HIPAA Regulatory Alert

CMS issues first of seven security guidance papers

Paper provides security rule overview

The Centers for Medicare & Medicaid Services (CMS) has issued the first in a projected series of seven papers to provide guidance for covered entities. Security 101 is an overview of the HIPAA security rule requirements and implementation and a preview of the remaining six papers.

The Security Series papers are designed to give HIPAA-covered entities insight into the security rule and assistance with implementation of the security standards, CMS said. "While there is no one approach that will guarantee successful implementation of all the security standards, this series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions."

All HIPAA-covered entities must comply with the security rule. Compliance deadlines are April 20, 2005, except for small health plans, which have until April 20, 2006.

In explaining the rationale for the security rule, CMS noted that before HIPAA, there was no generally accepted set of security standards or general requirements for protecting health information. At the same time, new technologies were evolving, and the health care industry was beginning to move away from paper processes and rely more heavily on the use of computers to pay claims, answer eligibility questions, provide health information, and conduct many other administrative and clinically based functions.

The security rule differs from the privacy rule in that the privacy rule sets standards for, among other things, who may have access to protected health information, while the security rule sets the standards for ensuring that only those who should have access to electronic protected health information actually will have access. CMS said that with the passing of deadlines for both the privacy and electronic transactions and code set standards, many covered entities now are turning their attention to the security requirements.

An "implementation specification" in the security rule is a detailed instruction for implementing a particular standard. Each set of safeguards comprises a number of standards that, in turn, generally comprise a number of implementation specifications that are either required or addressable.

For required implementation specifications, covered entities must implement policies and/or procedures that meet what the implementation specification requires. For those that are addressable, covered entities must assess whether they are reasonable and appropriate safeguards in the entity’s environment. That involves analyzing the specification in reference to the likelihood of protecting the entity’s electronic protected health information from reasonably anticipated threats and hazards. Covered entities that choose not to implement an addressable specification must document the reasons and implement an equivalent alternative measure if that measure would be reasonable and appropriate. CMS said decisions on which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including the entity’s risk analysis, security analysis, and financial analysis.

At a minimum, the process for complying with the security rule should involve assessing current security, risks, and gaps; developing an implementation plan; implementing solutions; documenting decisions; and reassessing periodically, the agency said. The security requirements were designed to be technology-neutral and scalable from the very largest of health plans to the very smallest of provider practices. CMS said covered entities will find that compliance with the security rule will require an evaluation of what security measures currently are in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of complex factors unique to each organization.

"HHS recognizes that each covered entity is unique and varies in size and resources, and that there is no totally secure system," it added. "Therefore, the security standards were designed to provide guidelines to all types of covered entities, while affording them flexibility regarding how to implement the standards. Covered entities may use appropriate security measures that enable them to reasonably implement a standard. In deciding which security measures to use, a covered entity should take into account its size, capabilities, the costs of the specific security measures, and the operational impact. For example, covered entities will be expected to balance the risks of inappropriate use or disclosure of electronic protected health information against the impact of various protective measures. This means that smaller and less sophisticated practices may not be able to implement security in the same manner and at the same cost as large, complex entities. However, cost alone is not an acceptable reason to not implement a procedure or measure."

Security standards are divided into administrative, physical, and technical safeguards. Generally, administrative safeguards are the administrative functions that should be implemented to meet security standards, including assignment or delegation of security responsibility to an individual and security training requirements. Physical safeguards are those mechanisms required to protect electronic systems and equipment and the data they hold from threats, environmental hazards, and unauthorized intrusion, including restricting access to electronic protected health information and retaining off-site computer backups. Technical safeguards primarily are the automated processes used to protect data and control access to data, including using authentication controls to verify that the person signing onto a computer is authorized to access the electronic protected health information or encrypting and decrypting data as they are being stored and/or transmitted.

Other papers in the series will cover administrative safeguards, physical safeguards, technical safeguards, organizational policies and procedures, and documentation requirements.

(For information and copies of Security Series papers, go on-line to www.cms.hhs.gov/hipaa/hipaa2.)