Requirements to implement HIPAA safeguards appear more often in the text of the Health Insurance Portability and Accountability Act than is generally acknowledged. While many sources are aware of the Administrative, Physical, and Technical Safeguards of the Security Rule, less specific requirements relating to HIPAA safeguards also appear in the Privacy Rule.
Compared to specific requirements of the Administrative, Physical, and Technical safeguards, most other references to safeguards in the text of HIPAA are intentionally flexible to accommodate the different types of Covered Entities and Business Associates that have to comply with them. While this flexibility means it can be easier for certain organizations to comply with the HIPAA safeguards – and protect the privacy of PHI – other organizations may find the lack of guidance confusing.
To demonstrate the difference between the safeguards of the Security Rule and the safeguards of the Privacy Rule, we've provided a synopsis of the Security Rule Administrative, Physical, and Technical Safeguards to compare against the safeguards mentioned in the Privacy Rule Administrative Requirements. There is also a section relating to the Organizational Requirements of the Privacy and Security Rules – both of which include further HIPAA safeguards.
HIPAA Security Rule Safeguards
The HIPAA Security Rule is dominated by the Administrative, Physical, and Technical Safeguards – the remainder of the Rule being assigned to General Rules, Organizational Requirements (discussed below), Documentation Requirements, and Compliance Dates. The General Rules provide an overview of what the HIPAA safeguards set out to achieve and claim to allow flexibility in the implementation of the safeguards by designating some of the implementation specifications as “addressable”.
Addressable implementation specifications are not as flexible as they may appear. Effectively, addressable specifications must be implemented unless they are “not reasonable or appropriate in the environment” or an alternative safeguard provides at least as much protection to ePHI as the addressable specification. In most circumstances, Covered Entities and Business Associates have no option but to implement addressable specifications in order to provide adequate protection.
HIPAA Administrative Safeguards
More than half of the Security Rule focuses on the HIPAA Administrative Safeguards (45 CFR § 164.308) – defined in the Security Rule as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic PHI and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information”.
To achieve the objectives of the HIPAA Administrative Safeguards, Covered Entities and Business Associates must appoint a Security Officer responsible for developing a security management program that addresses access controls, incident response, and security awareness training. The Security Officer is also responsible for conducting risk assessments and implementing policies and procedures to protect ePHI from threats and vulnerabilities.
HIPAA Physical Safeguards
The physical safeguards are measures, policies, and procedures intended to protect a Covered Entity’s or Business Associate’s buildings, equipment, and information systems from unauthorized intrusion and from natural and environmental hazards. Compliance with these HIPAA safeguards not only involves securing buildings and controlling access to them, but also validating the identity of anyone with access to equipment and information systems hosting ePHI.
Compared to the Privacy Rule HIPAA Safeguards (below), the Physical Safeguards provide direct guidance on the measures Covered Entities and Business Associates should take to (for example) govern the movement of devices and media containing ePHI, document maintenance records for facilities in which ePHI is stored, back up data before moving equipment, and properly dispose of hardware ePHI is stored on to eliminate the possibility of unauthorized disclosures.
HIPAA Technical Safeguards
The HIPAA Technical Safeguards relate to the technology used by Covered Entities and Business Associates, and to the policies and procedures governing its use and access to it. Like the Physical Safeguards, the HIPAA Technical Safeguards include fine details on the measures organizations should implement to protect ePHI from unauthorized access, including audit controls, user verification, and automatic log-off so that ePHI cannot be accessed by unauthorized users when devices are left unattended.
Despite being the shortest of the Security Rule HIPAA Standards, the technical standards make it clear that encryption is considered to be a significant factor in preventing unauthorized uses and disclosures. This point has been reinforced through several subsequent HHS publications – most notably a recent Fact Sheet that answers questions about ransomware and whether or not a ransomware attack is a reportable breach under the HIPAA Breach Notification Rule.
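To make the Technical Safeguards named above concrete, the following is an added illustration, not code from the HIPAA Journal article or from any regulation: a small gateway that sits in front of ePHI records, verifies users against salted password hashes, logs off idle sessions automatically, and writes an audit entry for every access decision. The class name `EphiAccessGateway`, the 15-minute idle timeout, the user names and the single sample record are all constructed assumptions; the Security Rule itself does not prescribe specific values.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional

# Assumed policy value for this example; the Security Rule does not fix a number.
IDLE_TIMEOUT_SECONDS = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored credentials are never plaintext (constructed helper)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class ManualClock:
    """Constructed clock so the inactivity timeout can be exercised deterministically."""

    def __init__(self, start: float = 1_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class EphiAccessGateway:
    """Hypothetical gateway in front of ePHI records: verifies users, expires idle
    sessions automatically, and writes an audit entry for every access decision."""

    def __init__(self, idle_timeout: float, clock: Callable[[], float]) -> None:
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.audit_log: List[dict] = []
        self._credentials: Dict[str, tuple] = {}   # user -> (salt, hash)
        self._sessions: Dict[str, dict] = {}       # token -> {user, last_activity}
        self._records = {"rec-1": "constructed ePHI record"}  # constructed sample data

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._credentials[user] = (salt, _hash_password(password, salt))

    def _audit(self, event: str, user: Optional[str], outcome: str, **extra) -> None:
        self.audit_log.append({"ts": self.clock(), "event": event, "user": user,
                               "outcome": outcome, **extra})

    def login(self, user: str, password: str) -> Optional[str]:
        cred = self._credentials.get(user)
        # Constant-time comparison; unknown users take the same denial path.
        if cred is None or not hmac.compare_digest(_hash_password(password, cred[0]), cred[1]):
            self._audit("login", user, "denied")
            return None
        token = os.urandom(16).hex()
        self._sessions[token] = {"user": user, "last_activity": self.clock()}
        self._audit("login", user, "granted")
        return token

    def _active_session(self, token: str) -> Optional[dict]:
        session = self._sessions.get(token)
        if session is None:
            return None
        if self.clock() - session["last_activity"] > self.idle_timeout:
            # Automatic log-off: the idle session is discarded, not refreshed.
            del self._sessions[token]
            self._audit("auto_logoff", session["user"], "session_expired")
            return None
        session["last_activity"] = self.clock()
        return session

    def read_record(self, token: str, record_id: str) -> Optional[str]:
        session = self._active_session(token)
        if session is None:
            self._audit("read", None, "denied", record=record_id)
            return None
        record = self._records.get(record_id)
        self._audit("read", session["user"], "granted" if record else "not_found",
                    record=record_id)
        return record


def demo() -> List[dict]:
    """Walk through: bad password, good login, a read, then a read after the idle window."""
    clock = ManualClock()
    gateway = EphiAccessGateway(idle_timeout=IDLE_TIMEOUT_SECONDS, clock=clock)
    gateway.register("clinician-1", "correct horse battery staple")  # constructed user
    gateway.login("clinician-1", "wrong password")
    token = gateway.login("clinician-1", "correct horse battery staple")
    gateway.read_record(token, "rec-1")
    clock.now += IDLE_TIMEOUT_SECONDS + 1   # device left unattended
    gateway.read_record(token, "rec-1")      # denied: session was auto-expired
    return gateway.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running `demo()` yields five audit entries: a denied login, a granted login, a granted read, an `auto_logoff` event, and a denied read. The point of the design is that the audit trail records denials and expiries as well as successes, so a reviewer can reconstruct who touched which record and when a session lapsed, which is what audit controls are for.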
Privacy Rule HIPAA Safeguards
Compared to the HIPAA Security Rule Safeguards, the safeguards mentioned in the Administrative Requirements of the Privacy Rule lack direct guidance. According to 45 CFR § 164.530, a Covered Entity “must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information”. The only implementation specifications offered to support this standard are:
- A Covered Entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
- A Covered Entity must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
The reason the Administrative Requirements lack direct guidance is the inclusion of “other requirements of this subpart”. “This subpart” refers to the Privacy Rule; and as different Covered Entities apply different policies and procedures to comply with the Privacy Rule, it would be impossible to develop “one-size-fits-all” safeguards to protect the privacy of PHI in the same way as required and addressable safeguards protect the confidentiality, integrity, and availability of ePHI.
Organizational Requirements in the Privacy and Security Rules
Both the Privacy Rule and the Security Rule contain Organizational Requirements. The Organizational Requirements of the Privacy Rule (45 CFR § 164.105) apply to Covered Entities that are not whole units (hybrid entities) or that are not single units (affiliated entities), while the Organizational Requirements of the Security Rule (45 CFR § 164.314) relate to Business Associate contracts with subcontractors and relationships between group health plans and plan sponsors.
Additional HIPAA Safeguards for Hybrid Entities
An example of a hybrid entity is a teaching institution that provides healthcare facilities for staff, students, and the public. The institution is a hybrid entity because the provision of healthcare for staff is a non-portable benefit (and therefore exempt from HIPAA), the provision of healthcare for students is covered by FERPA (which pre-empts HIPAA), and only the provision of healthcare for the public is covered by HIPAA.
Hybrid entities have to implement appropriate HIPAA safeguards to ensure that any PHI collected, used, and maintained by the public healthcare component of its operations is not disclosed to the other components of its operations. This includes disclosures of PHI by healthcare professionals working for a hybrid entity when the healthcare professionals assist with medical procedures for staff, students, and the public.
Additional HIPAA Safeguards for Affiliated Entities
Affiliated Entities are legally separate Covered Entities under the same ownership or control that designate themselves a single Affiliated Covered Entity for the purposes of HIPAA compliance. Being affiliated enables Covered Entities within the group to disclose ePHI to each other without the need for individual Business Associate Agreements, which increases integration and efficiency. Affiliated Entities can also use common documentation and share the same Privacy and Security Officers.
The additional HIPAA safeguards in the Organizational Requirements prevent unauthorized disclosures to other business units under the same ownership or control that do not qualify as Covered Entities. For example, several hospitals within a healthcare system under the same ownership can designate themselves as an Affiliated Entity; but, if the parent organization is not a Covered Entity, ePHI cannot be disclosed to the parent organization.
Business Associate Contracts with Subcontractors
Most Covered Entities and Business Associates are familiar with the requirement to enter into a Business Associate Agreement before ePHI is disclosed by a Covered Entity to a Business Associate. It is less widely known that a Business Associate must also enter into a Business Associate Contract before disclosing ePHI to a subcontractor, or to another of the Covered Entity's Business Associates acting as a subcontractor for the primary Business Associate.
Originally, Business Associates had to ensure any subcontractors to whom they disclosed ePHI had appropriate measures in place to comply with the HIPAA Administrative Safeguards of the Security Rule. However, this requirement was changed in the Final Omnibus Rule to “ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information”. Naturally, all assurances must be documented.
Relationships between Group Health Plans and Plan Sponsors
The relationship between group health plans and plan sponsors is similar to that between Covered Entities and Business Associates, with the exception that certain uses and disclosures of ePHI are expressly allowed. In all other cases, group health plans must ensure the plan sponsor has implemented the administrative, physical, and technical safeguards required by the Security Rule before disclosing further ePHI to the plan sponsor.
It is Important to Comply with All Applicable HIPAA Safeguards
Covered Entities and Business Associates must comply with all applicable HIPAA safeguards. Ignorance of the safeguards – or of how to comply with them – is not a justifiable defense if an organization is audited by HHS' Office for Civil Rights or investigated following a patient complaint or self-reported data breach. In the worst cases, substantial fines can be issued for noncompliance with safeguards organizations should have known about had they exercised due diligence.
The post Guide to HIPAA Safeguards appeared first on HIPAA Journal.