What is the HIPAA Security Rule and Why is it Important?
Q: What is the HIPAA Security Rule and Why is it Important?
A: The HIPAA Security Rule, contained within Title II of the Health Insurance Portability and Accountability Act, consists of comprehensive mandates for ensuring the safety and security of Protected Health Information (PHI). More specifically, according to the Department of Health and Human Services (www.hhs.gov) the HIPAA Security Rule “…establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity”.
It was a giant leap for the healthcare industry – to say the least – as the federal government put forth much needed legislation regarding the safety and security of Protected Health Information (PHI), and any subset information thereof. HIPAA is here to stay – there’s no debating that – so it’s time healthcare organizations understood important facets of the most well-known aspect of the Health Insurance Portability and Accountability Act – the HIPAA Security Rule.
What’s fundamentally important to note about the HIPAA Security Rule are the following 15 measures:
- Documentation, more specifically, HIPAA policies and procedures, are incredibly important for ensuring compliance.
- Numerous initiatives have to be developed and put in place for helping ensure compliance with the HIPAA Security Rule.
- A HIPAA Security Officer – and supporting staff – is a mandate – and a must-have – for ensuring continued compliance oversight.
- Both the HIPAA Security Rule and Privacy Rule consist of dozens of “Standards” and “Implementation Specifications” – provisions that ultimately require numerous policies and procedures to be in place for compliance.
- The concept of “addressable” versus “required” has received great attention over the years, but that’s all changed as most – if not all – Covered Entities (CE) and Business Associates (BA) now generally agree that all HIPAA Security Rule provisions should be looked upon as “required”.
- Various amendments, modifications, along with the passage of other legislative laws, have made the HIPAA Security Rule now more important than ever from a regulatory compliance perspective.
- Business Associates now have much larger roles and responsibilities when it comes to HIPAA compliance, due in large part to the Final Omnibus Ruling of January, 2013.
- Increased cyber security threats and attacks demand a concerted effort by healthcare organizations for ensuring the safety and security of Protected Health Information (PHI).
- The U.S. Department of Health and Human Services Office of Civil Rights has announced an aggressive expansion of audits against the HIPAA Security Rule for both Covered Entities (CE) and Business Associates (BA).
- Security awareness training and undertaking an annual risk assessment are two (2) very important components of the HIPAA Security Rule, but are unfortunately often overlooked by Covered Entities (CE) and Business Associates (BA).
- Heavy fines and penalties are being levied against Covered Entities (CE) and Business Associates (BA) for non-compliance with the Health Insurance Portability and Accountability Act (HIPAA).
- The HIPAA Security Rule is now an important element in regards to many of today’s compliance audits and assessments, such as the SSAE 18 SOC 1 and AT 101 SOC 2 framework, along with HITRUST compliance.
- In today’s growing world of outsourcing, monitoring all relevant third-parties for ensuring the safety and security of Protected Health Information (PHI) is now more important than ever, and also a high priority for HIPAA compliance.
- The HIPAA Security Rule is considered somewhat subjective and vague, lacking a clear set of prescriptive mandates, which can cause challenges for healthcare organizations trying to become compliant.
- HIPAA is about acronyms, and one that’s used often is HITECH, which stands for The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. It’s therefore important to understand exactly what HITECH is and why it matters.
15 Things You Need to Know about HIPAA
As for the specifics regarding the aforementioned items, let’s look at each one of them in greater detail for helping healthcare organizations gain a better understanding of the HIPAA Security Rule and other important aspects of the Health Insurance Portability and Accountability Act.
1. The Importance of HIPAA Policies and Procedures
HIPAA policies and procedures are without question one of the largest – and initially, most often overlooked – aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Both the HIPAA Security Rule and Privacy Rule contain literally dozens of mandated “standards” and “implementation specifications” requiring HIPAA specific policies, procedures, and other related processes. What’s worse, the notion of spending hundreds of hours in authoring such policy documentation results in many healthcare providers simply ignoring this mandate, which is not recommended at all, especially with growing HHS OCR audits each year.
The time and effort needed for authoring and developing one’s own set of HIPAA policies and procedures – then customizing to the organization’s exact needs – is an incredibly daunting and challenging task, and not recommended.
Learn about our industry leading HIPAA compliance toolkits today, along with our proven HIPAA compliance and consulting services.
But remember something very important – the ability to pass any number of compliance audits, ranging from an actual HIPAA examination to SOC 1 and SOC 2 audits, and other compliance mandates – is highly dependent upon having documented policies and procedures in place. Along with developing the initial set of mandated HIPAA policies and procedures, both Covered Entities (CE) and Business Associates (BA) need to ensure they’re updated on a regular basis as processes and procedures routinely change. Organizations are not static – rather – dynamically driven entities that often make immediate changes for any number of reasons, hence, critical information security documentation must reflect such changes.
The solution is actually quite simple and easy – download the industry leading HIPAA security and privacy policies and procedures today from the healthcare experts at flank.org. Getting compliant is now easier than ever, and extremely cost-effective, thanks to the professionally developed HIPAA documentation that’s available for instant download from FLANK. Please see Appendix A to view all the required HIPAA policies and procedures that need to be in place for the HIPAA Security Rule.
2. Major Initiatives to Deploy
While we just discussed the importance of HIPAA policies and procedures, remember that policies are just that – broad statements that need to be actually implemented for ensuring the procedures are undertaken by the respective organization. For example, what value is a HIPAA policy and procedures document on access control if little or no initiatives are undertaken for enforcing the policy of who can access Protected Health Information (PHI)? Not much at all, and it’s why Covered Entities (CE) and Business Associates (BA) need to be taking big steps in actually implementing all necessary initiatives for ensuring the policies and procedures are actually being followed. As for two (2) of the biggest initiatives to deploy, think risk analysis and security awareness training. Download the Cybersecurity and Information Security Awareness Training Program – HIPAA/Healthcare today.
More specifically, healthcare companies need to implement a comprehensive risk management program that results in annual risk assessments being performed, while also putting in place security awareness training for all employees and workforce members. With the many tools offered by FLANK at flank.org, these tasks just became that much easier and more manageable. Download the Risk Management & Risk Assessment Program - HIPAA/Healthcare today.
3. HIPAA Security Officer and Supporting Personnel
Compliance with HIPAA also means assigning roles and responsibilities to various personnel in accordance with the following Security Rule mandate:
HIPAA §164.308(a)(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.
Along with identifying a “security official” for various aspects of HIPAA compliance, it’s also critical to assign responsibilities to other individuals as HIPAA compliance cannot be accomplished by a single individual, no matter now competent they may be. Policies have to be developed, procedures need to be followed, processes and practices need to be undertaken – this all requires a team effort by select individuals – internal employees who clearly understand the mandates –and ramifications – of HIPAA compliance.
Most organizations already have some type of compliance division or officer(s) in place, so this should be a natural progression for such individuals. Lastly, look at the role of a “security official” as somebody with broad oversight over the entire HIPAA compliance platform for an organization, and also somebody with the authority for making necessary changes for ensuring HIPAA compliance.
4. Understanding “Standards” and “Implementation Specifications”
If you spend some time reading through both the HIPAA Security Rule and HIPAA Privacy Rule, you’ll no doubt come across the dozens of “standards” and “implementation specifications” – mandates for which both Covered Entities and Business Associates need to adhere to. What are these “mandates”, they’re broad-based initiatives calling for documented information security and operational policies, procedures, and processes to be in place for HIPAA compliance. Furthermore, becoming compliant with all of the “standards” and “implementation specifications” takes much more then wishful thinking, it requires a dedicated effort – along with industry leading HIPAA policies and procedures templates – for getting the job done.
More specifically, expect to spend considerable time authoring policies and procedures for HIPAA compliance, or simply download the industry leading toolkits and templates today from flank.org. The time and commitment involved for such an undertaking – if you don’t have the proper templates in place – is simply staggering, to say the least. Save precious man-hours by downloading our templates today and putting in place all mandated policies, procedures, and processes for HIPAA compliance.
5. The Notion of “Addressable” versus “Required” for HIPAA Security Rule Compliance
When specific provisions within the HIPAA Security Rule were first published years ago, the concept of “Addressable” versus “Required” could be found throughout the actual Security Rule language. In short, such provisions for compliance could either be “addressable” or “required”, and as naturally assumed, much more flexibility was given to items deemed “addressable”. However, fast forward into today’s hostile world of ever-growing cyber security threats and challenges, and the notion of “addressable” versus “required” has become an afterthought, and why? Simple. All the “addressable” items are now nothing more than essential security 101 best practices that everyone should be using anyway. Are you aware that the use of encryption is an “addressable” item? If you’re implementing true, comprehensive security best practices in today’s world, then you’ll most definitely meet all of the “addressable” items anyway.
6. The Final Omnibus Ruling | what it Means for Business Associates
It’s also important to note that the HIPAA Security Rule has been “enhanced” over the years in that numerous rulings and pronouncements have created more awareness and accountability for both Covered Entities and Business Associates. Probably one of the most significant of these measures was the Final Omnibus Ruling of January, 2013 which created much more transparency and visibility into the world of HIPAA compliance. With the January, 2013 pronouncement, Business Associates were to be held more accountable and liable for various HIPAA provisions, while changes were made to the overall ideology of what constitutes a breach, along with additional significant items.
The Final Omnibus Rulings were a game changer for HIPAA compliance – no question about it – as it highlighted the need (once again) for ensuring the safety and security of Protected Health Information (PHI). It effectively gave HIPAA – finally – some serious regulatory bite and enforcement, something that was truly lacking ever since the bill was signed into law by President Clinton years ago. And again, add to the fact that HHS | OCR audits are now increasing, HIPAA compliance is alive and well, and very real. It’s important to be aware of the following 8 mandates that came about as a result of the Final Omnibus Ruling of January, 2013:
- Provides patients with additional rights by allowing them to essentially request their electronic medical records in actual “electronic” form.
- Puts in place new limits and restrictions on how information can actually be used and disclosed for marketing and fundraising purposes, while also prohibiting the sale of an individuals' PHI without their permission.
- Penalties for noncompliance are now based on the inherent level of negligence, with a maximum penalty of $1.5 million per violation.
- The breach notification final rule was also amended with a stipulation to actually determine the breach's overall "risk of compromise" instead of the actual harm itself to PHI. More specifically, the notion of “comprise”, as opposed to “harm”, was considered a more objective and real-world test. Because of this change, a breach notification is therefore necessary in all situations except those in which Covered Entities (CE) and Business Associates (BA) demonstrate a low probability that Protected Health Information (PHI) has actually been compromised.
- Both Covered Entities (CE) and Business Associates (BA) must implement a comprehensive risk analysis – which is essentially an annual risk assessment process, which can be incredibly time-consuming and laborious, to say the least.
- Changes were also made regarding what "incidents" are to be considered "exceptions" to the definition of an actual "breach." It’s important to note that prior to the Final Omnibus Ruling, an incident was an exception to the definition of breach if the PHI used or disclosed a limited data set that did not contain any birthdates or ZIP codes. Now, under the final rule, breaches of limited data sets — regardless of what the content is — are to be handled like all other breaches of PHI.
- Providers and Covered Entities (CE) still have a safe harbor whereby an unauthorized disclosure only rises to the level of a breach — and triggering notification requirements via the HITECH Act — if the PHI disclosed is "unsecured." Please remember that unsecured PHI is essentially PHI that is not rendered unusable or unreadable to unauthorized individuals through the use of technology or methodology specified by the Department of Health and Human Resources (HHS). (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.htm)
- Policies and Procedures, for both Covered Entities (CE) and Business Associates (BA) have received considerable attention under the Final Omnibus Ruling in that they must now be much more comprehensive, in-depth, current, and up-to-date regarding the new HIPAA changes. This alone can be an incredibly taxing undertaking, therefore it’s important to source high-quality HIPAA policies and procedures, such as those offered by FLANK at flank.org.
7. Cyber Security Threats and PHI
The world we all live in now is quite different from just a few short years ago, much of it due largely to the changes in technology. The pen and paper in the healthcare industry has been rapidly replaced by numerous new digital initiatives, and it’s brought about great levels of efficiency and cost-savings, no question about it. Yet such measures, as good as they may be, come with huge responsibilities for ensuring the safety and security of Protected Health Information (PHI). If you look at the Security Rule mandates under HIPAA, specifically 164.308 to 164.316, you’ll quickly notice numerous information security mandates for ensuring the protection of PHI, and these were written years ago.
So fast-forward to the current cyber security climate we all live in and one can quickly see the importance HIPAA places on the broader subject of information security. Just look at the breaches that continue to make headlines – and forget about HIPAA for just a moment – credit cards are being stolen by the millions, banking and financial data is being hacked more and more – it’s unreal, and unprecedented. Thieves are coming after PHI because it’s incredibly powerful information that can be used for any number of illegal activities, and they know this.
Ever heard of the phrase “one and done”? It means that once your personal information is compromised – such as PHI or other personal information – you could be forever in danger because there’s no getting a new birth date or social security number. Being vigilant and protecting PHI is so incredibly important – no question about it – so it’s time to get serious about today’s information security threats.
8. HHS Office of Civil Rights (OCR) HIPAA Audits are Coming | Are you Ready?
The United States Department of Health and Human Services (HHS) has made no secrets about its plans for aggressively expanding annual HIPAA compliance audits on North American Covered Entities (CE) and Business Associates (BA). With data breaches of Protected Health Information (PHI) at an all-time high, the seriousness of HIPAA compliance is now front and center with everyone in the healthcare industry, and that includes the federal government!
Just imagine federal regulators showing up and canvassing through all your documentation, all because you’ve been chosen from a randomly generated process for validating compliance with the Health Insurance Portability and Accountability Act (HIPAA). Take note of the following specifics we’ve found regarding the HHS OCR audit program:
- In 2011, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) effectively established the HIPAA pilot audit program for assessing policies, procedures, processes, and internal controls by Covered Entities (CE) in regards to the safety and overall security of Protected Health Information (PHI).
- HHS OCR thus announced an aggressive growth plan in annual HIPAA audits that would also include Business Associates (BA).
9. Security Awareness Training & Risk Assessment
Two of the biggest – and most important – mandates for ensuring compliance with the HIPAA Security Rule provisions are (1) implementing a comprehensive security awareness training program, and (2) undertaking an annual risk assessment process. Both are not only vital for HIPAA compliance, but constitute best practices for today’s complex, cyber-driven world we all live in. What’s more, these requirements are major initiatives for HIPAA compliance – efforts that go well beyond simple policies and procedures – they demand that Covered Entities (CE) and Business Associates (BA) actually have comprehensive programs in place.
Think about it, what’s really one of the best – and most cost-effective – solutions for ensuring the safety and security of Protected Health Information (PHI) – its training employees on essential security issues, threats, and best practices! From easy-to-use PowerPoint presentations to low-priced video subscription models, it’s now more cost-effective than ever to obtain really good, high-quality security awareness training materials. Sure, it’s a mandate for HIPAA under the Security Rule, but it’s also a best practice that every business should be employing, regardless of regulatory compliance mandates. From a few employees to a few thousand – or more – there’s an abundance of high-quality, low-cost solutions available online for instant purchase. For smaller size organizations, simply presenting a security awareness training program via a PowerPoint presentation should be just fine, or perhaps even a training manual authored in-house. For large healthcare companies, try searching for a fee-based subscription model based on the number of employees.
Learn about our industry leading HIPAA compliance toolkits today, along with our proven HIPAA compliance and consulting services.
10. Civil Penalties
Regarding civil penalties for HIPAA non-compliance, The American Recovery and Reinvestment Act of 2009 signed into law on February 17, 2009 by President Obama effectively established a tiered civil penalty structure for HIPAA violations, consisting of the following:
Violation: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA.
Penalties: Minimum: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation). Maximum: $50,000 per violation, with an annual maximum of $1.5 million.
Violation: HIPAA violation due to reasonable cause and not due to willful neglect.
Penalties: Minimum: $1,000 per violation, with an annual maximum of $100,000 for repeat violations. Maximum: $50,000 per violation, with an annual maximum of $1.5 million.
Violation: HIPAA violation due to willful neglect but violation is corrected within the required time period.
Penalties: Minimum: $10,000 per violation, with an annual maximum of $250,000 for repeat violations. Maximum: $50,000 per violation, with an annual maximum of $1.5 million.
Violation: HIPAA violation is due to willful neglect and is not corrected.
Penalties: Minimum: $50,000 per violation, with an annual maximum of $1.5 million. Maximum: $50,000 per violation, with an annual maximum of $1.5 million.
However, it’s important to note that the U.S. Secretary of the Department of Health and Human Services (HHS) still has broad discretion and power in determining the actual penalty amount based on the nature and extent of the violation and the overall harm resulting from the violation. Furthermore, the HHS Secretary is actually prohibited from imposing civil penalties, with the exception in cases of willful neglect, if the violation is corrected within 30 days.
11. Criminal Penalties
The United States Department of Justice (DOJ) in 2005 actually clarified who specifically can be held criminally liable for purposes of HIPAA violations. In essence, Covered entities (CE), Business Associates (BA), and specified individuals and parties that "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations can face a fine of up to $50,000, and also imprisonment for up to one (1) year. More specifically, such offenses committed under false pretenses allow such penalties to be increased to a $100,000 fine, with up to five years imprisonment.
Moreover, such offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years. Let’s just say this – enormous civil fines can be imposed, along with severe criminal penalties – so becoming compliant with the Health Insurance Portability and Accountability Act is a must for both Covered Entities (CE) and Business Associates (BA), no question about it.
12. It is a World Full of Regulatory Compliance
From the Health Insurance Portability and Accountability Act (HIPAA) to Sarbanes-Oxley, Payment Card Industry Data Security Standards (PCI DSS) compliance, along with SOC 1, SOC 2, FISMA, DFARS NIST 800-171, and other notable regulations, the world is awash in regulatory compliance. What’s more, many organizations find themselves entertaining multiple compliance mandates, resulting in significant operational costs for annual compliance.
It’s therefore important to assess one’s overall control environment in terms of policies, procedures, and processes for determining overlap and similarities regarding respective compliance edicts as this can save hundreds of hours and thousands of dollars on HIPAA compliance. Many organizations undertaking multiple compliance mandates often find they have a marginal to meaningful amount of policy and procedural documentation already in place, which is highly beneficial.
Think about it, why spend critical operational man-hours needlessly developing compliance documentation if it’s already in place? The key is communicating with select personnel within your organization for establishing synergies and efficiencies regarding documentation for all such compliance mandates. Remember that policy and procedural development is often the most intensive, time-consuming, and mundane aspect of any regulatory compliance mandate, especially HIPAA.
13. Monitoring Third Parties with PHI Data is Crucial
In today’s world of business, “outsourcing” is everywhere, and the healthcare industry is no different. From processing of medical claims, mailing out of explanation of benefits (EOB), to data backups, and even providing critical network services – just to name a select few functions – Covered Entities (CE) and Business Associates (BA) are awash in outsourcing activities. It’s the way of the world, but it also means making efforts for ensuring third-party organizations are doing all they can for helping protect critical information, specifically that of Protected Health Information (PHI), if they’re in possession of such data.
The solution is rather straightforward – put in place a comprehensive, easy-to-use and implement third-party monitoring program, one that essentially does “bed checks” for all relevant outsourcing entities regarding their information security and overall operational environment in terms of policies, procedures, and internal controls. Breaches of PHI can happen, and often with third-parties providing material services to Covered Entities (CE) and Business Associates (BA).
There are a number of viable solutions to employ, such as asking for annual compliance reports, having third-parties complete relevant security questionnaires, or possibly even auditing themselves – though time-consuming and expensive – for ensuring all necessary organizational controls are in place. Download the Third-Party Due-Diligence & Vendor Management Program - HIPAA/Healthcare today.
14. The Security Rule Challenges – It’s in the Language
One of the biggest challenges – and complaints – regarding the HIPAA Security Rule, and rightfully so, is its lack of clarity or set of prescribed mandates. Sure, it provides a detailed set of mandates for various areas within the broader subject of information security, but even those mandates are considered general, vague, and open to wide interpretation by all. This has caused great debate within the HIPAA world, as the actual Security Rule Safeguards were written years ago, often leaving one’s professional judgment as to the best guess for what its true intent is in terms of implementation.
For example, topics such as encryption and monitoring of systems within the HIPAA Security Rule are considered highly generalized in terms of information security, thus leaving the door open to interpretation for what’s considered acceptable. Proponents of HIPAA say the flexibility in the language is necessary for the vastly different healthcare organization, yet critics decry it as an outdated list of security mandates. Both seem to have valid arguments.
15. Understanding the HITECH of HIPAA
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009 by President Barack Obama for purposes of promoting the adoption and meaningful use of health information technology. Additionally, subtitle D of the HITECH Act, which has gained much attention, addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through various provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
What’s really important to note about HITECH is it gave HIPAA much-needed regulatory compliance power – a dog with much more of a bite than a bark – which was not the case for many years. Add to the mix the Final Omnibus Ruling of January, 2013 – which reinforced the HITECH provisions – you now have very powerful federal legislation.
Concluding Thoughts on the HIPAA Security Rule and HIPAA Compliance
Compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 is often seen as a complex, challenging, and incredibly demanding mandate. And it can be, if looked at through the wrong lens, but with proper policy documentation and other material obtained at the front-end, HIPAA compliance becomes very attainable, and cost-effective. Both the Security Rule and Privacy Rule requirements seem incredibly daunting at first, but diligent planning and execution make the entire process completely manageable from beginning to end.
Documentation is the key ingredient for HIPAA success – policies, procedures, forms, checklists, and all the other supporting material – for which healthcare organizations can download today at flank.org. Without it, HIPAA compliance is simply not achievable, so the importance of obtaining industry leading policy templates – and other supporting materials – is absolutely vital for compliance with HIPAA. Visit flank.org to learn more about our leading HIPAA compliance toolkits, available for instant download today.
Also remember that compliance with HIPAA is a moving target – there’s no such thing as “one and done” – as Covered Entities (CE) and Business Associates (BA) have to constantly monitor, improve upon, and make changes within one’s daily operational environment for ensuring what we call “continuous compliance” at FLANK. No organization is immune to data breaches of Protected Health Information (PHI), as even the best information security and operational policies, procedures, processes, hardware and software solutions have limits.
Even with that said, it’s still vitally important for healthcare organizations to be doing all they can in today’s complex, digitally driven world for protecting PHI. Remember, compliance with HIPAA is a culture change, one that mandates numerous provisions and initiatives for ensuring the safety and security of PHI, so it all begins with a true intent on becoming HIPAA compliant.