On December 24, 2020 the Senate passed new legislation H.R.7898 – “To amend the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.” The House of Representatives passed the legislation on December 9th, 2020, so the bill has now been presented to the President. Whether or not the bill becomes law, HIPAA Covered Entities have always had a method to demonstrate that they meet healthcare Industry Standards for Privacy and Security. These include an internal audit, or retention of a HIPAA expert with experience in the HITECH Act to perform a review and provide an independent opinion.
The bill proposes to modify 42 USC 17931 (Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions) with a provision that recognized security practices may be considered when determining penalties:
“RECOGNIZED SECURITY PRACTICES.—The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title).” [emphasis added]
As for specific Standards, the NIST 2(c)(15) is noted in the new legislation, but interestingly, the framework of the HIPAA Omnibus Rule of 2013 and the HITECH Act already provide for use of NIST Standards. However, in terms of making rather technical specifications operational, one should look to the Administrative Safeguards, Physical Safeguards, and Technical Safeguards as well as policies and procedures (see below).
Generally, we recommend an internal, proactive audit for HIPAA Covered Entities to ensure that they meet the minimum levels prescribed by HIPAA and HITECH. None of the new legislation removes the need for compliance with HIPAA and the HITECH Act; it merely provides for a safe harbor if a defendant Covered Entity can prove that it met the Standards when there is a breach.
Federal and state Standards, including the HIPAA Privacy Rule and the HIPAA Security Rule, inform how healthcare providers should implement methods to secure patients’ confidential medical information.
45 CFR Part 160 and Part 164, Subparts A and C provide the “Security Standards for the Protection of Electronic Protected Health Information.” This is known as the Security Rule, and it was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Meaningful Use provisions of the ARRA HITECH Act of 2009 require HIPAA Privacy and Security Safeguards including Administrative Safeguards, Physical Safeguards, Technical Safeguards, and Documented Organizational Policies and Procedures as an integral step to achieving “Meaningful Use” and therefore receiving federal stimulus dollars.
When hospitals become “meaningful users” of electronic health records, they are required to implement adequate and reasonable administrative actions, policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct and training of the covered entity’s workforce and Business Associates.
- The HIPAA Privacy Rule mandates that a patient’s personally identifiable information is considered Protected Health Information (PHI) and that it is confidential and may not be disclosed without authorization.
- Any HIPAA Covered Entity (CE) is subject to HIPAA.
- The HIPAA Rules generally require that CEs enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.
- Subcontractors that use or disclose PHI on behalf of a CE are Business Associates (BAs), and a CE should ensure that a Business Associate Agreement (BAA) is in place as required by the standard in § 164.308(b)(1).
Administrative Safeguards include Risk Analysis, Risk Management, Authorization and Supervision of the workforce, Access Authorization, Log-in Monitoring and Security Awareness and Training[i] as defined in § 164.308(a)(5). Administrative Safeguards also require Business Associate (“BA”) Contracts for any entity that creates, views, receives, maintains, or transmits protected health information.
- Security Management Process (for example, see § 164.308(a)(1) for the Standard, which requires a risk analysis, risk management, a sanction policy, and information system activity review)
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Business Associate Contracts and Other Arrangements
[i] The HIPAA Security Rule requires covered entities to implement a security awareness and training program for all members of its workforce. This includes implementing (i) periodic security updates, (ii) procedures for guarding against, detecting, and reporting malicious software, (iii) procedures for monitoring log-in attempts and reporting discrepancies, and (iv) procedures for creating, changing and safeguarding passwords. The HIPAA Security Rule requires covered entities to assess whether each of these implementations is a reasonable and appropriate safeguard and, if not, document why it would not be reasonable and appropriate to implement and implement an equivalent alternative measure if reasonable and appropriate. (See 45 CFR 164.308(a)(5).)
The HIPAA Security Rule requires covered entities to implement policies and procedures to address security incidents. This includes (i) identifying and responding to suspected or known security incidents, (ii) mitigating, to the extent practicable, harmful effects of security incidents that are known to the covered entity, and (iii) documenting security incidents and their outcomes. (See 45 CFR 164.308(a)(6).)
The HIPAA Security Rule requires covered entities to establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. This includes (i) establishing and implementing procedures to create and maintain retrievable exact copies of electronic protected health information, (ii) establishing (and implementing as needed) procedures to restore any loss of data, (iii) establishing (and implementing as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode, (iv) implementing procedures for periodic testing and revision of contingency plans, and (v) assessing the relative criticality of specific applications and data in support of other contingency plan components. The HIPAA Security Rule requires covered entities to assess whether (iv) and (v) are reasonable and appropriate safeguards and, if not, document why they would not be reasonable and appropriate to implement and implement equivalent alternative measures if reasonable and appropriate. (See 45 CFR 164.308(a)(7).)
The HIPAA Security Rule requires covered entities to perform a periodic technical and nontechnical evaluation, based initially upon the standards of the HIPAA Security Rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of the HIPAA Security Rule. (See 45 CFR 164.308(a)(8).)
Physical Safeguards are defined in § 164.310(a)(1) as “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”
- Facility access controls
- Workstation use
- Workstation security
- Device and media controls
Technical Safeguards – The HIPAA Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
- Access control
- Audit controls
- Person or entity authentication
- Transmission security
Organizational Requirements – The Business Associate Contracts and Other Arrangements standard found at § 164.308(b)(1) requires a covered entity to have contracts or other arrangements with business associates that will have access to the covered entity’s electronic protected health information (ePHI). The standard at § 164.314(a)(1) provides the specific criteria required for written contracts or other arrangements between a covered entity and its business associates.
Documentation of policies and procedures
CEs must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes. These minimum necessary policies and procedures must also reasonably limit who within the entity has access to protected health information, and under what conditions, based on job responsibilities and the nature of the business. See 45 CFR 164.502(b) and 164.514(d).
A violation of the HIPAA Privacy or Security Rule occurs in instances where unsecured PHI was acquired, used, or disclosed in a manner not permitted by the rule. Under the HITECH-HIPAA Omnibus Final Rule, published on January 25, 2013, an entity is required to presume the violation to be a breach unless one of three exceptions applies, the information has been rendered unusable, unreadable, or indecipherable, or a completed risk assessment demonstrates a low probability that the PHI has been compromised. PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through either encryption or destruction is considered to be unsecured.