March, 2006
Small Health Plans Must Comply With HIPAA Security Rules by April 20, 2006
WHAT: The HIPAA Security Rule applies to all electronic protected health information (ePHI) created, received, maintained or transmitted by a covered entity. Covered entities are required to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Covered entities must evaluate risks and vulnerabilities in their environments and implement policies and procedures to address those risks and vulnerabilities.
Background – The Security Rule comprises five major sections:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements
- Policies and procedures and documentation requirements
Each section has multiple standards and implementation specifications. Many of these may have been addressed by covered entities in complying with HIPAA’s privacy requirements. It is critical that a covered entity be able to demonstrate compliance.
WHO: Almost all health plans are required to comply with the HIPAA Security Rule. The only exception to the Security Rule is for health plans that are self-administered by the employer who established and maintains the plan and that have fewer than 50 participants. “Participant” includes individuals eligible to participate regardless of whether the individual elects coverage.
WHEN: April 20, 2006 for small plans ($5 million or less in annual premiums or claims paid). Large plans (more than $5 million in annual premiums or claims paid) were required to comply by April 20, 2005.
HOW: Critical to complying with the Security Rule is the development of a Security Management Process (the first Administrative safeguard standard). This standard includes:
- Risk analysis
- Risk management
- Sanction policy and
- Information system activity review
The government has indicated that “this standard and its component implementation specifications form the foundation upon which an entity’s necessary security activities are built” (Federal Register/Vol. 68, No. 34; page 8346).
There is no specific prescribed risk analysis or risk management methodology. The Security Rule recognizes that a one-size-fits-all approach doesn’t work. Rather, each covered entity must develop a risk management approach that is tailored to its specific environment.
A starting point would be to focus on the general rules related to the Security Rule, which include:
- Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained or transmitted by the covered entity
- Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI
- Protect against any reasonably anticipated impermissible uses or disclosures of ePHI and
- Ensure compliance by the covered entity’s workforce.
Examining each of these requirements would require identifying:
- how ePHI is created, maintained or transmitted (e.g., hard drives, floppy disks, CDs, internet/intranet transmission, single location or multiple locations)
- potential threats or hazards (e.g., natural – floods, earthquakes, etc.; human – inadvertent data entry/deletion actions, hackers, etc.; and environmental – power failures, etc.)
- system vulnerabilities (e.g., system flaws that could be exploited by ex-employees, hackers, customers, criminals, the general public, etc.)
After documenting the current environment, potential next steps include:
- assess how current security processes address any identified risks (e.g., access controls, encryption, automatic logoff and audit controls)
- determine the likelihood that an identified threat will actually occur as well as the potential impact, and plan accordingly
- develop and implement actions needed to manage any identified risks
- train the workforce (develop policies and procedures, conduct periodic training sessions) and
- periodically review and maintain security efforts
It is important to reiterate that many security measures may have been addressed in the covered entity’s HIPAA privacy efforts and that existing organizational security processes and procedures may encompass many of the components of the Security Rule. However, a covered entity must be able to demonstrate that the 22 Security standards were addressed, what actions were taken with respect to each standard and the rationale for the actions.
The HOW section of this ErisaALERT focuses only on developing a basic foundational strategy as a starting point to comply with the Security Rule; other actions may also be needed including updating plan documents and Business Associate agreements, policies and procedures as well as additional workforce training.
Note: This material is for the sole purpose of providing general information and does not under any circumstances constitute legal advice and should not be used as a substitute for legal advice. You should seek the advice of counsel when applying the requirements to your plans.
For more information on this ErisaALERT, contact us by phone at 610-524-5351 and ask for Mary Andersen or 973-994-7539 and ask for Theresa Borzelli.
Copyright©2006, ERISAdiagnostics, Inc. www.erisadiagnostics.com
ErisaALERT 2006-3