Analysis & Comments On Health and Human Services' Just-Released HIPAA Security Rules
Over five years ago the statutory deadline (February 28, 1998) passed for the Secretary of Health and Human Services (HHS) to issue the HIPAA security rules in final form. Now we have the rules. They were released in prepublication form on February 13, and appeared in the Federal Register on February 20, 2003. After the 60-day period mandated by the Congressional Review Act and 24 months mandated by the HIPAA statute, the security rules will become effective for enforcement purposes in April 2005. The new security rules can be downloaded from the CMS website at www.cms.gov.
The 2005 effective date tells only part of the story. The "mini-security rule" in the HIPAA privacy rules (45 CFR 164.530(c)) goes into effect in less than two months. It requires covered entities and their business associates, as of April 14, 2003, to implement "appropriate administrative, technical and physical safeguards" for protected health information in all forms, non-electronic and electronic. It is likely that the meaning of "appropriate safeguards" under the privacy rules will in part be determined by referring to the general principles (if not all the specific requirements) of the new final security rules. Viewed in this perspective, the first impact of the new security rules is almost immediate.
OVERVIEW Â– A BRIEF COMPARISON TO THE PROPOSED SECURITY RULES
The document released by HHS contains the rules and a long explanatory preamble. For those of you who need to read the entire document, we suggest that you go first to the back, to page 245, and start with the rules themselves (45 typed pages). Then go back to the beginning of the document to read the 244-page preamble. Things will fall into place faster.
The new security rules fulfill HHS's oft-repeated promise to mesh the security rules and the HIPAA privacy rules. The new rules discard much of the proposed security rules' terminology in favor of definitions in common with the privacy rules. For example, the requirements of a "chain of trust" agreement in the proposed security rules are now additional "business associate" contract requirements.
Some changes in terminology were made simply for the sake of consistency with the privacy rules. Others reflect a shift in substance too, such as the change from security "certification" to "evaluation," or the shift from "information access control" to "information access management," a broader concept. Other modifications to terminology introduce a new concept, approach, or new emphasis, such as the rules for "media re-use procedures."
The proposed security rules were organized around four overlapping categories (administrative procedures, physical safeguards, protection for data at rest, and protection for data in transit). Describing these overlaps often produced confusing redundancy, both in the proposed security rules themselves and in analysis of the proposed rules. The new rules retain the core concepts found in the old four categories Â– essentially, the basic building blocks of security Â– but eliminate the four silos. This streamlines the security rules in comparison to what was proposed.
Generally speaking, the final security rules offer less detail and more generic guidance, in the sense of high-level direction, about how covered entities and their business associates should go about implementing security. As HHS says, "we have focused more on what needs to be done and less on how it should be accomplished."
This means that the new rules are less a series of checklists and more a description of principles for each covered entity and business associate to evaluate and apply, based on the entity's specific situation. One benefit to this approach, as a general matter, is less regulatory risk through the enforcement process. Other risks remain however, because of the new rules' demands on covered entities to exercise constant vigilance and apply prudent judgment about security to changing circumstances. These are familiar litigation risk management issues.
The new security rules' scope is narrowed to protected health information (PHI) in electronic form only. Consequently, many details of implementing the security rules may not apply to PHI that is not in electronic form. However, HHS emphasizes that the privacy rules apply to PHI in any form. The reader should remember the "mini-security rule" in the HIPAA privacy rules (45 CFR 164.530(c)), discussed above. It requires that "appropriate" security be applied to all PHI in any event, whether or not the security rules themselves apply.
One area of vast improvement is the final security rules' explicit recognition that the cost of implementing security is a factor in security decisions (and, presumably, in regulatory and judicial judgments about security issues). The entire health care industry benefits from this dose of realism, and small and rural providers especially benefit. Indeed, the new security rules and their preamble repeatedly recognize that the cost of security is a major factor for small offices and facilities and those in rural areas. At the same time, HHS cautions that cost considerations do not justify ineffective security. "[T]here is a clear requirement that adequate security measures be implemented . . . . Cost is not meant to free covered entities from this responsibility."
Despite this caution, the new rules are a marked improvement in meeting the command in the HIPAA statute that cost of security must be factored into the new rules. Combined with discussions of operational scale that are a noticeable improvement from the proposed security rules, the new rules are likely to be far easier for small and rural health care providers to apply. While this approach does not eliminate all enforcement or litigation risk, it improves the regulatory climate substantially.
HHS creates a new Subpart C in Part 164, Volume 45 of the Code of Federal Regulations ("CFR"), where the HIPAA rules are officially published. The bulk of the new security rules are now in the new Subpart C. General provisions remain in Subpart A, and the privacy rule remains in Subpart E. Conforming changes are also made in two existing parts of the HIPAA rules, in Parts 160 and 162 of Volume 45 of the CFR. Parts 160 and 162 are rules (such as definitions) that apply to all the HIPAA rules Â– privacy and transactions, as well as security. These changes will simplify references to the HIPAA rules and make it easier to find specific rules. As we note below, some definitional provisions are removed from the privacy rule and placed in the general provisions of Subpart A, to make them applicable to the new security rule as well as the existing privacy rule.
The preamble states that future rulemaking proceedings will deal with enforcement of security and privacy, and separately with electronic signatures. HHS gives no timetable for either rulemaking.
STRUCTURAL ELEMENTS: STANDARDS AND REQUIRED AND ADDRESSABLE IMPLEMENTATION SPECIFICATIONS
The new rules have "standards" and "implementation specifications." Implementation specifications can be either "required" ("R") or "addressable" ("A"). Appendix A to the rules is a "Security Standards Matrix" that lists each standard and its associated implementation specifications. The matrix shows by an "R" or "A" whether the particular implementation specification is required or addressable, and lists the section of the security rules where the standard and implementation specification are found.
Essentially, a standard explains what must be done, and implementation specifications explain how to do it. If HHS believes that an implementation specification is one of many options, none of which by itself is essential, then it will label the implementation specification "addressable" ("A"). If HHS sees the implementation specification as essential, it will be "required" ("R").
In some case, a standard is sufficiently self-contained so that the means of its implementation are explicit or implicit, and without the need for any implementation specifications. For examples, readers should look at the rules on "assigned security responsibility" (164.308(a)(2)) or "workstation use" (164.310(b)).
The standards are grouped under three headings: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. While there remains inevitable overlap, these categories prove more streamlined than the organization of the proposed security rules.
THINKING ABOUT SECURITY UNDER THE NEW RULES
The standards and implementation specifications are integral to how HHS wants covered entities and their business associates to think about security. The preamble reflects HHS's recognition (gleaned from comments filed about the proposed rule) that many in the health care industry found security perplexing.
HHS instructs that the place to start thinking about security under the new rules is section 164.306. This section is the heart of the new security rules, and tracks the part of the HIPAA statute that governs security standards and safeguards (42 USC 1320d-2). Covered entities must meet four security requirements specified in section 164.306(a):
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance . . . by its workforce.
Section 164.306(b) specifically calls for a flexible approach: "Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart." The rules allow covered entities to factor in cost, size, complexity, technical infrastructure, other capabilities, and the likelihood and seriousness ("criticality") of potential security risks.
Section 164.306(c) specifies that covered entities accomplish all this by reference to the standards and their associated implementation specification, whether required or addressable. If the standard has no implementation specifications, it can and must be implemented as the standard itself specifies. If there are required implementation specifications, then the covered entity must do what the specifications demand.
However, there is significant flexibility in approach because so many of the implementation specifications are addressable, not required. A covered entity must assess whether each addressable specification is reasonable and appropriate for its unique situation. Then it has choices. If the specification is reasonable and appropriate for that covered entity, it "must" be implemented. If it is not reasonable and appropriate, the entity must either implement another equivalent measure that is reasonable and appropriate or, if the standard can be met some other way, choose not to implement the specification or any equivalent specification. The covered entity must document the reasons for its choice.
Risk Assessment and Risk Management.
The preamble explains that: "The administrative, physical, and technical safeguards a covered entity employs must be reasonable and appropriate to accomplish the tasks outlined in paragraphs (1) through (4) of § 164.306(a)." The way a covered entity knows what measures are reasonable and appropriate to achieve each of the listed tasks is through a two-step process that is mandated in the new rules. The first step is to assess the security risks it faces. Then it must implement countermeasures proportional to those risks, and manage its countermeasures to keep up with new or increased risks.
HHS explains the requirement this way in the preamble: "Thus, an entity's risk analysis and risk management measures required by § 164.308(a)(1) must be designed to lead to the implementation of security measures that will comply with § 164.306(a)." Whether particular measures comply with the rules will be determined by their effectiveness in "ensuring" the confidentiality, integrity, and availability of PHI, and in protecting PHI against "any reasonably anticipated threat or hazard." By the way it has written section 164.306 and explained it in the preamble, HHS has set a high standard for security, and narrowed legal arguments about how to interpret the HIPAA statute's language about safeguards.
HHS refers several times to guides published by NIST, the National Institute of Standards and Technology, as an aid in risk assessment and in the security management process( discussed below). The NIST "800 Series" publications are important as practical guides that expand upon HHS's explanations of steps to follow, and criteria to use, in assessing risk and managing security implementation. The guides will also be important references in HHS's enforcement of the security rules and in other litigation over security issues.
The preamble's discussion of risk assessment and risk management will assist covered entities in understanding what they should do to achieve an appropriate level of security, how to make decisions about doing it, and how to document it. Documentation under the new rules will be a critical element in justifying a covered entity's approach to its security needs and the countermeasures it selects to meet them.
However, the new security rules only set out a process for decision-making. They do not make the decisions nor prescribe any particular technology. Indeed, the preamble is determinedly and explicitly technology-neutral. This is true for issues covering everything from how to protect workstations to whether or not encryption is appropriate in any given situation. Some examples are worth noting because they have been the subject of so much discussion since the proposed security rules appeared:
- The preamble explains which kinds of fax processes are "electronic" and which are not. The rationale for the explanation, we predict, will continue to be a source of controversy and bemusement. Generally speaking, paper-to-paper (old-style) faxes are not electronic, and computer faxes are electronic.
- Voice (i.e., good old) telephone is not electronic.
- The rule disavows a distinction between data that moves internally within or externally to an organization. This is likely to lead many covered entities to assess the risks associated with their internal networks in a new light.
- The much-criticized proposal that workstations have required automatic log-off is a thing of the past. Workstation protection is now much more flexible in concept.
Security Management Process.
The new rules require covered entities and business associates to manage security processes assiduously. There is new emphasis, for example, on an entity's ability to detect an intrusion (such as a hacker attack) and respond quickly and effectively with countermeasures. This is known as "incident response." This and similar security management requirements will likely lead to integration of security processes and technology that are not yet common in health care. The expense of these precautions may well fall sooner and more heavily on larger health care organizations, because that is a natural result of the new rules' emphasis on scalability.
Training is one aspect of security management, and the new rules state that security training must be given to a covered entity's entire workforce, not just that part of the workforce that comes in contact with PHI. As with all aspects of the security management process, training must keep up with the times Â– with changes in threats and countermeasures.
No Safe Harbor.
The new security rules offer no safe harbor to covered entities, business associates, or the people who make security decisions for them. Rather, whether security countermeasures are good enough to "ensure" the confidentiality, integrity, and availability of PHI, and protect it from "any" hazard one could reasonably anticipate, is likely to be judged retroactively. Results and the documentation of decisions will both be important.
These considerations apply both to HHS's regulatory enforcement of security and privacy, and to covered entities' and business associates' management of litigation risk. Because the rules are based on the judgments involved in risk assessment and risk management, and on the effective implementation of the security management process, there is inherent exposure to legal liability. It cannot be eliminated, and the new rules do not attempt to do so.
SECURITY ASPECTS OF BUSINESS ASSOCIATE CONTRACTS
One of the requirements of the proposed rules was a "chain of trust partner agreement." This was the agreement by which two parties would agree to exchange electronic data and to protect it in the course of transmission. Its goal would be to ensure security at all points in the transmission, and it would have been required for all electronic transmissions of protected health information.
The privacy rules have a different requirement, the "business associate contract." This is an agreement that a covered entity is required to obtain from contractors Â– called business associates Â– who assist the covered entity with payment or operations, and who have access to the covered entity's protected health information. Under the privacy rules, a business associate contract is not universally required for exchanges of health information Â– for example, a provider needs one to disclose health information to a clearinghouse, but not to a health plan, because the clearinghouse is viewed as assisting the provider with payment, but the health plan is acting independently. Similarly, disclosures to providers for treatment do not require business associate contracts.
Observers have been interested to see how the final security rules would coordinate these differing requirements. They do it by abandoning the chain of trust partner agreement as a legal requirement. Instead, they require covered entities to have agreements with business associates who create, receive, maintain or transmit electronic protected health information on the covered entity's behalf. These agreements must contain assurances from the business associate that it will appropriately safeguard the information.
The security rules set forth the required assurances. They are a subset of the provisions required by the privacy rule, focused on electronic information. The business associate contract must require the business associate to:
- Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the covered entity's electronic protected health information;
- Ensure that its agents and subcontractors to whom it provides the information do the same;
- Report to the covered entity any security incident of which it becomes aware.
The contract must also authorize termination if the covered entity determines that the business associate has violated a material term.
The security rules adopt the privacy rules' definition of "business associate." They also echo the privacy rules' exceptions to the contract requirement for disclosures to providers for treatment, exchanges of information between government entities, and exchanges between group health plans and their sponsors. Interestingly, however, the security rules do not dispense with business associate contracts for covered entities participating in an organized health care arrangement, as the privacy rules do.
Likewise, the standard of liability is the same as under the privacy rules Â– a covered entity would not be liable for breaches by its business associate unless it knew of a pattern of activity or practice in violation of the agreement, and failed to take appropriate measures. Otherwise, covered entities who transmit data electronically will not be responsible for the recipient's security implementation.
The requirement that the business associate report any security incident of which it becomes aware to the covered entity makes it likely that covered entities will know about most, if not all, incidents. (The new security rules discard the term security "breach.") Further, security protocols require close coordination, so it is unlikely that covered entities and business associates will be able to maintain the business process or technical process separation that the new security rules seem to envision. We will need experience under the new rules before these apparent contradictions can be evaluated.
In every case in which the security rules would require a business associate contract, the privacy rules would too. Accordingly, the requirements of the security rules will most likely be implemented as additional provisions to the standard contract for business associates who deal with a covered entity's electronic protected health information.
Unlike the proposed chain of trust partner agreement, the business associate contract does not relate to the security of the data transmission itself, but rather to the security of data in the hands of the business associate. Moreover, many electronic transmissions of health information will not be subject to the business associate rule at all, such as transmissions between providers and health plans for payment. Neither the privacy rules nor the security rules now have any requirement for a contract between participants in transmissions such as these.
However, both the privacy rules in a general way, and the security rules more specifically, will require covered entities to ensure the security of electronic data transmissions, whether or not the recipient is a business associate. And participants in electronic data interchange will still need to agree on communications and security protocols, so trading partner agreements are likely to continue to be recommended practice. Prudence will argue for security risk analysis and ongoing risk management in the negotiation and implementation of these agreements.
SECURITY RULES FOR AFFILIATED ENTITIES, HYBRID ENTITIES, AND GROUP HEALTH PLANS
There are new provisions intended to align the security rules with the approach taken by the privacy rules to affiliated entities, hybrid entities and group health plans.
Under the privacy rules, covered entities under common ownership or control may designate themselves an "affiliated covered entity." An affiliated covered entity is treated as a single covered entity under HIPAA. This has a number of consequences, one of which is that the affiliated entity as a whole is responsible for HIPAA compliance by its participants.
Hybrid entities are entities that have covered and non-covered functions, and that elect to designate their covered functions (and, optionally, related business functions) as "health care components." If they do this, they need comply with the privacy rule only within their designated health care components. However, they must restrict the disclosure of protected health information to non-covered components as they would to third parties. If they do disclose health information to non-covered components, they must ensure that the non-covered components do not use or disclose the information in a manner that would violate the regulations.
The security rules remove the provisions relating to affiliated covered entities and hybrid entities from the privacy rules, place them in the general administrative simplification provisions, and make them applicable both to the security rules and the privacy rules. In effect, the responsibilities of affiliated covered entities and hybrid entities for the maintenance of electronic health information under the security rules now track their responsibilities with respect to the use and disclosure of health information under the privacy rules.
Group health plans raise different issues. Here the concern of the privacy rules is to ensure that plan sponsors (typically employers) do not have access to the plan's health information for employment-related purposes. Accordingly, the privacy rules restrict a plan sponsor's access to health information from the group health plan. Generally, the sponsor may have access only to aggregate information, and to information about who has enrolled or disenrolled in the plan.
However, if the sponsor has administrative responsibilities, it may also have access to information it needs to administer the plan. The plan document must contain provisions that restrict the plan sponsor's use of the information to this purpose, and require adequate separation between the sponsor's operations as plan sponsor and as employer. These provisions resemble those of a business associate contract, but they are in the form of amendments to the plan documents.
The security rules now require that, if the plan sponsor has access to electronic health information (beyond summary plan information and enrollment information), the plan document must have provisions, similar to those already required by the privacy rules, requiring the employer as plan sponsor to implement reasonable and appropriate measures to secure electronic health information, and to implement the adequate separation requirement; to require the same of its subcontractors; and to report all security incidents to the group health plan.
Wherever these provisions are required to be in plan documents, the related provisions under the privacy rules will also be necessary. Accordingly, we expect that group health plans that share electronic health information with their plan sponsors may want to combine them into a single amendment.
IMPACT OF NEW SECURITY RULES ON RESEARCH
The new security rules alleviate some concerns that the research community had with the chain of trust concept in the old proposed rule. Under that concept, any research (or other) database holding PHI would have needed the same high level of security as at the hospital, doctor's office, or other place where the PHI originated.
In contrast, the preamble explains that the final security rules (and all their restrictions) apply only to researchers who are part of a covered entity, or who are within the health care component of a hybrid covered entity (essentially the same thing). As the preamble states: "Researchers who are not part of the covered entity's workforce and are not themselves covered entities are not subject to the standards." This is consistent with a later statement in the preamble that, "this final rule does not require noncovered [sic] entities to comply with the security standards."
We do not want to leave the impression from this summary that security or privacy concerns abate completely when PHI is disclosed (even pursuant to an authorization) to researchers who are not covered entities or not employed at covered entities. However, we do believe that the new security rules offer some welcome relief from the rigidity of the chain of trust concept as originally explained in the proposed security rule.
This is an overview of the new HIPAA security rules. There are many changes to definitions and concepts, and new definitions and requirements, that we do not mention because of space limitations. We expect to publish further advisories about HIPAA security as events unfold.
FOR FURTHER INFORMATION, PLEASE CONTACT THE AUTHORS:
Richard D. Marks, (202) 508-6611, firstname.lastname@example.org
Paul T. Smith, (415) 276-6532, email@example.com
Thomas E. Jeffry Jr., (213) 633-6882, firstname.lastname@example.org
Rebecca L. Williams, (206) 628-7769, email@example.com