HIPAA and HITECH Act Serve as Cybersecurity Standards for Healthcare

Federal and state standards, including the HIPAA Privacy Rule and the HIPAA Security Rule, set out how healthcare providers should implement methods to secure patients’ confidential medical information.

45 CFR Part 160 and Part 164, Subparts A and C, provide the “Security Standards for the Protection of Electronic Protected Health Information.” This is known as the Security Rule, and it was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Meaningful Use provisions of the ARRA HITECH Act of 2009 require HIPAA Privacy and Security Safeguards including Administrative Safeguards, Physical Safeguards, Technical Safeguards, and Documented Organizational Policies and Procedures as an integral step to achieving “Meaningful Use” and therefore receiving federal stimulus dollars.

When hospitals become “meaningful users” of electronic health records, they are required to implement adequate and reasonable administrative actions, policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information, and to manage the conduct and training of the covered entity’s workforce and Business Associates.

  1. The HIPAA Privacy Rule mandates that a patient’s personally identifiable health information is considered Protected Health Information (PHI), that it is confidential, and that it may not be disclosed without authorization.
    1. Any HIPAA Covered Entity (CE) is subject to HIPAA.
    2. The HIPAA Rules generally require that CEs enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.
  2. Subcontractors that use or disclose PHI on behalf of a CE are Business Associates (BAs), and a CE should ensure that a Business Associate Agreement (BAA) is in place, as required by the standard in § 164.308(b)(1).

Administrative Safeguards include Risk Analysis, Risk Management, Authorization and Supervision of the workforce, Access Authorization, Log-in Monitoring, and Security Awareness and Training as defined in § 164.308(a)(5). Administrative Safeguards also require Business Associate (“BA”) Contracts for any entity that creates, views, receives, maintains, or transmits protected health information.

Standards include:

  1. Security Management Process (for example, see § 164.308(a)(1) for the Standard, which requires a risk analysis, risk management, a sanction policy, and information system activity review)
  2. Assigned Security Responsibility
  3. Workforce Security
  4. Information Access Management
  5. Security Awareness and Training
  6. Security Incident Procedures
  7. Contingency Plan
  8. Evaluation
  9. Business Associate Contracts and Other Arrangements

The HIPAA Security Rule requires covered entities to implement a security awareness and training program for all members of its workforce.  This includes implementing (i) periodic security updates, (ii) procedures for guarding against, detecting, and reporting malicious software, (iii) procedures for monitoring log-in attempts and reporting discrepancies, and (iv) procedures for creating, changing and safeguarding passwords.  The HIPAA Security Rule requires covered entities to assess whether each of these implementations is a reasonable and appropriate safeguard and, if not, document why it would not be reasonable and appropriate to implement and implement an equivalent alternative measure if reasonable and appropriate. (See 45 CFR 164.308(a)(5).)

The HIPAA Security Rule requires covered entities to implement policies and procedures to address security incidents.  This includes (i) identifying and responding to suspected or known security incidents, (ii) mitigating, to the extent practicable, harmful effects of security incidents that are known to the covered entity, and (iii) documenting security incidents and their outcomes.  (See 45 CFR 164.308(a)(6).)

The HIPAA Security Rule requires covered entities to establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.  This includes (i) establishing and implementing procedures to create and maintain retrievable exact copies of electronic protected health information, (ii) establishing (and implementing as needed) procedures to restore any loss of data, (iii) establishing (and implementing as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode, (iv) implementing procedures for periodic testing and revision of contingency plans, and (v) assessing the relative criticality of specific applications and data in support of other contingency plan components.  The HIPAA Security Rule requires covered entities to assess whether (iv) and (v) are reasonable and appropriate safeguards and, if not, document why they would not be reasonable and appropriate to implement and implement equivalent alternative measures if reasonable and appropriate.  (See 45 CFR 164.308(a)(7).)

The HIPAA Security Rule requires covered entities to perform a periodic technical and nontechnical evaluation, based initially upon the standards of the HIPAA Security Rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of the HIPAA Security Rule.  (See 45 CFR 164.308(a)(8).)

Physical Safeguards are defined in § 164.310(a)(1) as “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.” 

Standards include:

  1. Facility access controls
  2. Workstation use
  3. Workstation security
  4. Device and media controls

Technical Safeguards – The HIPAA Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

Standards include:

  1. Access control
  2. Audit controls
  3. Integrity
  4. Person or entity authentication
  5. Transmission security

Organizational Requirements – The Business Associate Contracts and Other Arrangements standard found at § 164.308(b)(1) requires a covered entity to have contracts or other arrangements with business associates that will have access to the covered entity’s electronic protected health information (ePHI). The standard at § 164.314(a)(1) provides the specific criteria required for written contracts or other arrangements between a covered entity and its business associates.

Standards include:

  1. Documentation of policies and procedures

CEs must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes. These minimum necessary policies and procedures must also reasonably limit who within the entity has access to protected health information, and under what conditions, based on job responsibilities and the nature of the business. See 45 CFR 164.502(b) and 164.514(d).

A violation of the HIPAA Privacy or Security Rule occurs in instances where unsecured PHI was acquired, used, or disclosed in a manner not permitted by the rule. Under the HITECH-HIPAA Omnibus Final Rule, published on January 25, 2013, an entity is required to presume such a violation to be a breach unless one of three exceptions applies, the information has been rendered unusable, unreadable, or indecipherable, or a completed risk assessment demonstrates a low probability that the PHI has been compromised. PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through either encryption or destruction is considered to be unsecured.

Michael F. Arrigo

Michael is Managing Partner & CEO of No World Borders, a leading healthcare management and IT consulting firm. He serves as an expert witness in Federal and State Court and was recently ruled as an expert by a 9th Circuit Federal Judge. He serves as a patent expert witness on intellectual property disputes, both as a Technical Expert and a Damages expert. He leads a team that provides Cybersecurity best practices for healthcare clients, ICD-10 Consulting, Meaningful Use of Electronic Health Records. He advises legal teams as an expert witness in HIPAA Privacy and Security, medical coding and billing and usual and customary cost of care, the Affordable Care Act and benefits enrollment, white collar crime, False Claims Act, Anti-Kickback, Stark Law, Insurance Fraud, payor-provider disputes, and consults to venture capital and private equity firms on mHealth, Cloud Computing in Healthcare, and Software as a Service. He advises self-insured employers on cost of care and regulations. Arrigo was recently retained by the U.S. Department of Justice (DOJ) regarding a significant false claims act investigation. He has provided opinions on over $1 billion in health care claims and due diligence on over $8 billion in healthcare mergers and acquisitions. Education: UC Irvine - Economics and Computer Science, University of Southern California - Business, studies at Stanford Medical School - Biomedical Informatics, studies at Harvard Medical School - Bioethics. Trained in over 10 medical specialties in medical billing and coding. Trained by U.S. Patent and Trademark Office (USPTO) and PTAB Judges on patent statutes, rules and case law (as a non-attorney to better advise clients on Technical and Damages aspects of patent construction and claims). Mr. Arrigo has been quoted in the Wall Street Journal, New York Times, and National Public Radio.