent alternative measure where reasonable and appropriate


What Are Administrative Safeguards?

Incorporates nine standards focusing on internal organization, policies, procedures, and maintenance of the security measures that protect patient health information.
The Security Management Process standard includes:
• Conducting a risk analysis: identify all threats to ePHI, the likelihood of each occurring, its impact, and the resulting level of risk
• Implementing a risk management program: develop plans, implement security controls, and review and maintain them so that risk is reduced to a reasonable and appropriate level
• Developing and implementing a sanction policy for security violations; applies to employees, contractors, and vendors
• Developing and deploying an information system activity review: regular review of records such as audit logs, access reports, and security incident tracking reports

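An added example of an information system activity review, not code from the book or from any EHR product: it reads a constructed JSON-lines audit log (the log format, user names and the thresholds are assumptions, not anything the page or the rule prescribes) and flags three items a security official would want to examine: a burst of failed logins by one user, one user touching an unusual number of distinct patient records in a short window, and any denied operation on an ePHI record.

```python
"""Information system activity review over an EHR audit log (JSON lines).
The sample log, field names and thresholds are constructed for this example."""
import json
from collections import defaultdict

FAILED_LOGIN_THRESHOLD = 5      # assumed policy: 5 failed logins by one user ...
FAILED_LOGIN_WINDOW = 600       # ... within 10 minutes
RECORD_VOLUME_THRESHOLD = 5     # assumed policy: 5 distinct patient records ...
RECORD_VOLUME_WINDOW = 600      # ... within 10 minutes

# Constructed sample: one JSON object per line, as an EHR application might emit.
SAMPLE_LOG = """\
{"ts": 1700000000, "user": "nurse.ada", "action": "read", "record": "patient-42", "outcome": "ok"}
{"ts": 1700000030, "user": "nurse.ada", "action": "read", "record": "patient-43", "outcome": "ok"}
{"ts": 1700000100, "user": "billing.bob", "action": "login", "record": null, "outcome": "denied"}
{"ts": 1700000110, "user": "billing.bob", "action": "login", "record": null, "outcome": "denied"}
{"ts": 1700000120, "user": "billing.bob", "action": "login", "record": null, "outcome": "denied"}
{"ts": 1700000130, "user": "billing.bob", "action": "login", "record": null, "outcome": "denied"}
{"ts": 1700000140, "user": "billing.bob", "action": "login", "record": null, "outcome": "denied"}
{"ts": 1700000200, "user": "dr.cho", "action": "read", "record": "patient-1", "outcome": "ok"}
{"ts": 1700000230, "user": "dr.cho", "action": "read", "record": "patient-2", "outcome": "ok"}
{"ts": 1700000260, "user": "dr.cho", "action": "read", "record": "patient-3", "outcome": "ok"}
{"ts": 1700000290, "user": "dr.cho", "action": "read", "record": "patient-4", "outcome": "ok"}
{"ts": 1700000320, "user": "dr.cho", "action": "read", "record": "patient-5", "outcome": "ok"}
{"ts": 1700003600, "user": "nurse.ada", "action": "write", "record": "patient-42", "outcome": "denied"}
"""


def parse_log(text):
    """Parse JSON lines, skipping blanks, and return events ordered by timestamp."""
    events = [json.loads(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(events, key=lambda e: e["ts"])


def review(text):
    """Return one finding per (user, rule) that a reviewer should examine."""
    by_user = defaultdict(list)
    for e in parse_log(text):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        # Rule 1: burst of failed logins (possible credential guessing).
        fails = [e["ts"] for e in evs if e["action"] == "login" and e["outcome"] == "denied"]
        for i in range(len(fails) - FAILED_LOGIN_THRESHOLD + 1):
            if fails[i + FAILED_LOGIN_THRESHOLD - 1] - fails[i] <= FAILED_LOGIN_WINDOW:
                findings.append({"user": user, "rule": "failed_login_burst",
                                 "count": FAILED_LOGIN_THRESHOLD, "from_ts": fails[i]})
                break
        # Rule 2: many distinct patient records in a short window (possible snooping or bulk export).
        reads = [(e["ts"], e["record"]) for e in evs
                 if e["action"] in ("read", "write") and e["outcome"] == "ok"]
        for t0, _ in reads:
            distinct = {r for t, r in reads if t0 <= t <= t0 + RECORD_VOLUME_WINDOW}
            if len(distinct) >= RECORD_VOLUME_THRESHOLD:
                findings.append({"user": user, "rule": "record_volume",
                                 "records": len(distinct), "from_ts": t0})
                break
        # Rule 3: every denied operation on an ePHI record is itself a review item.
        for e in evs:
            if e["action"] != "login" and e["outcome"] == "denied":
                findings.append({"user": user, "rule": "denied_ephi_access",
                                 "record": e["record"], "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Running it on the sample produces three findings: the denied write by nurse.ada, the five failed logins by billing.bob within 40 seconds, and dr.cho reading five different records in two minutes. The thresholds are the part an organization tunes to its own environment, which is exactly the "reasonable and appropriate" judgment the rule leaves to the covered entity.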


What Are Administrative Safeguards? Cont.

Assigned Security Responsibility:
• Appoint a responsible security official to oversee compliance

Workforce Security:
• Note the difference between "employee" and "workforce": the workforce includes employees, volunteers, trainees, and any other persons whose conduct is under the direct control of the CE, whether or not they are paid
• This standard focuses on the relationship between people and ePHI
• Implement procedures for authorization and supervision of workforce members
• Establish a workforce clearance procedure for hiring and assigning tasks
• Establish termination procedures


What Are Administrative Safeguards? Cont.

Information Access Management:
• The goal of the Information Access Management standard is to require that CEs have formal policies and procedures for granting access to ePHI
• Isolate healthcare clearinghouse functions (required where a clearinghouse is part of a larger organization)
• Implement policies and procedures to authorize access (addressable)
  • Access can be authorized at the hardware level, operating system level, application level, and transaction level
• Implement policies and procedures to establish and modify access (addressable)
  • Options here include identity-based access (by name), role-based access (by job or function), and group-based access (by membership)


What Are Administrative Safeguards? Cont.

Security Awareness and Training:
• Establish a security awareness program to remind users of potential threats
• Provide training on recognizing malicious software (malware)
• Provide training on login monitoring procedures
• Provide training on password management


What Are Administrative Safeguards? Cont.

Security Incident Procedures:
• Security incident reporting is the foundation of a successful response and recovery process
• Addresses reporting of and responding to security incidents. A security incident reporting program has three components:
  • Training users to recognize incidents
  • Implementing a reporting system
  • Following through with investigations and reporting back to the user


What Are Administrative Safeguards? Cont.

Contingency Plans:
• Conduct an application and data criticality analysis (addressable)
• Establish and implement a data backup plan (required)
• Establish and implement a disaster recovery plan (required)
• Establish an emergency mode operation plan (required)
• Test and revise the procedures (addressable)


What Are Administrative Safeguards? Cont.

Evaluation:
• All covered entities must develop criteria and metrics for evaluating their own compliance
• The evaluation can be conducted internally if the organization has staff appropriately trained for the task. Optionally, third parties can be hired to conduct the assessment and report their findings.
• There is no formal certification or accreditation process for HIPAA compliance. No organization or person can put an "official" stamp of approval on the compliance program. The process is one of self-certification.

Business Associate Contracts and Other Agreements:
• Business associates and third parties must also comply
• Based on a written contract or other form of agreement


What Are Physical Safeguards?

Facility Access Controls include:
• A facility is defined as the physical premises and the interior and exterior of a building
• Create a facility security plan to prevent unauthorized access, tampering, and theft
• Implement access control and validation procedures
• Keep maintenance records, including modifications to doors, locks, and so on
• Establish contingency operations


What Are Physical Safeguards? Cont.

Workstation Use:
• Covers proper use of workstations, particularly laptops

Workstation Security:
• Covers restricting workstation access to authorized users


What Are Physical Safeguards? Cont.

Device and Media Controls:
• Implement disposal policies and procedures
• Implement reuse policies and procedures
• Maintain accountability for hardware and electronic media
• Develop data backup and storage procedures


What Are Technical Safeguards?

Access Control:
• Require unique user identification (required): every user has an individual identifier so that activity can be traced to a person
• Establish emergency access procedures (required) for obtaining ePHI during an emergency
• Implement automatic logoff procedures that terminate a session after a period of inactivity (addressable)
• Encrypt and decrypt ePHI at rest (addressable)

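The Access Control standard above and the Information Access Management standard earlier (identity-based and role-based authorization) can be seen together in one small controller. This is an added illustration, not code from the book or from any product: the roles, permissions, patient assignments, record IDs and the 15-minute idle limit are assumptions, and the authentication step that would issue the session token is out of scope.

```python
"""Technical-safeguard illustration: unique user IDs, role- and identity-based
authorization to ePHI, automatic logoff, break-glass emergency access, and an
audit log of every decision.  All roles, records and limits are hypothetical."""
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value: auto-logoff after 15 minutes

# Hypothetical role -> operations the role may perform on a patient record.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},
}

# Hypothetical identity-based assignment: which patients each user is currently treating.
ASSIGNED_PATIENTS = {
    "nurse.ada": {"patient-42"},
    "dr.cho": {"patient-42", "patient-43"},
}


@dataclass
class Session:
    user_id: str        # one identifier per person; no shared or generic accounts
    role: str
    last_activity: float
    emergency: bool = False


class EphiAccessController:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}
        self.audit_log = []   # kept in memory here; a real system appends to protected storage

    def _audit(self, user_id, action, record_id, outcome, **extra):
        entry = {"ts": self._clock(), "user": user_id, "action": action,
                 "record": record_id, "outcome": outcome, **extra}
        self.audit_log.append(entry)
        return entry

    def login(self, user_id, role, token):
        # `token` is the session handle handed out by the authentication step (not shown).
        if role not in ROLE_PERMISSIONS:
            self._audit(user_id, "login", None, "denied", reason="unknown role")
            raise PermissionError("unknown role")
        self._sessions[token] = Session(user_id, role, self._clock())
        self._audit(user_id, "login", None, "ok")

    def _require_session(self, token):
        # Automatic logoff: an idle session is discarded on its next use and the logoff is logged.
        s = self._sessions.get(token)
        if s is None:
            raise PermissionError("no session")
        now = self._clock()
        if now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            self._audit(s.user_id, "auto_logoff", None, "ok")
            raise PermissionError("session expired")
        s.last_activity = now
        return s

    def break_glass(self, token, justification):
        # Emergency access procedure: widen this session to read any record,
        # but only with a recorded justification that reviewers will see.
        s = self._require_session(token)
        s.emergency = True
        self._audit(s.user_id, "break_glass", None, "ok", justification=justification)

    def access(self, token, record_id, operation):
        s = self._require_session(token)
        role_ok = operation in ROLE_PERMISSIONS[s.role]                 # role-based
        assigned = record_id in ASSIGNED_PATIENTS.get(s.user_id, set())   # identity-based
        allowed = (role_ok and assigned) or (s.emergency and operation == "read")
        self._audit(s.user_id, operation, record_id, "ok" if allowed else "denied",
                    emergency=s.emergency)
        if not allowed:
            raise PermissionError(f"{s.user_id} ({s.role}) may not {operation} {record_id}")
        return True


def demo():
    """Walk a nurse's session through the safeguards with a fake clock; returns the audit log."""
    now = [1_000_000.0]
    ctl = EphiAccessController(clock=lambda: now[0])
    ctl.login("nurse.ada", "nurse", token="s1")
    ctl.access("s1", "patient-42", "read")            # assigned patient, role permits read
    try:
        ctl.access("s1", "patient-43", "read")        # not assigned: denied and logged
    except PermissionError:
        pass
    ctl.break_glass("s1", "ER: patient unresponsive, need full chart")
    ctl.access("s1", "patient-43", "read")            # now allowed, logged as emergency
    now[0] += IDLE_TIMEOUT_SECONDS + 1                # idle past the policy limit
    try:
        ctl.access("s1", "patient-42", "read")        # automatic logoff fires instead
    except PermissionError:
        pass
    return ctl.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two design points matter more than the size of the code: every decision, allowed or denied, lands in the audit log before the caller learns the result, and emergency access is never silent, so a later activity review can match each break-glass entry to its justification.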

What Are Technical Safeguards? Cont.

Audit Controls:
• Organizations must implement mechanisms that record and examine activity in systems that contain or use ePHI

Integrity Controls:
• To protect ePHI from improper alteration or destruction
• Includes antivirus and antispyware, firewalls, and e-mail scanning, plus a mechanism (such as checksums or digital signatures) to authenticate that ePHI has not been altered (addressable)


What Are Technical Safeguards? Cont.

Person or Entity Authentication:
• Requires verifying that a person or entity seeking access to ePHI is who it claims to be, using something the user knows (password, PIN), has (token), or is (biometric), and so on

Transmission Security:
• Implement integrity controls (addressable)
• Implement encryption (addressable) for ePHI sent over electronic networks

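An added example for the Integrity Controls and Transmission Security standards, not code from the book: an HMAC-SHA256 tag over a canonical serialization of an ePHI record lets the receiver, or a later reader of a file at rest, detect any alteration of the record. The key, the record fields and the envelope format are assumptions. Encryption of the payload is deliberately left out; in practice transmission would run over TLS and storage would use an authenticated cipher, neither of which is demonstrated here.

```python
"""Integrity control for an ePHI record in transit or at rest: an HMAC-SHA256
tag over a canonical JSON serialization.  Key, record and envelope format are
hypothetical; encryption is not shown."""
import hashlib
import hmac
import json
import os


def make_envelope(key: bytes, record: dict) -> bytes:
    """Serialize the record canonically (sorted keys, no whitespace) so that the
    same data always yields the same bytes, then append hex(HMAC-SHA256)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def open_envelope(key: bytes, envelope: bytes) -> dict:
    """Recompute the tag and compare in constant time; any altered byte of the
    body or the tag, or a tag made with a different key, raises ValueError."""
    body, sep, tag = envelope.rpartition(b".")   # the hex tag never contains '.'
    if not sep:
        raise ValueError("malformed envelope: no tag")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: record or tag was altered")
    return json.loads(body)


def demo():
    """Returns (round_trip_ok, tamper_detected) for a constructed record."""
    key = os.urandom(32)   # in practice, a key from a key-management system shared with the receiver
    record = {"patient_id": "P-1001", "dob": "1970-01-01", "dx": "I10"}   # constructed sample
    envelope = make_envelope(key, record)
    round_trip_ok = open_envelope(key, envelope) == record
    tampered = envelope.replace(b'"I10"', b'"I11"')   # one changed diagnosis code in transit
    try:
        open_envelope(key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return round_trip_ok, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The comparison uses hmac.compare_digest rather than ==, so a forger cannot learn the tag byte by byte from timing differences. A tag computed with a different key fails in the same way as a modified body, which is what makes the mechanism an authentication of the record's origin as well as its integrity.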

What Are the Organizational Requirements?

Business Associate Contracts:
• A business associate is a person or entity, other than a member of the workforce of a CE, who performs functions or activities on behalf of, or provides certain services to, a CE that involve access by the business associate to PHI. A business associate is also a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.
• The HIPAA rules require the CE and the business associate to sign a contract
• Contracts must meet specific requirements to ensure the confidentiality, integrity, and availability of ePHI
• Covered entities, business associates, and their agents must protect ePHI and report security incidents, or risk termination of the contract


What Are the Policies and Procedures Standards?

Policies and procedures ensure that:
• Standards and implementation specifications are met
• The actual activities of the covered entity are reflected
• A CE may change its policies and procedures at any time, provided the changes are documented and implemented in accordance with the Documentation standard
What Are the Policies and Procedures Standards? Cont.

Documentation:
• There are three required implementation specifications: time limit, availability, and updates
• Retain documentation for 6 years from the date of its creation or the date it was last in effect, whichever is later
• Make documentation available to the personnel responsible for implementing the procedures it describes
• Update documentation as necessary to reflect changes that may affect the security of ePHI
The HITECH Act and the Omnibus Rule

• The HITECH (Health Information Technology for Economic and Clinical Health) Act is part of the American Recovery and Reinvestment Act of 2009
• Amended the Public Health Service Act (PHSA) with a focus on improving healthcare quality, safety, and efficiency through the promotion of health information technology
• Widened the scope of privacy and security protections available under HIPAA
• The Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules (known as the Omnibus Rule) was published January 25, 2013


What Changed for Business Associates?

• Original description
  • A person or organization that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a CE
• Revised description
  • A person or entity that creates, receives, maintains, transmits, or accesses PHI to perform certain functions or activities on behalf of a CE
• Subcontractors of business associates that create, receive, maintain, transmit, or access PHI are themselves considered business associates
• Civil penalties for violations were increased
• Criminal penalties were not changed, but criminal charges can be brought against anyone who wrongfully discloses PHI, not just CEs


What Are the Breach Notification Requirements?

• HITECH established several notification requirements for CEs and business associates
• Safe Harbor Provision: specifies that certain conduct will be deemed not to violate a given rule. It applies to ePHI that was encrypted (or otherwise rendered unusable, unreadable, or indecipherable to unauthorized persons) when exposed, so such exposures are not reportable breaches.
• Breach Notification Requirements
  • CEs must notify affected individuals of a breach even if the breach occurred at a business associate
  • Notification must be made without unreasonable delay and no later than 60 days after discovery of the breach
  • If the breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must also be notified
  • DHHS must be notified of all breaches: within the same 60-day window for breaches affecting 500 or more individuals, and in an annual log for smaller breaches


Summary

• The HIPAA Security Rule was designed to ensure that ePHI is safe from breaches of confidentiality, integrity, and availability
• The regulations mirror what is now considered basic security best practice
• Both providers and patients benefit