HIPAAdvisor: Q & A with Steve Fox, Esq.
Protecting the Safety of Individually Identifiable Health Information
QUESTION: The Security Regulation requires covered entities to safeguard the integrity, confidentiality, and availability of individually identifiable health information ("IIHI"). But how can a covered entity be expected to guard against any and all conceivable threats to this information? Does HHS really expect us to protect IIHI from the vast universe of potential security breaches regardless of the likelihood of any one type of occurrence?
ANSWER: Covered entities are not expected to guarantee the safety of IIHI against any and all threats. Compliance with the Security Regulation requires covered entities to implement and maintain reasonable safeguards to protect against reasonably anticipated threats. However, an entity's chosen security initiative may be called into question in the event that the entity is the subject of a compliance audit.
The Security Regulation requires covered entities to make an assessment of the vulnerabilities and potential risks to the IIHI in their possession and then develop, implement, and maintain appropriate security measures to safeguard the integrity, confidentiality, and availability of that data. These measures must be documented in a security plan and kept current.
The Security Regulation is scalable and technology neutral. The resources and vulnerabilities of any particular covered entity will determine the scope and nature of the security that is implemented. For example, the Regulation's authentication requirement can be met by using a six-character password or by using biometrics technology. The choice to implement one authentication tool over the other will be based in large part on two factors. First, the likelihood that a security breach will occur - the vulnerability of the IIHI in the entity's possession. Second, an assessment of the damage that could result from such a breach in security - the potential risk to the IIHI in the covered entity's possession. Because entities may be called upon to defend their risk assessment and corresponding security implementation, it would be prudent to undergo periodic risk assessments in order to ensure that the entity's security initiative represents a realistic, current, and comprehensive approach to protecting the IIHI in its possession and control.
The Security Regulation has not yet been released in final form, so it is possible that these requirements may be modified in the final version. However, HHS officials have stated publicly that the basic philosophy underlying the final Security Regulation will remain unchanged and that the final regulation will be streamlined to avoid redundancies with other HIPAA rules, as well as to eliminate excessive micromanagement. Most commentators do not believe that major substantive changes to the proposed Security Regulation are likely because of the close interaction and interdependence of security and the final Privacy Rule.
Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/
This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.
Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.
Have a question you'd like Steve to discuss in HIPAAlert? Send it to
and he'll be glad to consider using it in a future column, with or without attribution.