The Who and How of HIPAA: Understanding Terms, Scope and Applicability
Understanding HIPAA Security Rules for Business Associates, Part 2
Parts 164.302, .304 and .306
The Health Insurance Portability and Accountability Act (HIPAA), which took effect in 2000, affects more than doctors and hospitals. Businesses and not-for-profit organizations are sometimes surprised to learn that data they handle is considered protected health information (PHI, or ePHI for electronic data), and therefore they must also comply with HIPAA and the HIPAA Security Rule of 2003, which governs electronic data. This three-part Weaver series was created to help you understand whether you are affected and, if so, how to comply with the rules and protect your business, your clients or business partners, and their patients.
Part 164.302 – Applicability
The HIPAA Privacy Rule was published in 45 Code of Federal Regulations (CFR), Parts 160 (legislative authority) and 164 (applicability and requirements). This series looks specifically at Part 164, Subpart C, Security Standards for the Protection of Electronic Protected Health Information.
Section 164.302, “Applicability,” states that the regulation applies to all covered entities (CE) — meaning providers, insurers and insurance clearinghouses — and their “business associates” (BA). Subpart C also defines ePHI as the electronic, or digital, version of protected health information (PHI) such as healthcare claims, demographic information, medical history, etc. One data point alone may not be enough to identify an individual; however, if you have more than one data point, or attribute, the combined data may allow someone to become “identifiable” and therefore it all becomes PHI. (See Part 1 of this series for more information about what makes data into PHI or ePHI.)
Who Must Comply with HIPAA?
Covered Entity | Business Associate |
---|---|
To understand HIPAA compliance, you must also understand which parts of the Security Standard are required and which are addressable. Required means exactly what it says: a CE or BA must ensure this standard, process, or safeguard is in place and implemented. If a specification is considered addressable, a CE or BA must assess whether it applies to its organization and whether it is reasonable and appropriate to implement. Either way, you must explain your decision in writing as part of your organization’s HIPAA compliance documentation.
Of the 45 specifications, 22 are addressable while 23 are required (see Table 3, Summary of Requirements, below). These specifications include requirements to have training materials, make documentation widely available, and retain this documentation for at least six years from the last modification. In other words, each version of the documentation must be retained for at least six years before it can be discarded.
164.304 – Definitions
This section doesn’t include any specifications or requirements; instead, it lays the foundation by defining the terms used in the security standard. These definitions come directly from the regulation.
Table 1: Terms & Definitions
Term | Definition |
---|---|
Access | The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. |
Administrative Safeguards | Administrative actions, policies, and procedures used to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the CE’s or BA’s workforce in relation to the protection of that information. |
Authentication | The corroboration that a person is the one claimed. |
Availability | The property that data or information is accessible and useable upon demand by an authorized person. |
Confidentiality | The property that data or information is not made available or disclosed to unauthorized persons or processes. |
Encryption | The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. |
Facility | The physical premises and the interior and exterior of a building. |
Information System | An interconnected set of information resources under the same direct management control that shares common functionality. |
Integrity | The property that data or information has not been altered or destroyed in an unauthorized manner. |
Malicious Software | Software designed to damage or disrupt a system (e.g., a virus or other malware). |
Password | Confidential authentication information composed of a string of characters. |
Physical Safeguards | Physical measures, policies and procedures to protect a CE’s or BA’s ePHI and related buildings and equipment from natural and environmental hazards or unauthorized intrusion. |
Security Measures | Encompasses all the administrative, physical and technical safeguards in an information system. |
Security Incident | The attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. |
Technical Safeguards | The technology and the policy and procedures for its use that protect ePHI and control access to it. |
User | A person or entity with authorized access. |
Workstation | An electronic computing device, or any other device that performs similar functions, and electronic media stored in its immediate environment. |
164.306 – Security Standards & General Rules
Covered Entities and Business Associates must ensure the confidentiality, integrity and availability of ePHI that is created, received, maintained, or transmitted. That means your organization must make sure this information is locked down tight. Your security measures must protect against reasonably anticipated threats, hazards, uses or disclosures of ePHI in order to stay in compliance with HIPAA. The language used by the regulation in this section is ambiguous by design so that organizations aren’t restricted to a rigid approach and have freedom to modify their current security measures as conditions change.
This flexibility allows you to modify, as needed, your current environment and gauge risks at an appropriate level. These are some key factors that affect what kind of security measures are needed:
Table 2: Factors Affecting HIPAA Security Measures
Factors Affecting HIPAA Security Measures |
---|
Size and Complexity |
Organizational Capabilities |
Technical Infrastructure |
Hardware and Software Capabilities |
Costs of Security Measures |
Probability and Criticality of Potential Risks to ePHI |
To begin, your organization must review all of the HIPAA specifications to determine which are required and which are addressable. Specifications that are required must be implemented in order for your organization to be in compliance with the Security Rule. Those that are addressable, however, offer some flexibility that allows the organization to implement the specification as written, implement an alternative security measure that mitigates similar risk, or — if you can provide a sound explanation as to why it is unnecessary or inappropriate — not implement it. Whether a specification is required or addressable, the determination of how it is handled must be documented. This table summarizes both kinds of specifications:
Table 3: Summary of Requirements
(Required and Addressable)
Required | | Addressable | |
---|---|---|---|
Section Title | Section Reference (§164.XXX) | Section Title | Section Reference (§164.XXX) |
Risk Analysis | 308(a)(1) | Authorization and/or Supervision | 308(a)(3) |
Risk Management | 308(a)(1) | Workforce Clearance Procedures | 308(a)(3) |
Information System Activity Review | 308(a)(2) | Termination Procedures | 308(a)(3) |
Assigned Security Responsibility | 308(a)(2) | Access Authorization | 308(a)(4) |
Isolating Healthcare Clearinghouse Functions | 308(a)(4) | Access Establishment and Modifications | 308(a)(4) |
Response and Reporting | 308(a)(6) | Security Reminders | 308(a)(5) |
Data Backup Plan | 308(a)(7) | Protection from Malicious Software | 308(a)(5) |
Disaster Recovery Plan | 308(a)(7) | Log-in Monitoring | 308(a)(5) |
Emergency Mode Operation Plan | 308(a)(7) | Password Management | 308(a)(5) |
Evaluation | 308(a)(8) | Testing and Revision Procedure | 308(a)(7) |
Written Contract or Other Arrangement | 308(b)(1) | Applications and Data Criticality Analysis | 308(a)(7) |
Workstation Use | 310(b) | Contingency Operations | 310(a)(1) |
Workstation Security | 310(c) | Facility Security Plan | 310(a)(1) |
Device & Media Disposal | 310(d)(1) | Access Control and Validation Procedures | 310(a)(1) |
Media Re-Use | 310(d)(1) | Maintenance Records | 310(a)(1) |
Unique User Identification | 312(a)(1) | Device & Media Accountability | 310(d)(1) |
Emergency Access Procedure | 312(a)(1) | Device Data Backup & Storage | 310(d)(1) |
Audit Controls | 312(b) | Automatic Logoff | 312(a)(1) |
Person or Entity Authentication | 312(d) | Encryption and Decryption | 312(a)(1) |
Policies & Procedures | 316(a) | Mechanism to Authenticate ePHI | 312(c)(1) |
Documentation Time Limit | 316(b) | Transmission Integrity Controls | 312(e)(1) |
Documentation Availability | 316(b) | Transmission Encryption | 312(e)(1) |
Documentation Updates | 316(b) | | |
Required Specifications
One example of a required specification is that the organization must conduct a risk analysis (also called a “risk assessment”). This analysis must be accurate, thorough and assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the CE or BA.
Most traditional risk assessments include these criteria, but your organization should ensure that all healthcare data is included in the assessment. The assessment must be conducted every year, or whenever major changes to the data environment occur. The risk analysis is foundational. If you can meet this requirement, it will help you address all the others.
Addressable Specifications
An example of an addressable specification is “authorization and supervision,” which means implementing procedures to authorize and supervise staff who work with ePHI or in locations where ePHI might be accessed.
This specification can take on various forms, which is why it’s addressable rather than required. One way to accomplish this supervision would be to assign a manager to each staff member or group that has access to ePHI, and make that manager responsible for compliance. If the information is accessed from a location, rather than a portable device, one individual can be the location supervisor and have various technical measures in place to monitor devices in their location.
If this isn’t something your organization can realistically perform, you would need to document a reasonable explanation for substituting an alternative measure. Just because something isn’t “required” doesn’t mean it can be ignored.
Could Your Organization Use HIPAA Help?
Your first HIPAA Security Assessment can be difficult and time consuming. We want to help make it easier for you. Weaver’s IT Advisory professionals have the experience to help guide this process and address common pitfalls involved in HIPAA compliance, especially for Business Associates and others who may access PHI for the first time.
For more information on how HIPAA regulations may apply to your organization, contact us. We are here to help.
Authored by Hunter Sundbeck, David Friedenberg and Alexis Kennedy.
©2023
This is Part 2 of Weaver’s 3-part series on HIPAA Security Rule compliance:
- Who Needs a HIPAA Security Assessment? You May Be Surprised: Rules Touch Many Non-Medical Businesses
- Building in the Safeguards