1 Bender on Privacy and Data Protection § 7.06 (2020)
1 Bender on Privacy and Data Protection § 7.06[1] (2020)
45 C.F.R., Part 164, Subpart C imposes security standards. In contrast to the Privacy Rule, which governs all phi, the Security Rule applies only to electronic phi (hereinafter, “ephi”) of a covered entity. It recognizes three types of security: administrative,[1] physical,[2] and technical[3] safeguards in an information system.[4] Under this subpart, covered entities and business associates must (1) ensure the confidentiality, integrity, and availability of all ephi they create, maintain, or transmit; (2) protect against reasonably anticipated threats or hazards to the security or integrity of same; (3) protect against reasonably anticipated uses or disclosures of same that are not permitted or required by the HIPAA rules’ privacy provisions; and (4) ensure compliance with the security provisions by their workforce. In doing so, each entity may use any security measures that reasonably implement the standards and implementation specifications of Subpart C, based on:
- the entity’s size, complexity, and capabilities;
- its technical infrastructure;
- cost; and
- the probability and criticality of potential risks to ephi.[5]
The security rules also impose “implementation specifications,”[6] each of which is either “required”[7] or “addressable.”[8] Appendix A to Subpart C of Part 164 comprises a chart summarizing the implementation specifications for each aspect of the administrative, physical, and technical safeguards, with Security Rule section numbers for each.
1 Bender on Privacy and Data Protection § 7.06[2] (2020)
There are eight aspects of administrative safeguards for covered entities:[9]
- the security management process;
- assigned security responsibility;
- workforce security;
- information access management;
- security awareness and training;
- security incident procedures;
- contingency plan; and
- evaluation.
The security management process has four implementation specifications (all required):
- risk analysis;
- risk management;
- sanction policy; and
- information system activity.
Assigned security responsibility has no implementation specifications.
Workforce security has three implementation specifications (all addressable):
- authorization and/or supervision;
- workforce clearance procedure; and
- termination procedures.
Information access management has three specifications:
- isolating health care clearinghouse functions (required);
- access authorization (addressable); and
- access establishment and modification (addressable).
Security awareness and training has four implementation specifications (all addressable):
- security reminders;
- protection from malicious software;
- log-in monitoring; and
- password management.
Security incident procedures has only one implementation specification: response and reporting (required).
Contingency plan has five implementation specifications:
- data backup plan (required);
- disaster recovery plan (required);
- emergency mode operation plan (required);
- testing and revision procedures (addressable); and
- applications and data criticality analysis (addressable).
Evaluation has no implementation specifications.
A covered entity may permit a business associate (except for a subcontractor) to create, receive, maintain, or transmit ephi only if the covered entity receives satisfactory assurances as specified below that the business associate will appropriately safeguard the information.[10] The sole implementation specification here is that these assurances be documented “through a written contract or other arrangement with the business associate … .”
A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit ephi only if the permitting business associate obtains satisfactory assurances that the subcontractor will appropriately safeguard the information.[11] The sole implementation specification here is that these assurances be documented “through a written contract or other arrangement with the business associate … .”
1 Bender on Privacy and Data Protection § 7.06[3] (2020)
The physical safeguards are the same for covered entities as for business associates. There are four aspects of physical safeguards: facility access controls; workstation use; workstation security; and device and media controls.
Facility access controls has four implementation specifications, all addressable:
- contingency operations;
- facility security plans;
- access control and validation procedures; and
- maintenance records.
Workstation use and workstation security have no implementation specifications.
Device and media controls has four implementation specifications:
- disposal (required);
- media re-use (required);
- accountability (addressable); and
- data backup and storage (addressable).
1 Bender on Privacy and Data Protection § 7.06[4] (2020)
There are five aspects of technical safeguards: access control; audit controls; integrity; person or entity authentication; and transmission security.
Access control has four implementation specifications:
- unique user identification (required);
- emergency access procedure (required);
- automatic logoff (addressable); and
- encryption and decryption (addressable).
Audit controls, and person or entity authentication, have no implementation specifications.
Integrity has one implementation specification: mechanism to authenticate ephi (addressable).
Transmission security has two implementation specifications, both addressable:
- integrity controls; and
- encryption.
1 Bender on Privacy and Data Protection § 7.06[5] (2020)
Section 164.314 deals with organizational requirements for business associate contracts and other arrangements, and for group health plans. For a contract between a business associate and either a covered entity or a subcontractor, a required implementation specification requires that the business associate (or subcontractor) comply with the applicable requirements of the HIPAA Security Rule; ensure that any subcontractors agree to comply with those requirements through a contract or other arrangement; and report to the covered entity any security incident of which it becomes aware. A group health plan must generally require that the plan sponsor reasonably and appropriately safeguard ephi. The single implementation specification (required) requires that the plan documents implement administrative, physical, and technical safeguards for ephi; ensure that there is adequate separation between the plan and its sponsor; ensure that any agent to which it gives ephi agrees to reasonable and appropriate security measures; and report to the plan any security incident of which it becomes aware.
Section 164.316 treats policies, procedures, and documentation. This requires that the entity institute reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule, and maintain them in written form. The documentation standard has three implementation specifications, all required: retention of required documentation for six years from the later of creation or date when last in effect; availability of documentation to persons responsible for implementing the procedures to which the documentation pertains; and periodic review and update of documentation.
Footnotes — § 7.06:
1 “Administrative safeguards” are “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.” Id.
2 “Physical safeguards” are “physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” 45 C.F.R. § 164.304.
3 “Technical safeguards” are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Id.
6 An implementation specification is “specific requirements or instructions for implementing a standard.” 45 C.F.R. § 164.103.
7 A required implementation specification must be implemented.
8 For an addressable implementation specification, the entity must (i) assess whether the specification is reasonable and appropriate in its environment, based on its likely contribution to protecting ephi; (ii) if so, implement it; and (iii) if not, document why not and implement an equivalent measure if reasonable and appropriate.