Building in the Safeguards
Understanding HIPAA Security Rules for Business Associates, Part 3
Sections 164.308-316
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, affects much more than doctors and hospitals. Businesses and not-for-profit organizations are sometimes surprised to learn that data they handle is considered protected health information (PHI, or ePHI for electronic data), and therefore they must also comply with HIPAA and the HIPAA Security Rule of 2003, which governs electronic data. This three-part Weaver series was created to help you understand whether you are affected and, if so, how to comply with the rules and protect your business, your clients or business partners, and their patients.
To make sure patient data is only shared or accessed by those who have permission, HIPAA lays out a series of safeguards — specific actions and processes to protect electronic protected health information (ePHI). Covered entities (CEs) and business associates (BAs) should implement these administrative, physical and technical safeguards to strengthen their protection, build standardized security measures and secure ePHI.
This document dives into HIPAA sections outlining these safeguards:
- Administrative Safeguards (164.308)
- Physical Safeguards (164.310)
- Technical Safeguards (164.312)
- Organizational Requirements (164.314)
- Documentation (164.316)
The sections below lay out specifically how organizations must implement each standard, whether required or addressable. When a specification is required, you must ensure it is in place and implemented. For addressable specifications, you must assess whether the specification is reasonable and appropriate to implement in your environment. (See Parts 1 and 2 for more information on the difference between the two.)
Note that capitalized terms throughout (for example, Risk Analysis or Emergency Access Procedure) refer to specific standards, implementation specifications and terminology in the HIPAA Security Rule.
Administrative Safeguards: The Guardrails That Keep You in Compliance
(Section 164.308)
PHI and ePHI can't be protected appropriately without first implementing the governance side of the HIPAA Security Rule, known as the administrative safeguards. Once these safeguards are established, your organization will understand what risks to PHI exist, who is responsible for managing those risks, how PHI may be accessed, how to involve all employees in protecting PHI, and how to develop a contingency plan that keeps PHI available when it is needed most.
Finally, your organization must make sure that your vendors and other companies you do business with — business associates (BAs) — also enact these safeguards for any PHI they might access or store. If you are a BA that works with organizations subject to HIPAA, you can expect to be asked for assurances that you are meeting these requirements.
Summary of Administrative Safeguards
| Standard | Section | Required specifications | Addressable specifications | Common pitfalls |
|---|---|---|---|---|
| Security Management Process | 164.308(a)(1) | Risk Analysis; Risk Management; Sanction Policy; Information System Activity Review | (none) | Failing to conduct an annual HIPAA-specific risk assessment; not including risk to PHI in a broader annual risk assessment |
| Assigned Security Responsibility | 164.308(a)(2) | Assign responsibility for the security program to one individual or a group of individuals | (none) | Failing to assign the "right" person or group to the role |
| Workforce Security | 164.308(a)(3) | (none) | Authorization and/or Supervision; Workforce Clearance Procedure; Termination Procedures | Not having effective onboarding and exit procedures |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Function | Access Authorization; Access Establishment and Modification | Not using a mature access strategy, such as role-based access to information resources |
| Security Awareness Training | 164.308(a)(5) | (none) | Security Reminders; Protection from Malicious Software; Log-in Monitoring; Password Management | Security reminders are not sent regularly; training requirements are not enforced consistently for all relevant employees |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting | (none) | Failing to respond to security incidents affecting PHI in a timely manner; failing to notify HHS OCR of a breach of unsecured PHI affecting 500 or more individuals within the required timeframe (a Breach Notification Rule obligation) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan; Disaster Recovery Plan; Emergency Mode Operation Plan | Testing and Revision Procedures; Applications and Data Criticality Analysis | Failing to test the contingency plan frequently and thoroughly enough to know it works |
| Evaluation | 164.308(a)(8) | Periodic technical and nontechnical evaluation of security safeguards | (none) | Failing to periodically assess the safeguards in place over PHI and document the results |
| Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement | (none) | Failing to include the necessary obligations, security requirements and incident reporting requirements in contracts with business associates |
Administrative Safeguards Explained
Security Management Process
HIPAA requires organizations to implement policies and procedures to prevent, detect, contain and correct security violations. The Security Management Process standard outlines how to accomplish that goal, and it has four required implementation specifications:
- Risk analysis (sometimes called a risk assessment) is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI your organization holds.
- Risk management is the process of implementing security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level, and of revisiting them as the environment changes.
- A sanction policy applies actions or penalties against employees or contractors who fail to comply with security policies and procedures.
- An information system activity review establishes regular procedures to review records of system activity, such as audit logs, access reports and security incident tracking reports.
Section 164.308(a)(1) of the Security Rule describes these specifications in full.
Assigned Security Responsibility
If your organization is subject to HIPAA, even as a Business Associate, you must identify the security official(s) who is (are) responsible for developing and implementing security-related policies and procedures. These officials must also periodically review the security policies and procedures, confirm that security controls are operating effectively and oversee assessments of your data environment.
Workforce Security & Information Access Management
Workforce security and information access management both focus on how organizations ensure that all members of the workforce have appropriate access to ePHI, and that inappropriate access is restricted or removed.
Even though all of the specifications for Workforce Security are classified as addressable, they are still vital to your successful implementation of the HIPAA administrative safeguards. The standard includes Authorization and/or Supervision and Workforce Clearance Procedures, which govern how staff who work with ePHI are authorized and supervised and how their access is confirmed to be appropriate. It also outlines Termination Procedures for removing access to ePHI when staff leave or change responsibilities.
Information Access Management encompasses similar requirements, but with a focus on how access to ePHI is authorized and granted through workstations, transactions, programs and processes. If you are a health care clearinghouse that is part of a larger organization, you are required to isolate the Health Care Clearinghouse Function, which means implementing policies and procedures that protect the clearinghouse's ePHI from unauthorized access by the larger organization. The Access Authorization and Access Establishment and Modification specifications govern how you grant, document, review and modify a user's access to ePHI through specific workstations, transactions, programs or processes.
Security Awareness Training
As the name suggests, Security Awareness Training sets requirements for informing and guiding everyone associated with your organization through the different aspects of healthcare data security and, more specifically, each person’s specific responsibility to protect ePHI. The training should include at least these components:
- Security Reminders: periodic security updates that keep security awareness alive across the organization
- Protection from Malicious Software: procedures for guarding against, detecting and reporting malicious software, protecting your organization and its ePHI from external and internal threats
- Log-in Monitoring: procedures for monitoring log-in attempts and reporting discrepancies, such as bursts of failed log-ins or successful log-ins at unusual times, which may indicate an attempt to use stolen or guessed credentials
- Password Management: procedures for creating, changing and safeguarding passwords, including requirements such as length, complexity and when a password must be changed, so that user credentials follow current best practice
All of these components, appropriately implemented and taught, will not only fulfill the HIPAA requirements, but also reduce your security risk and enable your staff to protect the organization’s data and resources.
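The Log-in Monitoring specification above says what to watch for but not how. The following is an added example, not Weaver's code or part of the original article, of the kind of detection logic a small team might run over authentication logs: it flags a burst of failed log-ins for one account, a success that immediately follows such a burst, and successful log-ins outside business hours. The log format, user names and addresses are constructed for the example; a real deployment would read the organization's own authentication logs and tune the thresholds.

```python
"""Log-in monitoring over constructed auth events (added example, not Weaver's code).

Flags three things the text calls for: bursts of failed log-ins, a success that
follows such a burst, and successful log-ins outside business hours.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified syslog-like format (not real data).
SAMPLE_LOG = """\
2024-03-04T08:55:01 host1 auth: user=jsmith result=SUCCESS src=10.1.4.22
2024-03-04T09:02:10 host1 auth: user=mlee result=FAIL src=10.1.4.31
2024-03-04T09:02:14 host1 auth: user=mlee result=FAIL src=10.1.4.31
2024-03-04T09:02:19 host1 auth: user=mlee result=FAIL src=10.1.4.31
2024-03-04T09:02:25 host1 auth: user=mlee result=FAIL src=10.1.4.31
2024-03-04T09:02:31 host1 auth: user=mlee result=FAIL src=10.1.4.31
2024-03-04T09:02:40 host1 auth: user=mlee result=SUCCESS src=10.1.4.31
2024-03-04T23:41:07 host2 auth: user=jsmith result=SUCCESS src=203.0.113.9
2024-03-04T14:10:00 host1 auth: user=akim result=FAIL src=10.1.4.50
2024-03-04T16:45:00 host1 auth: user=akim result=SUCCESS src=10.1.4.50
this line is malformed and must be skipped rather than crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAIL) src=(?P<src>\S+)$"
)


def parse_events(log_text):
    """Parse matching lines into dicts with a datetime 'ts'; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events, fail_threshold=5, window=timedelta(minutes=5),
                   business_hours=(7, 19)):
    """Return (kind, user, timestamp) tuples for deviations worth reporting."""
    alerts = []
    recent_fails = defaultdict(list)   # user -> timestamps of failures inside the window
    burst_reported = set()             # avoid re-alerting on every extra failure
    for e in events:
        user, ts = e["user"], e["ts"]
        fails = [t for t in recent_fails[user] if ts - t <= window]
        if e["result"] == "FAIL":
            fails.append(ts)
            recent_fails[user] = fails
            if len(fails) >= fail_threshold and user not in burst_reported:
                alerts.append(("FAILURE_BURST", user, ts))
                burst_reported.add(user)
        else:
            if len(fails) >= fail_threshold:
                # credential guessing that apparently worked: highest priority
                alerts.append(("SUCCESS_AFTER_BURST", user, ts))
            recent_fails[user] = []
            burst_reported.discard(user)
            start, end = business_hours
            if not start <= ts.hour < end:
                alerts.append(("OFF_HOURS_SUCCESS", user, ts))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in find_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind:<20} user={user}")
```

On the sample data the monitor reports a failure burst for `mlee`, a success immediately after it, and an off-hours success for `jsmith`; the single failure for `akim` followed by a success two hours later is below the threshold and is not reported. The output of a script like this is exactly the kind of record the Information System Activity Review expects someone to look at.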
Security Incident Procedures
With its focus on security policy and procedures, HIPAA has only one specification related to security incidents, and it is required. You must implement the Response and Reporting Safeguard to identify, respond to, and mitigate the harmful effects of data security incidents. Responding appropriately will require you to develop detailed plans in advance for who responds to security incidents, who is informed and the processes they will follow.
Contingency Plan
The Contingency Plan specification outlines policies and procedures you should have in place for responding to emergencies involving systems that contain ePHI. You must develop and implement a business continuity plan and a disaster recovery plan to ensure that operations can continue and data remains protected during unforeseen interruptions.
Three plans are required: First, the data backup plan establishes procedures to create and maintain retrievable exact copies of ePHI. Next, the disaster recovery plan establishes procedures to restore any lost data. Finally, an emergency mode operation plan should enable critical business processes to continue for the protection of ePHI.
There are also two addressable specifications: Testing and Revision Procedures, and an Applications and Data Criticality Analysis. Addressable does not mean optional. You must assess whether each specification is reasonable and appropriate for your environment, considering characteristics such as organization size, the number of ePHI records and the volume of transactions; implement it if so; and otherwise document why not and implement an equivalent alternative measure where reasonable. Expect that assessment to take some analysis and discussion before you design the plans.
Evaluation
The evaluation requirements state that BAs and CEs must perform periodic evaluations when environmental or operational changes affect the security of ePHI. Evaluations can involve a number of different assessments, such as network segmentation tests, vulnerability assessments, vendor assessments, due diligence reviews and regular audits. Performing different evaluations like these throughout the year will help you protect your organization and stay in compliance with applicable standards.
Business Associate Contracts and Other Arrangements
According to HIPAA, a CE may permit a BA to create, receive, maintain or transmit ePHI on its behalf only if the CE obtains satisfactory assurances, in accordance with Section 164.314(a), that the BA will appropriately safeguard the information. These assurances usually take the form of a Business Associate Agreement (BAA). A CE is not required to obtain these assurances from its BAs' subcontractors; instead, the BA must obtain the same assurances from any subcontractor that handles ePHI on its behalf.
These requirements are found in the section called “Written Contract or Other Arrangement,” which states that business contracts must meet the requirements defined in 164.314(a). The Department of Health and Human Services (HHS) has a model Business Associate Agreement you can use to develop tailored agreements that meet your specific needs. The model from HHS is meant to be modified for each organization and vendor arrangement.
Physical Safeguards: Security You Can Touch (Section 164.310)
Access to workspaces, data centers, storage locations and other areas where PHI or ePHI might be stored must be secured. Physical safeguards deter and protect against adverse events that could expose ePHI. Stationing security guards around a building's perimeter, installing security cameras, creating a contingency plan for natural disasters and enforcing badge-reader access are effective at the organization level. Other measures, such as requiring visitors to sign in on arrival and to be escorted at all times, help keep unauthorized eyes off PHI within the building. Lastly, disposing of or erasing PHI properly, whether digital or hard copy, avoids accidental leakage to unauthorized parties.
| Standard | Section | Required specifications | Addressable specifications | Common pitfalls |
|---|---|---|---|---|
| Facility Access Controls | 164.310(a)(1) | (none) | Contingency Operations; Facility Security Plan; Access Control and Validation Procedures; Maintenance Records | Failing to periodically test the organization's contingency operations to confirm they are effective |
| Workstation Use | 164.310(b) | Policies and procedures specifying the proper functions, the manner in which they are performed and the physical surroundings of workstations that can access ePHI | (none) | Misconfiguration of workstation protection mechanisms |
| Workstation Security | 164.310(c) | Physical safeguards for all workstations that access ePHI, restricting them to authorized users | (none) | Improperly secured workstations in physical locations |
| Device and Media Controls | 164.310(d)(1) | Disposal; Media Re-Use | Accountability; Data Backup and Storage | Failure to collect proof of media disposal; failure to back up removable media properly before disposal |
What Are the Physical Safeguards?
Facility Access Controls
The purpose of this standard is to implement policies that limit physical access to electronic information systems (and the facilities where they are housed) to authorized individuals.
Contingency Operations is an addressable implementation specification that calls for establishing procedures to allow facility access if an emergency occurs, with a focus on restoring lost data. Outside of an emergency situation, a Facility Security Plan should prevent unauthorized physical access, tampering and theft of an organization’s facilities and equipment. Each facility housing ePHI should have procedures to validate the access of any person entering the facility under the Access Control and Validation Procedures specification. Access to software programs for testing and revision should also be appropriately restricted. Finally, policy and procedures should be established to document any repairs or modifications to security-related components of a facility (e.g., badge scanners, cameras and locks) under the Maintenance Records specification.
For BAs, these items may sound familiar and may be covered under existing disaster recovery and security procedures. BAs must develop plans of action in case facilities that house ePHI become inoperable. Can you recover and restore the lost data? How quickly after an incident can access to the facility and functionality be restored? The facilities that house ePHI should be subjected to additional scrutiny and security, especially focused on preventing unauthorized access. All of these requirements are designed to ensure that only appropriate users have access to BA facilities housing ePHI.
Workstation Use
You must implement policy and procedures to establish the physical characteristics and functions of workstations that can access ePHI. The procedures must describe in detail how each function should be performed. An appropriate procedure would include a description of a workstation, the types of jobs to be performed there, and how those tasks should be performed.
Care should be taken to ensure unauthorized devices cannot access ePHI. As more people work from home, organizations should ensure their catalog of devices with access to ePHI is complete and accurate. Further, periodic audits over the use of devices may be necessary to confirm that devices are being used in accordance with policy.
Workstation Security
After each workstation has been identified, described, and its uses delineated, you must implement physical safeguards to prevent unauthorized access to workstations with access to ePHI. For example, you should implement a policy to prevent portable workstations from being left in public locations.
Many organizations already have similar content in IT policies, but when handling ePHI, extra attention is warranted for making sure each workstation is always secure. This can require various approaches, such as storage standards, prohibiting laptop storage in easily accessible areas (e.g., a car), and mandating that users lock workstations when they are not actively in use.
Device and Media Controls
This standard addresses how to receive and remove or dispose of hardware and electronic media that contain ePHI. It also requires policies to cover movement of devices containing ePHI into, out of, and within a facility.
Appropriate Disposal of ePHI, or any hardware or media upon which it is stored, should be defined by an appropriate policy (e.g., proper erasure of hard drives before disposal). If a device is to be reused, ePHI should first be removed under the Media Re-Use specification. If equipment is to be moved within a facility, the Accountability specification dictates that the movement of hardware and electronic media, along with the person responsible for the movement, should be recorded. Before moving media or devices containing ePHI, someone must create a retrievable, exact copy of ePHI per the Data Backup and Storage specification.
For some organizations, this may require some additional investment. When disposing of outdated technology, it is important to ensure no ePHI can be recovered from the device. A common method to satisfy this requirement is to use disposal services for technology that once held ePHI. When re-using technology rather than disposing of it, first ensure the device is completely wiped of ePHI before being reissued. A strong policy must be implemented to ensure devices are appropriately prepared for re-use.
Accountability means your company needs to have firm control of its devices and know exactly where information is stored. Today, ePHI may be stored on portable devices (such as tablets or flash drives) prone to being lost or stolen. Policies must be in place to enable organizations to track device ownership and storage locations. Tracking each device housing ePHI throughout its lifecycle is critical. Backing up ePHI is also crucial for an organization. Data may be lost in many different ways — from improper storage to simply being lost. You must develop in-depth policies and procedures to ensure data is backed up when necessary, especially when critical equipment is being moved or disposed of.
Technical Safeguards: System Security (Section 164.312)
Implementing HIPAA technical safeguards strengthens your security posture by providing a standard for technical actions to manage the security of ePHI. The section describes five standards, with some having implementation specifications. The table below provides a brief overview of the standards and associated implementation specifications mentioned in section 312.
| Standard | Section | Required specifications | Addressable specifications | Common pitfalls |
|---|---|---|---|---|
| Access Control | 164.312(a)(1) | Unique User Identification; Emergency Access Procedure | Automatic Logoff; Encryption and Decryption | Use of shared accounts by organization staff; ad hoc or immature procedures for emergency access when it is needed |
| Audit Controls | 164.312(b) | Hardware, software and procedural mechanisms that record and examine activity in systems that contain or use ePHI | (none) | Audit controls that fail to detect misuse of, or inappropriate access to, PHI |
| Integrity | 164.312(c)(1) | (none) | Mechanism to Authenticate ePHI | Improper authentication configuration at some level of the IT environment, allowing inappropriate access; ePHI copied to less-secure environments where inappropriate individuals can reach it |
| Person or Entity Authentication | 164.312(d) | Procedures to verify that a person or entity seeking access to ePHI is the one claimed | (none) | Improperly configured authentication measures allowing access to ePHI |
| Transmission Security | 164.312(e)(1) | (none) | Integrity Controls; Encryption | Failure to detect modification of ePHI in transit; use of inadequate encryption algorithms and improper key storage |
Technical Safeguards Explained
Access Control
As the name suggests, this standard mandates that access be controlled so only authorized users and software programs have access to information systems that collect, process, and store ePHI. Unauthorized users should be systematically prohibited from accessing these information systems.
Organizations must assign each person a Unique User Identifier to aid in user tracking. Each user that accesses an information system should log in with their unique identifier. When standard access is unavailable or insufficient, emergency access may be granted. An Emergency Access Procedure is required to document how to access ePHI during an emergency (e.g., in a power outage when primary access mechanisms are unavailable). To limit the possibility of unauthorized access when personnel are not actively using the system, an Automatic Logoff should be implemented. Each session on an information system that maintains ePHI should automatically terminate after a predetermined period of inactivity. Finally, all ePHI should have a mechanism for Encryption and Decryption, ensuring security and confidentiality of ePHI from unauthorized disclosure, even if a system is compromised.
Audit Controls
Activity on information systems that contain or use ePHI needs to be recorded for use in future audits. Mechanisms must be implemented on each information system to ensure that activity is appropriately recorded and examined. Activity records must be stored and available for reference as needed.
Having audit information readily available can save time, headaches and money. Planning ahead allows you to automate this audit trail, rather than trying to recreate it after the fact.
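An audit trail is only useful in an investigation if nobody could have quietly edited it. The following is an added example, not Weaver's code or part of the original article, of a tamper-evident audit log for ePHI access events: each entry's hash covers its own content and the previous entry's hash, and a keyed seal over the most recent entry is kept away from the log host (for instance by the SIEM). The user names, record identifiers and seal key are constructed for the example.

```python
"""Tamper-evident audit trail for ePHI access events (added example, not Weaver's code).

Each entry's hash covers its own content and the previous entry's hash, so editing,
deleting or reordering a past entry breaks every later link. A keyed seal over the
head, stored away from the log, catches a wholesale rewrite of the chain.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64
FIELDS = ("seq", "ts", "user", "action", "record")


def _entry_hash(prev_hash, entry):
    # canonical JSON so a given event always serializes, and hashes, the same way
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(chain, user, action, record_id, timestamp):
    """Append one access event to the in-memory chain and return the stored row."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "ts": timestamp, "user": user,
             "action": action, "record": record_id}
    row = dict(entry, prev=prev, hash=_entry_hash(prev, entry))
    chain.append(row)
    return row


def verify_chain(chain):
    """Recompute every link from GENESIS. Returns (True, None) or (False, first_bad_index)."""
    prev = GENESIS
    for i, row in enumerate(chain):
        entry = {k: row[k] for k in FIELDS}
        if (row["seq"] != i or row["prev"] != prev
                or not hmac.compare_digest(row["hash"], _entry_hash(prev, entry))):
            return False, i
        prev = row["hash"]
    return True, None


def seal_head(chain, seal_key):
    """Keyed commitment to the current head; keep the key and the seal off the log host."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(seal_key, head.encode(), hashlib.sha256).hexdigest()


def seal_matches(chain, seal_key, stored_seal):
    return hmac.compare_digest(seal_head(chain, seal_key), stored_seal)


def build_sample_chain():
    """Constructed sample events; users and record numbers are hypothetical."""
    chain = []
    append_event(chain, "jsmith", "VIEW", "MRN-0001", "2024-03-04T09:00:00")
    append_event(chain, "jsmith", "VIEW", "MRN-0002", "2024-03-04T09:01:10")
    append_event(chain, "mlee", "EXPORT", "MRN-0002", "2024-03-04T09:05:42")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["user"] = "mlee"          # someone rewrites who viewed MRN-0002
    print("after edit:", verify_chain(chain))
```

Editing, deleting or reordering an entry makes `verify_chain` report the first broken index. An insider with write access to the log could rebuild the whole chain with new hashes, which `verify_chain` alone cannot detect; that is what the externally stored seal is for, and why the seal key must not live on the same host as the log.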
Integrity
Integrity in ePHI refers to making sure that information is not improperly altered or destroyed. A mechanism should be implemented to prevent unauthorized alteration or destruction of data. All ePHI should maintain its original quality and state, unless altered by authorized means.
There are a variety of threats to ePHI integrity, from innocent mistakes to a malicious actor. Beyond the risk of noncompliance, this can have a significant impact on a BA's ability to provide proper services to a CE client. Just think of the inconvenience you would experience if medical records from a physician were suddenly incorrect. Now imagine if your company lost all, or most, of the original copies of clients' records. This could lead to various harms, including patients missing the care they need. Assuring that the ePHI you manage stays accurate is crucial for every company whose services involve ePHI.
Person or Entity Authentication
This standard is simple: procedures should be in place to ensure that a person or entity seeking access to ePHI is the one claimed. This may be accomplished by requiring something only the authorized individual knows, such as a password or PIN, or something they possess, such as a code from a multi-factor authentication token.
Businesses likely already have authentication mechanisms in place. Updating existing single-factor authentication procedures to multi-factor authentication strengthens your security posture. With the added layer, an employee needs a username, a password and an additional item, such as a one-time code, to access ePHI.
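The one-time code mentioned above is usually a time-based one-time password (TOTP, RFC 6238), built on HMAC-based one-time passwords (HOTP, RFC 4226). The following is an added example, not Weaver's code or part of the original article, of how such a code is generated and, more importantly, how a server should verify it: tolerating a small amount of clock skew, comparing in constant time, and refusing to accept the same code twice. The secret is the RFC 6238 test secret so that the output can be checked against the published vectors; the `SecondFactor` class and its method names are this example's own.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time codes with replay protection.

Added example, not Weaver's code. The secret below is the RFC 6238 test secret,
used only so the outputs can be checked against the published vectors.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """Truncate HMAC-SHA1(secret, counter) to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based variant: the counter is the number of `step`-second intervals elapsed."""
    return hotp(secret, unix_time // step, digits)


def matching_counter(secret, submitted, unix_time, step=30, digits=6, window=1):
    """Return the time-step counter whose code equals `submitted`, or None.

    Checks the current step and `window` steps either side to tolerate clock skew.
    Every candidate is evaluated and compared in constant time; no early return.
    """
    current = unix_time // step
    match = None
    for delta in range(-window, window + 1):
        candidate = current + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            match = candidate
    return match


class SecondFactor:
    """Server-side verifier for one user: rejects bad codes and replays of accepted ones."""

    def __init__(self, secret):
        self.secret = secret
        self.last_accepted = -1   # highest counter already used by this user

    def check(self, submitted, unix_time=None):
        if unix_time is None:
            unix_time = int(time.time())
        counter = matching_counter(self.secret, submitted, unix_time)
        if counter is None or counter <= self.last_accepted:
            return False
        self.last_accepted = counter
        return True


if __name__ == "__main__":
    print("current code:", totp(RFC_TEST_SECRET, int(time.time())))
```

Two details matter for a deployment: the per-user secret must be stored with the same care as a password hash (it is a key, not a hash, so it cannot be "salted and hashed"), and the server must rate-limit attempts, since a six-digit code with a three-step window is guessable in roughly a few hundred thousand tries without such a limit.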
Transmission Security
The final standard under section 312 provides security when transmitting ePHI over a network. Security measures should be in place to assure that unauthorized access to ePHI is guarded against when in transit. This section has two implementation specifications.
Integrity Controls, like the Integrity standard, protect ePHI from unauthorized modification during electronic transmission and detect any attempt to modify the data. Encryption alone does not do this: a cipher hides the content, but many encryption modes let an attacker flip bits in the ciphertext so that the decrypted data changes in a predictable way without anyone noticing. Integrity in transit therefore comes from a message authentication code or digital signature, in practice from TLS or an authenticated-encryption mode (such as AES-GCM) that combines confidentiality and integrity. Encryption transforms data into an unreadable form that can be recovered only with the key. ePHI should also be encrypted at rest (when stored on a server or device) rather than saved in readable form, so that only authorized users and applications can read and use it. Should bad actors reach your storage, they obtain ciphertext that is useless without the keys, which is why keys must be stored and managed separately from the data they protect.
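The point that encryption by itself does not provide integrity is easy to state and easy to forget, so here is an added example, not Weaver's code or part of the original article, that shows it concretely for the Integrity and Transmission Security standards above. A stream cipher protects a constructed medication record, an attacker who knows the record layout flips one ciphertext byte and turns a 1 mg dose into 9 mg, and the decryption succeeds silently; with a MAC computed over the ciphertext (encrypt-then-MAC), the same change is rejected before decryption. The HMAC-counter keystream is a stand-in for a real cipher so the example needs nothing beyond the standard library; keys, nonce and record are constructed.

```python
"""Why integrity needs more than encryption (added example, not Weaver's code).

A stream cipher hides a record but is malleable: flipping ciphertext bits flips the
same plaintext bits, undetected. Adding a MAC over the ciphertext (encrypt-then-MAC)
makes any change detectable before decryption. The HMAC-counter keystream here is
for illustration only; production code should use a vetted AEAD such as AES-GCM.
"""
import hashlib
import hmac
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in PRF keystream (illustrative only)
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_stream(enc_key, nonce, data):
    """Unauthenticated encryption or decryption (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so both are bound."""
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; message rejected")
    return xor_stream(enc_key, nonce, ct)


def flip_byte(data, offset, old_char, new_char):
    """Attacker's bit-flip: XOR one ciphertext byte so that byte decrypts to new_char."""
    out = bytearray(data)
    out[offset] ^= ord(old_char) ^ ord(new_char)
    return bytes(out)


def demo():
    """Constructed keys and record; returns what an attacker achieves with and without the MAC."""
    enc_key, mac_key = b"e" * 32, b"m" * 32            # separate keys for separate purposes
    nonce = bytes(range(NONCE_LEN))                     # must be unique per message in practice
    record = b"patient=MRN-0002;drug=warfarin;dose=1mg"
    pos = record.index(b"dose=") + len(b"dose=")        # the digit the attacker wants to change

    ct = xor_stream(enc_key, nonce, record)
    forged = xor_stream(enc_key, nonce, flip_byte(ct, pos, "1", "9"))

    blob = seal(enc_key, mac_key, nonce, record)
    try:
        open_sealed(enc_key, mac_key, flip_byte(blob, NONCE_LEN + pos, "1", "9"))
        rejected = False
    except ValueError:
        rejected = True
    return {"unauthenticated_result": forged,
            "authenticated_roundtrip": open_sealed(enc_key, mac_key, blob),
            "tamper_rejected": rejected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The attacker never learns the key and never decrypts anything; knowing only where the dose field sits in the record is enough to change it. That is the failure mode the Integrity Controls specification exists to catch, and it is why "we encrypt it" is not by itself an answer to the integrity question.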
Organizational Requirements (Section 164.314)
Not all HIPAA requirements involve technology. The organizational requirements in Section 164.314 relate to contracts with business associates and disclosure of ePHI to health plan sponsors. The table below provides a brief overview of the standards and associated implementation specifications mentioned in section 314.
| Standard | Section | Required specifications | Addressable specifications | Common pitfalls |
|---|---|---|---|---|
| Business Associate Contracts or Other Arrangements | 164.314(a)(1) | Business Associate Contracts; Other Arrangements; Business Associate Contracts with Subcontractors | (none) | Failure to require a business associate to sign a contract before it interacts with ePHI; failure to flow the contract requirements down to business associate subcontractors |
| Requirements for Group Health Plans | 164.314(b)(1) | Plan document requirements (164.314(b)(2)) | (none) | Inadequately defined or enforced requirements at the organization |
Organizational Requirements Explained
Business Associate Contracts or Other Arrangements
The first part of section 164.314 covers any contracts between a CE and a BA, describing certain terms that each contract should contain:
- The BA will comply with all applicable requirements detailed under HIPAA
- If the BA has a subcontractor that interacts with ePHI on the BA’s behalf, that subcontractor must comply with HIPAA requirements as well
- If a contractor or subcontractor becomes aware of a security incident or breach of unsecured ePHI, it must report that incident to the CE
A CE that has another arrangement meeting the requirements of § 164.504(e)(3) (for example, when both the CE and the BA are governmental entities) is also in compliance with this standard. In short, a governmental CE can satisfy it through a memorandum of understanding with the BA that contains the required terms, or where a law applicable to the BA already imposes them.
Finally, the same requirements apply to the contract or other arrangement between a BA and a subcontractor required under § 164.308(b)(4). An arrangement that is required for any reason, including by law, is treated like any other contract and must contain the appropriate language.
Requirements for Group Health Plans
The final part of section 164.314 covers the standard for providing a plan sponsor with ePHI. Unless the ePHI is disclosed under § 164.504(f)(1)(ii) or (iii) (summary health information, or enrollment and disenrollment information) or pursuant to an authorization under § 164.508, a group health plan must ensure that its plan documents require the plan sponsor to reasonably and appropriately safeguard the ePHI. Those exceptions cover circumstances, such as disclosing summary health information so the sponsor can obtain premium bids or amend the plan, in which limited information can go to a plan sponsor without the plan-document requirements below.
The implementation requirements specifically detail that the plan documents of a group health plan should require the plan sponsor to establish the following:
| Safeguards | Adequate Separation | Agent Measures | Incident Reporting |
|---|---|---|---|
| Implement administrative, physical and technical safeguards to protect ePHI | Ensure that the adequate separation required by Section 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures | Ensure that any agent to whom information is provided takes reasonable measures to protect ePHI | Report any security incident of which it becomes aware to the group health plan |
Documentation Requirements (Section 164.316)
Maintaining the required documentation of your policies and procedures is critical to HIPAA compliance, and that includes recording changes to these documents as they evolve. How do you prove you have standards and controls developed and implemented? That you have standards addressing the administrative, physical, and technical safeguards?
Section 164.316 contains two standards. The Policies and Procedures standard (164.316(a)) requires CEs and BAs to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the Security Rule. A CE or BA may change its policies and procedures at any time, provided that the changes are documented and implemented in accordance with the rest of the rule. The Documentation standard (164.316(b)) then sets out what must be written down and for how long.
Standard Documentation
First, you must maintain the policies and procedures implemented in either written or electronic form. Second, if an action, activity or assessment is required, you must also document that it was completed, by whom and when. This documentation can be a related document where you manually record changes, via an intranet site with version control, or within the original document as a record of modifications with dates.
You must retain each version of these policy and procedure documents for at least six years from the date of its creation or the date when it last was in effect, whichever is later. In other words, if a policy was created in 2016 and replaced in 2018, the 2016 version was last in effect in 2018 and must be kept until 2024; the 2018 version must be kept until six years after it is itself superseded. Only after that period may you dispose of them.
While these documents are being retained, they must also be updated periodically and made available to those responsible for implementing safeguards that pertain to them. Remember to update HIPAA policies and procedures whenever there is a change to any system that may affect the security of ePHI.
Protecting Patient Data to Protect Your Business
Even though HIPAA has been in force for more than 20 years, it can still catch organizations by surprise, especially those that have recently expanded their reach and now touch PHI. Fortunately, flexibility is built into the regulation in the form of addressable requirements, and much of what HIPAA requires is just good data security. If you are new to HIPAA compliance, the first step should be to familiarize yourself with the basic requirements summarized in this three-part series.
Could Your Organization Use HIPAA Help?
Your first HIPAA Security Assessment can be difficult and time consuming. We want to help make it easier for you. Weaver’s IT Advisory professionals have the experience to help guide this process and address common pitfalls involved in HIPAA compliance, especially for Business Associates and others who may access PHI for the first time.
For more information on how HIPAA regulations may apply to your organization, contact us. We are here to help.
Authored by Hunter Sundbeck, David Friedenberg and Alexis Kennedy.
©2024
This is Part 3 of Weaver’s 3-part series on HIPAA Security Rule compliance:
- Who Needs a HIPAA Security Assessment? You May Be Surprised: Rules Touch Many Non-Medical Businesses
- The Who and How of HIPAA: Understanding Terms, Scope and Applicability