February 5, 2013. Today, we cover the modifications to Security Standards: General Rules, and Administrative Safeguards in the HIPAA Security Rule, as modified by the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013. The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.
Security Standards: General Rules. The five General Rules govern how the administrative, physical, and technical safeguards are implemented by covered entities, and, as modified, by business associates. They are, where Final Rule modified wording is underlined:
(a) General Requirements: Covered entities and business associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA Privacy Rule [as modified].
(4) Ensure compliance with the HIPAA Security Rule by its workforce.
(b) Flexibility of Approach: (1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementations specifications as specified in the HIPAA Security Rule.
(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity or business associate.
(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
(c) Standards. A covered entity or business associate must comply with the applicable standards as provided in this section and in 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), and 164.316 (Policies and procedures and documentation requirements) with respect to all electronic protected health information.
(d) Implementation Specifications. In the HIPAA Security Rule–
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word Required appears in parentheses after the the title of the implementation specification. If an implementation specification is addressable, the word Addressable appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in 164.308, 164.310, 164.312, 164.314, or 164.316, includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.
(3) When a standard adopted in 164.308, 164.310, 164.312, 164.314, or 164.316, includes addressable implementation specifications, a covered entity or business associate must–
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and
(ii) As applicable to the covered entity or business associate–
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate–
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
(e) Maintenance. A covered entity or business associate must review and modify the security measures implemented under the HIPAA Security Rule as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update as needed documentation of such security measures in response to environmental or operational changes affecting the security of the ePHI [i.e., in accordance with 45 CFR 164.316(b)(2)(iii) of the required Updates implementation specification of the Documentation standard].
As shown by the underlinings, the General Rule modifications require compliance by business associates by September 23, 2013. Compliance for covered entities began on April 20, 2005, except for small health plans, which had an extra year to comply. Except for a rewording of (e) Maintenance, the substance of the General Rules was not modified except for applicability to business associates.
Administrative Safeguard Modifications (a). There are eight standards in (a). As discussed in yesterday’s post, the introductory text was modified to include business associates: “A covered entity or business associate must, in accordance with 164.306 [Security Standards: General Rules, as modified].” We show only the modifications below for each of the eight standards, with modifications underlined.
(1)(i) Standard: Security Management Process
(ii) Implementation specifications
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
(2) Standard: Assigned Security Responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rule for the covered entity or business associate.
(3)(i) Standard: Workforce Security
(ii) Implementation specifications
(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in the preceding addressable implementation specification, Workforce clearance procedure [paragraph (a)(3)(ii)(B)].
(4)(i) Standard: Information access management
(ii) Implementation specifications
(C) Access establishment and modification (Addressable). Implement polices and procedures that, based upon the covered entity’s or the business associate’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
(5) Standard: Security Awareness and Training–No modification
(6)(i) Standard: Security Incident Procedures
(ii) Implementation specification–Response and reporting (Required). Identify and respond to suspected or know security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
(7) Standard: Contingency plan–No modification
(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of the HIIPAA Security Rule.
With one exception, the modifications in Administrative Safeguards (a) are to extend applicability to business associates, and in a few instances, as underlined, to clarify that an entity meant covered entity. The exception relates to “or other arrangement with” in the Termination procedures implementation specification of the Workforce Security Standard (a)(3)(i). The Final Rule states: “The final rule adopts the proposed modifications to 164.308. We proposed a technical change to (a)(3)(ii)(C) regarding security termination procedures for workforce members…in recognition of the fact that not all workforce members are employees (e.g., some may be volunteers) of a covered entity or business associate.” [78 Federal Register 5590]
Tomorrow, we examine modifications relating to Administrative Safeguards (b): Business associate contracts and other arrangements.