HIPAA Security Final Rule

HIPAA Security Final Rule and Meaningful Use

Bob Chaput
HIPAA-HITECH Data Security and Privacy Expert
Meeting Meaningful Use, HIPAA Security Final Rule and HIPAA Security Risk Analysis
The HIPAA Security Final Rule requires every covered entity (CE) and now, due to the HITECH Act, every Business Associate (BA) to conduct a risk analysis (CFR §164.308(a)(1)(ii)(A)) to determine security risks and implement measures “to sufficiently reduce those risks and vulnerabilities to a reasonable and appropriate level.” Additionally, completing this HIPAA risk analysis is a core requirement of Meaningful Use.
From a very practical perspective, what one ultimately seeks to develop by completing a HIPAA risk analysis is a prioritized list of security risks that need to be addressed with a risk mitigation action based on an informed decision. The classic formula for calculating risk is: Risk = Impact * Likelihood
Regulatory Requirement
The Security Rule9, reinforced by the HITECH Act, requires a CE and a BA, in accordance with the security standards general rules (CFR §164.306), to have a security management process in place “to implement policies and procedures to prevent, detect, contain, and correct security violations.”
The security standards include general requirements to:
  • Ensure the confidentiality, integrity, and availability of all electronic protected health information the CE or BA creates, receives, maintains, or transmits
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy rule
  • Ensure compliance with this law by its workforce

The standards are flexible in regards to approach:

  • CEs and BAs may use any security measures that allow the CE to reasonably and appropriately implement the standards and implementation specifications as specified in this law
  • In deciding which security measures to use, a CE or BA must take into account the following factors:
    • The size, complexity, and capabilities of the CE or BA
    • The CE’s or BA’s technical infrastructure, hardware, and software security capabilities
    • The costs of security measures
    • The likelihood and impact of potential risks to electronic protected health information
In applying flexibility, however, the preamble to the Security Rule states, “Cost is not meant to free covered entities from this [adequate security measures] responsibility.”
As required by the HITECH Act, the Office of Civil Rights, within the Department of Health and Human Services (HHS), has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. The following excerpts provide an overview of this guidance:
The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule. (45 C.F.R. §§ 164.302 – 318.) This series of guidances will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (ePHI). The guidance materials will be developed with input from stakeholders and the public, and will be updated as appropriate.
We [OCR] begin the series with the risk analysis requirement in §164.308(a)(1)(ii)(A).Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.
The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.
Specific Risk Analysis Requirements under the Security Rule
The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 CFR § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard.
Section 164.308(a)(1)(ii)(A) states:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
Because many small clinics, medical practices or business associates do not have a full-time information technology person not to mention a chief information officer, system and information owners, business and functional managers, information technology (IT) security analysts, etc., the risk analysis should be completed by a combination of outside HIPAA-HITECH Security specialists, practice management staff, the clinical staff and business leaders and managers.

About Bob Chaput
Bob Chaput, MA, CHP, CHSS, MCSE is president of HIPAA HITECH Compliance Advisors and Data Mountain LLC. He is also a contributing expert for HITECH Answers. He speaks and writes extensively on HIPAA and HITECH security matters and is a recognized HIPAA-HITECH data security and privacy expert. He can be contacted at: Bob.Chaput@H3CA.com….