Ultimate Guide to the HIPAA Security Rule
The HIPAA Security Rule protects a subset of information covered by the HIPAA Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (ePHI). The Security Rule does not apply to PHI transmitted orally or in writing.
The HIPAA Security Rule is based on the Confidentiality, Integrity, and Availability (CIA) of the systems and data that host ePHI. Equilibrium helps our clients become HIPAA compliant through risk assessments, risk treatment and risk management. We also leverage a thorough set of standards and controls based on ISO 27001 in addition to the HIPAA guidelines. We focus on helping companies become secure and not just compliant. It is typical for internal management and external auditors to disagree on what makes a company compliant, and we can help provide clarity through our proven methodology.
Organizations must adhere to the Security Rule's standards and specifications for backing up and safekeeping electronic data among other HIPAA controls. Covered Entities also need to institute a contingency plan to be prepared for an emergency, such as a natural disaster or computer virus attack that results in a major data loss. These are just two examples of the various security controls to reduce risk within HIPAA.
Reasonable and Appropriate
The term "reasonable and appropriate" security comes up often in the HIPAA security rule. This is vague and healthcare organizations often need help interpreting this phrase. Our risk assessments define the "reasonable and appropriate" safeguards.
The Security Rule applies to payers (insurers), providers and business associates equally. This includes organizations that have been contracted by a provider or payer and would have access to ePHI. If you receive ePHI from a payer, provider or their business associate, you must sign a BAA (Business Associate Agreement). Contractors can be audited the same as the first parties. All parties mentioned are subject to oversight by the Department of Health and Human Services. Most of this clarity came along with the HIPAA Omnibus rule in 2013.
With the Omnibus rule, contractors can now be directly regulated by the Department of Health and Human Services. Previously, the regulation was accomplished through the first-party payer or provider.
There was also an important HIPAA Breach Rule update. If there is an unauthorized disclosure of information, it is assumed to be a breach unless the covered entity or business associate shows there is a low probability that the PHI has been compromised. This probability is based on a risk assessment and a few other factors.
HIPAA Risk Assessment Factors
If an organization suspects there is a breach of ePHI, they need to perform a risk assessment surrounding the breach. Then, they must make a statement to determine if it’s reasonable to suspect a breach actually occurred. The risk assessment is built around four key factors. These factors include:
1. The general extent of the breach
2. The consideration of the source of the breach
3. If the breach resulted in an actual acquisition or viewing of PHI
4. The extent and effectiveness of mitigation tactics.
This is all part of the organization's incident response process. The starting assumption is that there was a breach, unless you can prove otherwise.
For example, if an encrypted laptop or an encrypted backup tape or disk containing ePHI was stolen, the organization must assess whether the ePHI can actually be viewed. If the encryption systems are set up properly, there may be a low probability of an actual breach.
3 Groups of HIPAA Controls
The HIPAA security rule is broken down into 3 groups of controls: Administrative, Physical and Technical. The controls in each category are labeled as "required" or "addressable". If a control is marked as "required", it is mandatory. If it is marked as "addressable", it was included to provide organizations with additional flexibility according to their risk assessment.
The specifications boil down to 3 key points of direction: conduct a risk assessment, implement security measures, and review and modify as needed. These concepts are at the core of other privacy and security frameworks as well. This falls in line with Equilibrium's risk management approach.
HIPAA Risk Assessment
When you start a risk assessment, your liabilities will be high. Simply knowing your weak points and having a plan will reduce your liabilities with HIPAA significantly. As you perform more risk management and implement additional security controls, your liabilities will go down. The goal is to bring your level of liabilities to a "reasonable and appropriate" level which allows you to achieve HIPAA compliance. Reducing your risk beyond this level is up to executive management's direction and the vision of the organization.
The reason why many organizations turn to consultants for help with HIPAA is that regulations from the Department of Health and Human Services are 172 pages of dense and bureaucratic material. It is difficult to digest and understand in context, let alone come up with a plan. Each required or addressable point is vague and open to interpretation. This goes back to the need for a risk assessment with guidance from a seasoned expert.
Inexperienced organizations may work on a gap assessment instead of a risk assessment. The problem with the gap assessment is that the gaps found may be measured against the best-of-breed technology solutions on the market with the most advanced features. It doesn't allow for an assessment of risk. As a result, the gap assessment produces unreasonable findings when the goal is the balance that HIPAA compliance requires.
A risk register is an analytical risk management tool commonly used in risk management and regulatory compliance, including HIPAA. It acts as a central repository for all risks identified by the organization and, for each risk, includes information such as source, nature, treatment option, existing counter-measures, recommended counter-measures, etc. The use of this tool is not limited to HIPAA; it can also be used for ISO, PCI DSS, etc. During a risk assessment, Equilibrium reviews your information assets and works with you to assess the risk of each. This depends on the controls you are asked to implement.
The first step of a risk assessment and toward HIPAA compliance is to analyze your assets and review what controls are implemented surrounding them. These will most likely be the required controls as well as the addressable controls according to HIPAA. After laying out the assets, existing controls and vulnerabilities, most traditional gap assessments stop. A risk assessment takes this review a few steps further. It also includes an analysis of the potential threats that really matter.
Impact x Likelihood = Risk
Then the likelihood and impact are assessed. In order to analyze impact, you must first understand the mission of your organization. This will allow you to determine how much to invest in a safeguard to protect certain assets. This type of review helps to define the "reasonable and appropriate" measures for each organization in order to define compliance with HIPAA.
Equilibrium helps to quantify the risk assessment process so it is defendable if there is a HIPAA audit or a breach of ePHI. We assess the risk level by multiplying the quantitative values of Impact x Likelihood. Each organization must define an acceptable level of risk which is an actual number. You must then begin to investigate risk treatments to bring the high scores down to an acceptable level in HIPAA’s view.
Remember, a risk assessment is not a gap assessment. A gap assessment does not include a discussion of the mission of the organization. Also, the gap is often determined by a third-party assessor, which does not fit the goals of HIPAA. Risk assessments also are not about what stresses out the security staff or about predicting the future. Instead, risk assessments are a quantitative review of the environment focused on reasonable and appropriate risk reduction measures.
The risk assessment process, along with the risk register, also helps to reduce the cost of security measures. There are creative ways to minimize cost while also reducing risk to an acceptable level. This requires the input of IT security experts who understand the landscape of security technologies as well as the details of HIPAA.
The Value of Knowing
The value of knowing and visibility is key with HIPAA. The more neglectful an organization, the higher the fines in the event of a breach. Per penalty or occurrence, the documented fees range from $100 to $50,000. If the violation was due to willful neglect without timely correction, the fees would be $50,000 per incident. The penalties are lowered if the threat and vulnerability were unforeseen. The less you know, the higher your penalties are.
The “American Recovery and Reinvestment Act of 2009”(ARRA) that was signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations (see below). The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.
HIPAA Breach Penalties
| HIPAA Violation | Minimum Penalty | Maximum Penalty |
| --- | --- | --- |
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |
As part of your risk management program, your risk management committee should meet on a regular basis, such as quarterly. At each meeting, your team should assess whether the risk levels are dropping compared to the original risk assessment and risk register spreadsheet. This allows your team to incrementally manage risk, reduce the probability and impact of a breach, and reduce the potential for fines if a breach were to occur. Your highest liability is the information you don't know. This area will diminish through your risk management program. From there, you can work on the high-risk areas.
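The risk register, the Impact x Likelihood scoring and the quarterly review described above can be captured in a small tool. The following Python is an added example, not Equilibrium's methodology or any real assessment: it assumes 1..5 ordinal scales for impact and likelihood, a hypothetical acceptable-risk number of 6, and a constructed sample register. It scores each entry, lists what sits above the acceptable level, applies chosen treatments (for instance, encryption lowering the likelihood that a stolen device actually exposes ePHI, as in the laptop example earlier) and compares the next quarter's register against the original assessment.

```python
"""Minimal risk register: Impact x Likelihood scoring, an acceptable-risk
threshold, treatment tracking and quarter-over-quarter review.
All entries, scales and thresholds below are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

SCALE_MIN, SCALE_MAX = 1, 5   # assumed ordinal scales for both factors
ACCEPTABLE_RISK = 6           # hypothetical threshold; each organization defines its own number


@dataclass(frozen=True)
class Risk:
    asset: str                      # information asset that holds ePHI
    threat: str                     # source / nature of the threat
    impact: int                     # 1 negligible .. 5 mission-critical (from the mission review)
    likelihood: int                 # 1 rare .. 5 expected, given the existing controls
    controls: Tuple[str, ...] = ()  # existing counter-measures
    treatment: str = ""             # recommended counter-measure, once chosen

    def __post_init__(self) -> None:
        # Reject out-of-scale values so scores stay comparable across the register.
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be in {SCALE_MIN}..{SCALE_MAX}, got {value}")

    @property
    def key(self) -> Tuple[str, str]:
        return (self.asset, self.threat)

    def score(self) -> int:
        return self.impact * self.likelihood   # Impact x Likelihood = Risk


Register = Dict[Tuple[str, str], Risk]


def build_register(risks: List[Risk]) -> Register:
    register: Register = {}
    for r in risks:
        if r.key in register:
            raise ValueError(f"duplicate register entry {r.key}")
        register[r.key] = r
    return register


def above_threshold(register: Register, threshold: int = ACCEPTABLE_RISK) -> List[Risk]:
    """Entries whose score exceeds the acceptable level, highest score first."""
    return sorted((r for r in register.values() if r.score() > threshold),
                  key=lambda r: r.score(), reverse=True)


def treat(register: Register, key: Tuple[str, str], treatment: str, *,
          impact: Optional[int] = None, likelihood: Optional[int] = None) -> Register:
    """Return a new register in which one entry has a treatment recorded and is re-scored."""
    old = register[key]
    new = replace(old, treatment=treatment, controls=old.controls + (treatment,),
                  impact=old.impact if impact is None else impact,
                  likelihood=old.likelihood if likelihood is None else likelihood)
    updated = dict(register)
    updated[key] = new
    return updated


def total_score(register: Register) -> int:
    return sum(r.score() for r in register.values())


def quarterly_review(baseline: Register, current: Register,
                     threshold: int = ACCEPTABLE_RISK) -> dict:
    """Compare the current register against the original assessment, entry by entry."""
    deltas = {key: (baseline[key].score() if key in baseline else None, now.score())
              for key, now in current.items()}
    return {"total_before": total_score(baseline), "total_after": total_score(current),
            "open_before": len(above_threshold(baseline, threshold)),
            "open_after": len(above_threshold(current, threshold)),
            "deltas": deltas}


# Constructed sample assessment (illustrative values only).
BASELINE = build_register([
    Risk("clinician laptops", "theft of device holding ePHI", impact=5, likelihood=4,
         controls=("password login",)),
    Risk("backup tapes", "loss in transit to offsite storage", impact=5, likelihood=3),
    Risk("EHR server", "ransomware outage", impact=4, likelihood=3, controls=("antivirus",)),
    Risk("front-desk workstation", "screen visible to visitors", impact=2, likelihood=3,
         controls=("privacy screen",)),
])


def treated_register() -> Register:
    """The next quarter's register after the chosen treatments. Encryption leaves a stolen
    device unreadable, so the likelihood of actual ePHI exposure drops rather than the impact."""
    reg = treat(BASELINE, ("clinician laptops", "theft of device holding ePHI"),
                "full-disk encryption with managed keys", likelihood=1)
    reg = treat(reg, ("backup tapes", "loss in transit to offsite storage"),
                "encrypted backups", likelihood=1)
    reg = treat(reg, ("EHR server", "ransomware outage"),
                "offline backups with tested restore", impact=2, likelihood=2)
    return reg


if __name__ == "__main__":
    review = quarterly_review(BASELINE, treated_register())
    for (asset, _threat), (before, after) in review["deltas"].items():
        print(f"{asset:<24} {before:>3} -> {after:>3}")
    print("total", review["total_before"], "->", review["total_after"],
          "| above threshold", review["open_before"], "->", review["open_after"])
```

The threshold is deliberately a plain number rather than a label, matching the point that the acceptable level of risk has to be an actual figure the organization commits to; entries that remain above it after treatment are the agenda for the next committee meeting.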
Key HIPAA Statistics
Over 61,000 HIPAA breaches were reported to OCR from September 2009 to May 2012.
One study described the effects of HIPAA breaches as diminishing productivity by 81%, diminishing brand and/or reputation by 78%, and a loss of patient goodwill of 75%.
To help protect yourself and your business from HIPAA breaches you must be knowledgeable about the HIPAA Requirements.
More than 700,000 hospitals, emergency medical clinics, dental offices, nursing homes and other health-related entities are required by law to have a specialized IT risk assessment performed to satisfy the requirements of HIPAA.
So, too, are an estimated 2 million other companies that do business with these entities, including IT service providers, shredding companies, documents storage companies, attorneys, accountants, collections agencies, and many others. Many of these companies and organizations are not even aware of this legal requirement.
Leon Rodriguez, former director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, was responsible for enforcing HIPAA and HITECH. When asked where organizations suffer the most audit failures, Rodriguez pointed to the “failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis.”
Equilibrium can help your organization gain visibility into your risks and start a risk management program to reduce risk to a reasonable threshold. Our team includes experts in governance and experts in information security technology.
Would you like to learn more about HIPAA Compliance? Let's Talk.
Author: Todd Bey
Equilibrium IT Solutions, Inc.