Navigating the Regulatory Environment for Doctors Part 5 – HIPAA Security and Breach Notification
In our last post we started our discussion of HIPAA, the federal law governing patient privacy, with a look at HIPAA’s Privacy Rule. HIPAA is intended to impose nationwide standards on doctors in protecting patient privacy and pre-empts, or supersedes, any conflicting state laws. Therefore, Arizona’s patient privacy laws largely defer to federal law on the issue.[1]
Now that we have examined the scope of the Privacy Rule, this post will look at how doctors are supposed to protect patient information by examining HIPAA’s Security Rule and Breach Notification Rule. Our final post in this series will look at the enforcement mechanisms in HIPAA and the potential penalties for failing to comply with its requirements.
The Security Rule
The Security Rule addresses the protections and safeguards you must implement to protect your electronically-stored patient information. The rule mandates that health care providers must maintain reasonable and appropriate administrative, technical, and physical safeguards to protect patient health information, particularly in electronic format (“e-PHI”). In general, the Security Rule requires that every covered entity must:
- Ensure the confidentiality, integrity, and availability of all e-PHI it creates, receives, maintains or transmits;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by its workforce.[2]
These requirements are ongoing, and health care providers must continue to review and modify their safeguards as the risk environment changes and evolves.[3]
Risk Assessment
The process begins with a risk analysis to evaluate the vulnerability and security needs for your e-PHI. In this mandatory assessment you are required to assess the likelihood and impact of potential risks to your e-PHI.[4] The factors you must consider include:
- The size, complexity, and capabilities of your practice;
- Its technical, hardware, and software infrastructure;
- The costs of security measures; and,
- The likelihood and possible impact of potential risks to e-PHI.[5]
Implementation
Using your risk analysis as a guide, you are required implement appropriate safeguards for your practice and document the security measures you adopt.[6] There are three specific categories of safeguards, and your practice must meet the Security Rule’s standards in each category: (1) Administrative Safeguards, (2) Physical Safeguards, and (3) Technical Safeguards.
Administrative Safeguards are the workplace policies and procedures designed to protect the integrity of your e-PHI. Specifically, you must designate a security official tasked with developing and implementing workplace security measures and you must limit employees’ access e-PHI to the minimum necessary to accomplish their duties and institute training regarding e-PHI policies and procedures for all employees.[7]
Physical Safeguards, as the term suggests, are the physical barriers that must be implemented to protect e-PHI. The Security Rule requires that you limit physical access to your facilities while also ensuring that authorized access is permitted, and that you institute policies and procedures related to the proper use of and access to workstations and electronic media.[8]
Technical Safeguards are the electronic and digital security measures that must be implemented to preserve the integrity of your e-PHI. The Security Rule mandates that you must implement technical controls in four areas: access, auditing, data integrity and transmission security.[9]
Required and Addressable Standards
Health care providers are required to comply with every standard set forth by the Security Rule. Within each standard, implementation specifications are separated into those that are “addressable” and those that are “required.” As the term suggests, the required specifications are mandatory. However, the addressable specifications are not optional – the term simply means that if the addressable specification is not appropriate for your practice, you are permitted to adopt a reasonable and appropriate alternative that achieves the same purpose.[10]
The Breach Notification Rule
The Breach Notification Rule[11] is a logical extension of the Security Rule. As the name suggests, this rule requires covered entities to provide notification to persons and patients whose PHI is compromised as a result of a breach. HIPAA mandates that an impermissible use or disclosure of PHI under the Privacy Rule is presumed to be a breach, unless you are able to demonstrate through a risk assessment that there is a low probability PHI has been compromised. The risk assessment must evaluate the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
In the event of a breach, you are required to notify the affected individuals without unreasonable delay, but in any case no later than sixty days after the discovery of the breach.[12] You must provide this notice either by first-class mail or by email if the affected individual previously elected to receive notice electronically. Though you are ultimately responsible for providing notice to affected individuals, you are permitted to delegate the task of providing notice to a business associate. You are also required to notify the Secretary of Health and Human Services by submitting an electronic form on the HHS website.
Safeguarding your patients’ e-PHI is critical to maintaining your compliance with HIPAA regulations. If you have any questions regarding your HIPAA compliance, contact an experienced healthcare attorney.
[4] 45 C.F.R. § 164.306(b)(iv)
[6] 45 C.F.R. § 164.308(a)(1)(ii)(B)
[7] 45 C.F.R. § 164.308(a)(4)(i); 45 C.F.R. § 164.308(a)(3) & (4)