Module 08 Written Assignment: Health Information Security Threats

Choose one of the types of security threats to health information you have reviewed in your work in this module and find an example from the real world where that type of threat has resulted in a security breach. In a three-page paper, using APA format, summarize the type of threat, the breach that occurred, and what you would recommend as part of a Security Plan to have prevented, detected, and mitigated that breach.

Types of Security Threats

  • Human
  • Natural
  • Environmental
  • Both human and natural/environmental threats can also be categorized as:
    • Internal threats
    • External threats

HIPAA Security Rule

In order to participate in functions of healthcare organizations relating to the Health Insurance Portability and Accountability Act (HIPAA), HIM professionals must have an understanding of the HIPAA Security Rule, in addition to their usually more in-depth involvement with the HIPAA Privacy Rule. The final Security Rule was published in the Federal Register on February 20, 2003. Covered entities (CEs) were expected to be in compliance with the rule by April 20, 2005, while the compliance date for small health plans was April 20, 2006. A CE is any entity (organization, facility, agency, etc.) that transmits or stores electronic protected health information (ePHI). The standards of the HIPAA Security Rule cover administrative, physical, and technical safeguards. Following from these standards, one needs to understand how organizations can meet the standards' requirements and expectations related to policies, procedures, and documentation. Components of an organizational plan for compliance with the Security Rule include the security mechanisms that can be employed to facilitate compliance with the rule, such as data and system security mechanisms, as well as means to assess internal and external security threats, protect against those threats, and plan for disasters.

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of computers to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions. For example, in order to provide more efficient access to critical health information, some covered entities are using web-based applications and other “portals” that give physicians, nurses, medical staff as well as administrative employees more access to electronic health information. Providers are also using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies creates an increase in potential security risks.

As the country moves towards its goal of a National Health Information Infrastructure (NHII) and greater use of electronic health records, protecting the confidentiality, integrity, and availability of ePHI becomes even more critical. The security standards in HIPAA were developed for two primary purposes. First, and foremost, the implementation of appropriate security safeguards protects certain electronic health care information that may be at risk. Second, protecting an individual’s health information, while permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry – an important goal of HIPAA.

Additional Resources

“Managing the Integrity of Patient Identity in Health Information Exchange”

Personal Health Record (PHR) Model Privacy Notice

U.S. Department of Health & Human Services on case examples and resolutions of issues of compliance with the HIPAA Privacy and Security Rules

The following PowerPoint presentations will guide your note taking as you explore the key concepts related to the HIPAA Security Rule.

Fundamentals of Laws for HI and IM, Chapter 10

The HIPAA Security Rule

Rebecca B. Reynolds, EdD, MHA, RHIA, CHPS, FAHIMA; Melanie S. Brodnik, PhD, RHIA, FAHIMA

Learning Objectives

  • Describe the purposes of the HIPAA Security Rule
  • Summarize the components of the Security Rule
  • Recognize security components for risk management

Key Terms

The Health Insurance Portability and Accountability Act (HIPAA), signed into law April 21, 1996, requires the use of standards for electronic transactions containing healthcare data and information as a way to improve the efficiency and effectiveness of the healthcare system. Title II of the law was designed to protect not only the privacy of healthcare data and information but also the security of the data and information. Security refers to protecting information from loss, unauthorized access, or misuse, and also keeping it confidential. This chapter introduces the HIPAA Security Rule, which closely aligns with the Privacy Rule. Although the rules complement each other, the Privacy Rule governs the privacy of protected health information (PHI) regardless of the medium in which the information resides, whereas the Security Rule governs PHI that is transmitted by or maintained in some form of electronic media (that is, electronic protected health information, or ePHI). ePHI is all “individually identifiable health information: held or transmitted by a covered entity (CE) or business associate (BA), in any form or media, whether electronic, paper, or oral” (HHS 2014). The Privacy Rule calls this information “PHI”. The chapter begins with a discussion of the purposes of the rule, its source of law, scope, and to whom the law applies. The chapter suggests a process for complying with the rule and outlines the five key components of the rule. Where appropriate, the chapter also discusses changes to the Security Rule as a result of the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act was passed to promote the adoption and meaningful use of health information technology. Subtitle D addresses privacy and security and strengthens the civil and criminal enforcement of the HIPAA rules. It concludes with a discussion of the role of a security officer, how the rule is enforced, and the penalties for noncompliance with the rule.

Purposes of the HIPAA Security Rule

The security standards in HIPAA were developed for two primary purposes: to implement appropriate security safeguards and protect electronic healthcare information that may be at risk, and to protect an individual’s health information while permitting appropriate access and use of that information. The standards ultimately promote the use of electronic health information in the industry, which is an important goal of HIPAA (HHS 2007a). The HIPAA Security Rule requires covered entities (CEs) to ensure the integrity and confidentiality of information, to protect against any reasonably anticipated threats or risks to the security and integrity of information, and to protect against unauthorized uses or disclosures of information. As a reminder, CEs are the individuals and organizations that must comply with HIPAA, as discussed later in the section, Applicability. The Security Rule defines integrity as data or information that has not been altered or destroyed in an unauthorized manner, and it defines confidentiality as data or information that is not made available or disclosed to unauthorized persons or processes (45 CFR 164.304). Ultimately, the Security Rule seeks to ensure that CEs implement basic safeguards to protect ePHI from unauthorized access, alteration, deletion, and transmission, while also ensuring that data or information is accessible and usable on demand by authorized individuals.

Source of Law

As discussed in chapter 10, HIPAA (of which security is only one piece) was enacted by Congress in 1996 and became federal statutory law. The Department of Health and Human Services (HHS) published the final Security Rule in the Federal Register, Health Insurance Reform, Security Standards, Final Rule (45 CFR Parts 160, 162, 164(a), and 164(c)) on February 20, 2003 (HHS 2003). The rule established security standards to protect ePHI. CEs were expected to be in compliance with the rule by April 20, 2005, and small health plans by April 20, 2006. Changes to the HIPAA Privacy and Security Rules were passed in February 2009 as part of the HITECH Act of the ARRA Act of 2009 (ARRA 2009). The HITECH Act was designed to promote widespread adoption of electronic health records (EHRs) and electronic health information exchanges (HIEs) to improve patient care and reduce healthcare costs. To achieve these goals, HITECH identified requirements to strengthen the privacy and security protections under HIPAA to ensure patients and healthcare providers that their electronic health information is kept private and secure. In July 2010 and May 2011, HHS published proposed rules to implement some of the HITECH provisions and modify other HIPAA requirements (HHS 2010a). The 2010 proposed rule went into effect with publication of the January 2013 final rule titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.” The 2011 proposed rule is still pending (AHIMA 2013a).

Until 2009, the Centers for Medicare and Medicaid Services (CMS) was responsible for oversight and enforcement of the Security Rule, whereas the Office for Civil Rights (OCR) within HHS oversaw and enforced the Privacy Rule. In the latter half of 2009, authority for oversight and enforcement of the HIPAA Privacy and Security Rules was consolidated under the OCR (HHS 2009a). CMS continues to have authority for enforcement of administrative simplification regulations other than privacy and security (preventing healthcare fraud and abuse, and medical liability reform).


Scope and Anatomy of the Security Rule

HIPAA consists of five titles. The Security Rule is one of five administrative simplification provisions in the law (privacy, security, transaction code sets, unique national provider identifiers, and enforcement). The scope of the Security Rule is to protect individually identifiable health information that is transmitted by or maintained in any form of electronic media. The Security Rule defines electronic media to mean electronic storage media including memory devices in computer hard drives and any removable or transportable digital memory medium, such as magnetic-type storage or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media, such as the intranet, extranet, leased lines, dial-up lines, private networks, and physical, removable, transportable electronic storage media (45 CFR 160.103).

Congress published the first set of security standards for public comment in 1998. At that time, many of the public comments concluded that the rules were too prescriptive and not flexible enough. As a result, the final rule includes standards defined in general terms, focusing on what should be done rather than how it should be done. Efforts were made to make the rule technology neutral (this means that specific technologies are not prescribed in the rules which allows the use of the latest and appropriate technology) and flexible so that CEs could choose the security measures that best meet their technological capabilities and operational needs to comply with the standards. The flexibility and scalability (the concept that based on the size of the CE, the threshold of compliance varies) of the standards make it possible for any CE, regardless of size, to comply with the Rule.

The Security Rule comprises five general rules and a number of standards (see figure 12.1), all of which will be discussed later in the chapter:

  1. General requirements
  2. Flexibility of approach
  3. Standards related to administrative, physical, and technical safeguards; organizational requirements; and policies, procedures, and documentation requirements
  4. Implementation specifications
  5. Maintenance of security measures

History and Comparison with Existing Laws

Until HIPAA was enacted, there were no generally accepted security standards for protecting health information. There were, however, a number of state and federal initiatives that addressed privacy, as discussed in chapter 10. With increased reliance on the use of information technology to electronically capture, store, retrieve, transmit, and exchange health information, Congress recognized the need for national security standards, resulting in the HIPAA Security Rule. The Privacy and Security Rules work in tandem to protect health information. The Privacy Rule set standards for how PHI should be controlled by establishing uses and disclosures that are authorized or required and what rights patients have in regard to their health information.

The Security Rule was written to protect ePHI and to guide how electronic health information can be accessed appropriately. There are two primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule:

  • Electronic versus paper versus oral: The Privacy Rule applies to all forms of PHI, whether electronic, written, or oral. In contrast, the narrower Security Rule covers only PHI that is in electronic form. It does not cover paper or verbal PHI.
  • “Safeguard” requirement in Privacy Rule: The Privacy Rule contains provisions that require CEs to adopt administrative, physical, and technical safeguards for PHI. Although Security Rule compliance was required in 2005 at the earliest, actions taken by CEs to implement the Privacy Rule may have addressed some security requirements. However, the Security Rule provides far more comprehensive and detailed security requirements (HHS 2007a, 4).

Figure 12.1 HIPAA title II administrative simplification—Security Rule

(Figure image not reproduced.)

Source: Adapted from Scholl et al. 2008.

For example, to address the growing concern for the use of devices and tools that enable access to or use of ePHI outside the CE’s physical purview, HHS issued a HIPAA Security Guidance report on remote access (HHS 2006a). The report lists risks of off-site use or access and possible risk management strategies for identified risks. It also contains potential security strategies for conducting business activities through 1. portable media/devices (such as USB flash drives) that store ePHI; and 2. off-site access or transport of ePHI via laptops, mobile devices, home computers, and other personal equipment. The report also encourages rigor in policy and procedure development for off-site use or access to ePHI (HHS 2006a).

Applicability

The Security Rule applies to individuals or organizations identified as CEs and, with the recent enactment of the HITECH provisions, business associates (BAs) and the subcontractors of BAs. The Security Rule applies to the following covered entities (CEs):

  • Covered healthcare providers: Any provider of medical or other healthcare services or supplies that transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard
  • Health plans: Any individual or group plan that provides or pays the cost of healthcare (for example, a health insurance issuer or Medicare and Medicaid programs)
  • Healthcare clearinghouses: Public or private entities that process another entity’s healthcare transactions from a standard format to a nonstandard format or vice versa

HITECH holds BAs to the same standards as CEs in regard to protection of health information. BAs are identified as such by the types of functions they carry out, not by contract only.

These changes are a result of HITECH, which requires BAs to comply with the Security Rule provisions mandating administrative, physical, and technical safeguards, in addition to adherence to the terms of their BA agreements. They must also adhere to Privacy Rule requirements, which were discussed in chapter 10. The definition of a BA has been revised to include subcontractors of BAs, who must also follow the Security Rule or be held liable for violations. BAs must execute BA agreements with their subcontractors as well (HHS 2010a). In addition, the definition of a BA has been expanded to include entities that manage the exchange of PHI through networks, including patient locator services, e-prescribing gateways, others that provide data transmission services of PHI to a CE and require routine access to such information, and vendors that contract with CEs to offer personal health records to patients as part of the CEs’ EHRs (HHS 2010a). Thus, the Security Rule now applies to a broader range of individuals and organizations (CEs, BAs, and BA subcontractors) in an effort to further protect the privacy and confidentiality of ePHI.

Ensuring Security Compliance

Security is not a one-time project but an ongoing process that requires constant analysis as the business practices of the CE and BA change, technologies advance, and new systems are implemented.

HHS has a seven-step guide to implementing a security management process:

  1. Lead your culture, select your team and learn
  2. Document your processes, findings and actions
  3. Review existing security of ePHI (Perform Security Risk Analysis)
  4. Develop an action plan
  5. Manage and mitigate risks
  6. Attest for Meaningful Use security-related objectives
  7. Monitor, audit and update security on an ongoing basis (ONC 2015).

CEs and BAs must decide which security measures to implement, using a risk analysis to determine circumstances that leave them open to unauthorized access and disclosure of ePHI. An ongoing security analysis will assess what security measures are already in place and what measures are still necessary. Compliance with the Privacy and Security Rules should be included in the organization’s compliance assurance and information governance plans and program. More information about corporate compliance programs is included in chapter 17.


Figure 12.2 Five security components for risk management

Administrative Safeguards
  Examples of vulnerabilities:
    • No security officer is designated.
    • Workforce is not trained or is unaware of privacy and security issues.
    • Periodic security assessment and reassessment are not performed.
  Examples of security mitigation strategies:
    • Security officer is designated and publicized.
    • Workforce training begins at hire and is conducted on a regular and frequent basis.
    • Security risk analysis is performed periodically and when a change occurs in the practice or the technology.

Physical Safeguards
  Examples of vulnerabilities:
    • Facility has insufficient locks and other barriers to patient data access.
    • Computer equipment is easily accessible by the public.
    • Portable devices are not tracked or not locked up when not in use.
  Examples of security mitigation strategies:
    • Building alarm systems are installed.
    • Offices are locked.
    • Screens are shielded from secondary viewers.

Technical Safeguards
  Examples of vulnerabilities:
    • Poor controls allow inappropriate access to EHR.
    • Audit logs are not used enough to monitor users and other EHR activities.
    • No measures are in place to keep electronic patient data from improper changes.
    • No contingency plan exists.
    • Electronic exchanges of patient information are not encrypted or otherwise secured.
  Examples of security mitigation strategies:
    • Secure user IDs, passwords, and appropriate role-based access are used.
    • Routine audits of access and changes to EHR are conducted.
    • Anti-hacking and anti-malware software is installed.
    • Contingency plans and data backup plans are in place.
    • Data is encrypted.

Organizational Standards
  Examples of vulnerabilities:
    • No breach notification and associated policies exist.
    • Business associate (BA) agreements have not been updated in several years.
  Examples of security mitigation strategies:
    • Regular reviews of agreements are conducted and updates made accordingly.

Policies and Procedures
  Examples of vulnerabilities:
    • Generic written policies and procedures to ensure HIPAA security compliance were purchased but not followed.
    • The manager performs ad hoc security measures.
  Examples of security mitigation strategies:
    • Written policies and procedures are implemented and staff is trained.
    • Security team conducts monthly review of user activities.
    • Routine updates are made to document security measures.

Source: ONC 2015.

A CE or BA should also conduct a financial analysis to determine the cost of compliance, because implementing the Security Rule may be a challenge for a CE and especially for a BA who is new to the rule. Figure 12.2 provides five security components for risk management. In addition, in 2003 the Centers for Medicare and Medicaid Services (CMS) published a series of educational documents called the HIPAA Information Series to assist with the implementation of HIPAA requirements (CMS 2003). Addi