Overview of the HIPAA Security Regulations
Summary Of The HIPAA Security Rule
On December 20, 2000, the Department of Health and Human Services ("HHS") issued regulations pursuant to the "Administrative Simplification" provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") governing the privacy of medical information. These regulations (referred to as the "Privacy Rule") provide that employer-sponsored health plans (other than self-administered plans with fewer than 50 participants), health care providers (i.e., doctors' offices, hospitals, etc.) and health care clearinghouses (collectively, "Covered Entities") must not use or disclose "Protected Health Information" without the express permission of the individual to whom the information pertains, except as otherwise explicitly permitted by the terms of the Privacy Rule or required by law. The term "Protected Health Information" is defined by the Privacy Rule to include individually identifiable information, created or received by a Covered Entity or plan sponsor, which relates to past, present or future physical or mental health conditions, the provision of health care services or payment for health care services, and which is transmitted or maintained in any form or medium. The Privacy Rule became effective on April 14, 2001 and compliance with the Privacy Rule was generally required by April 14, 2003, although "small health plans" (plans with annual receipts in premiums or claims of $5 million or less in the prior plan year) had an additional year to comply with the Privacy Rule.
Many plan sponsors believed that, after becoming compliant with the Privacy Rule, their health plan had satisfied HIPAA's "administrative simplification" provisions. However, the "administrative simplification" provisions of HIPAA also include rules relating to the security of protected health information that is transmitted by or maintained in electronic form ("E-PHI"). As required by these additional provisions of HIPAA, HHS issued additional regulations regarding the protection of E-PHI by a Covered Entity on February 20, 2003 (referred to herein as the "Security Rule"). Compliance with the Security Rule was required by April 20, 2005 (or April 20, 2006 for "small health plans").
The purpose of the Security Rule is to protect E-PHI from unauthorized access, modification and disclosure, both while the E-PHI is in the possession of a Covered Entity and while it is in transmission. However, if the Covered Entity does not maintain or transmit E-PHI (i.e., it uses protected health information only in paper form), the Security Rule does not apply to the Covered Entity. In addition, like the Privacy Rule, the Security Rule does not apply to self-administered health plans with fewer than 50 participants.
Furthermore, the Security Rule does not apply to employment records maintained by an employer in its capacity as an employer which are unrelated to the administration of the employer's health plan, even if such records contain health information in electronic form.
The Security Rule provides that Covered Entities that maintain or transmit E-PHI must maintain administrative, physical and technical safeguards to (i) ensure the confidentiality, integrity and availability of all E-PHI the Covered Entity creates, receives, maintains or transmits, (ii) protect E-PHI against reasonably anticipated threats or hazards to its security or integrity, (iii) protect against reasonably anticipated uses or disclosures of E-PHI not permitted under the Privacy Rule and (iv) ensure compliance with the Security Rule by the Covered Entity's workforce. In order to comply with these requirements, the Covered Entity must meet certain "security standards" set forth in the Security Rule. In order to meet these security standards, the Covered Entity must comply with certain specified "implementation specifications" set forth in the Security Rule, which describe in detail the steps the Covered Entity must take to ensure compliance with each security standard.
Certain security standards have no separate implementation specifications because compliance with these security standards is self-evident, such that HHS did not believe any further guidance was necessary; for those standards, the standard itself is the implementation specification. For those security standards which do include implementation specifications, each implementation specification is either "required" (i.e., it must be followed) or "addressable." For an addressable implementation specification, the Covered Entity must determine whether the implementation specification is reasonable and appropriate in its environment and, if so, implement it; if not, the Covered Entity must determine whether an alternative measure is reasonable and appropriate to comply with the security standard and implement that alternative. In some cases, the Covered Entity may determine that a particular implementation specification is not appropriate and that no action should be taken because (i) the Covered Entity already has adequate protection in place to address the issue covered by the implementation specification, (ii) the risk of a violation of the security standard to which the implementation specification relates is low, or (iii) the cost of adopting the implementation specification is prohibitive under the circumstances. In every such case, however, the Covered Entity must document its decision and the reasons for it, and HHS has made clear that cost alone is not a sufficient basis for declining to implement an addressable specification.
What Do Employers Need To Do To Comply With The Security Rule?
Once it is determined that the Security Rule applies to the Covered Entity, a "Security Rule Compliance Team" consisting of members from the HR, IT and legal departments should be formed to address the requirements of the Security Rule, and a "Security Officer" (whose appointment the Security Rule requires) should be designated to manage and oversee the efforts of the Security Rule Compliance Team. The Security Rule Compliance Team (which should also include the Security Officer) should then perform an assessment of the risks to the confidentiality, integrity and availability of the E-PHI maintained by the Covered Entity and decide how (and in some cases whether) to implement additional administrative, physical and technical safeguards in light of the security risks identified in the assessment. This risk analysis is itself a required implementation specification under the Security Rule. The provisions of the Security Rule which set out the security standards and implementation specifications outline the process for performing this risk assessment and provide guidance for applying the safeguards to the risks identified in the assessment (download Exhibit A below). In conducting the risk assessment under the Security Rule, the Security Rule Compliance Team should document its analysis of each security standard and the merits of complying with each implementation specification, since the Security Rule requires that these determinations be kept in writing.
After concluding this risk assessment process, the Security Rule Compliance Team should implement its findings by developing written policies and procedures, based on the implementation specifications (or the alternatives agreed upon in the risk assessment process), which will ensure compliance with the Security Rule as it relates to the E-PHI maintained and transmitted by the Covered Entity. In addition, the Security Rule Compliance Team should develop written policies and procedures for identifying, responding to and documenting security incidents involving E-PHI, and for applying sanctions to members of the Covered Entity's workforce who violate the security policies and procedures. The Security Rule Compliance Team should also ensure that members of the Covered Entity's workforce receive training on the policies and procedures relating to E-PHI when they are implemented and again as such policies and procedures are modified from time to time.
In the case of self-administered health plans, or in other situations where the plan sponsor will receive E-PHI in connection with plan administration functions, the plan documents will also have to be amended to include provisions which require the plan sponsor to safeguard, in accordance with the Security Rule, the E-PHI which is received, maintained or transmitted by the plan sponsor on behalf of the plan. In addition, the Security Rule requires that agreements with third party service providers to the plan ("Business Associates") be amended to require the Business Associates to safeguard, in accordance with the Security Rule, the E-PHI relating to the plan or its participants which is delivered to or transmitted by the Business Associates in the course of performing their duties on behalf of the plan.
The penalties for failing to comply with the Security Rule are the same as for the Privacy Rule. A Covered Entity which fails to comply with the Security Rule is subject to a civil monetary penalty of $100 per violation, up to $25,000 per calendar year for violations of the same requirement. In addition, criminal penalties of up to ten (10) years in prison and fines of up to $250,000 may apply to violations of the Security Rule which are committed with the intent to sell the information, for commercial advantage or personal gain, or to cause "malicious harm." The Centers for Medicare & Medicaid Services ("CMS"), a component of HHS, is responsible for enforcing the Security Rule. Although guidance issued by CMS makes it clear that enforcement of the Security Rule will be complaint-driven rather than based on random audits of Covered Entities, health plan sponsors should immediately take all necessary steps to comply with the requirements of the Security Rule, since a single complaint by a plan participant is enough to trigger an investigation and potential liability under the Security Rule.
If you have any questions regarding the Security Rule, please contact a member of our firm's Employment Practice Group.
This communication is provided as a general informational service to clients and friends of Pedersen & Houpt. It should not be construed as and does not constitute legal advice on any specific matter, nor does this message create an attorney-client relationship. This material may be considered Attorney Advertising in some states. Please note that any prior results discussed in this material do not guarantee similar outcomes.
© 2006 Pedersen & Houpt, all rights reserved.