HIPAAdvisory > HIPAAction -- Phoenix Health Systems

The HIPAA Security and Privacy Rules --
Intersections and Dependencies

By Steve Weil, CISSP, CISA

Introduction

Many organizations are falling into the trap of assuming that the HIPAA Privacy and Security Rules can be treated as independent regulations. The Privacy Rule, finalized and with a looming deadline of April 14, 2003, is the focus of many organizations, while the Security Rule, not yet finalized, is being placed on the "back burner." Many organizations seem to have made a strategic decision to focus on the Security Rule only after it is finalized and they have finished meeting all the Privacy Rule requirements.

A careful examination of the two rules shows, however, that there are several important intersections between the two and that in order to fully comply with the Privacy Rule, organizations will need to understand and implement a number of the requirements outlined in the proposed Security Rule. This article examines these two areas in an effort to help organizations to streamline their HIPAA compliance efforts.


Intersections

There are several areas where the Privacy and Security Rules' requirements overlap or supplement each other. Understanding these intersections will enable organizations to use their resources more efficiently and effectively to comply with both rules. There are seven specific intersections:

  1. Appropriate and reasonable safeguards:

    Both rules require covered entities to take appropriate and reasonable measures to safeguard protected health information (PHI). More specifically, both require a covered entity (CE) to assess and define its own needs, select and implement protections appropriate for its own environment, and use a risk assessment process that strikes a balance between risk and remediation cost.

  2. Mapping PHI dataflow:

    To comply with both rules, CEs must understand and map their PHI data flow. In other words, they must know how and where PHI moves throughout their organization. Additionally, they must determine if PHI is being exchanged with outside entities such as business partners. Understanding the data flow is necessary if a CE is to choose and implement appropriate and reasonable PHI safeguards.

  3. Protecting appropriate data:

    The Privacy Rule's concept of a Legal Health Record (LHR), meaning all individually identifiable data, in any medium, collected and directly used in and/or documenting healthcare or health status, can be used to define the security responsibilities of a CE. The information included in the LHR is the data that must be appropriately protected by policies, procedures, and security technology. This means that some organizations will be able to save time and money by focusing their efforts on the LHR rather than on all of the organization's data.

  4. Access control:

    The Security Rule states that CEs must use at least one of four types of access control (user-based, context-based, role-based, or encryption) to limit access to PHI; the Privacy Rule clarifies this requirement. As discussed in its comment and response section, the final Privacy Rule states that role-based access control is required. This means that CEs must create policies and procedures to identify (1) the types of persons within a CE that need access to PHI and (2) the specific PHI to which they require access. Specialized security technology and controls will be necessary to enforce these policies and procedures.

  5. Third-party agreements:

    Both rules require CEs to establish agreements between themselves and all other entities with whom PHI is shared in order to protect the data they exchange. This is to ensure that PHI is safeguarded at all times, even when it is no longer under the CE's direct control. CEs are also expected to periodically verify that the other entities are complying with the agreements. This principle is defined as a Business Associate Contract in the Privacy Rule and a Chain of Trust Partner Agreement in the Security Rule.

  6. Accountability:

    Both rules require that a specific person or group in a CE be assigned to make certain PHI is appropriately safeguarded. This promotes accountability, ensuring that a specific person or group can be held accountable for PHI use and disclosure rather than an "amorphous" organization. The principle is defined as Designating a Privacy Official in the Privacy Rule and Assigned Security Responsibility in the Security Rule.

  7. Training and awareness:

    Both rules require CEs to provide regular training to make certain all employees understand both the importance of protecting PHI and the means by which they must do so. Well-trained and aware employees are key to ensuring the protection of PHI.

Privacy Rule Requirements Dependent on Security Rule Requirements

The Privacy Rule mandates that a CE safeguard all PHI that it holds, no matter the PHI's form. This includes PHI maintained or communicated on paper, electronically, or orally. In contrast, the proposed Security Rule focuses on what is required to safeguard PHI in electronic form. The Security Rule is based on information security best practices that dictate the policies, procedures, and technology necessary to safeguard the confidentiality, integrity, and availability of electronic PHI.

There are three specific areas where complying with Privacy Rule requirements will necessitate CEs implementing the security practices defined and required in the Security Rule. In these areas, the Privacy Rule principles provide a significant part of the basis for the Security Rule requirements, and the Security Rule requirements enforce the Privacy Rule principles.

First, the Privacy Rule states, "A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart." To comply with this powerful and broad requirement, CEs will need to implement many of the requirements defined in the Security Rule, including taking steps to:

  • Develop and implement a contingency plan so that the CE can effectively respond to disasters and ensure the availability of its PHI.

  • Conduct regular audits of information system activity to ensure that PHI is being used or disclosed only by properly authenticated and authorized persons.

  • Ensure that PHI has not been altered or destroyed in an unauthorized manner.

  • Have a formal process for ending a person's employment or a user's access so that inappropriate access to PHI does not occur.

  • Have consistent control of media containing PHI to ensure that unauthorized use or disclosure does not occur.

  • Ensure that only properly authorized persons are allowed physical entry to a CE.

  • Define the proper functions and location of workstations so that PHI is not inappropriately stored or viewed on a workstation.

  • Develop and implement a well-defined change control process so that information system changes do not result in the inappropriate use or disclosure of PHI.

  • Develop and implement security incident response procedures so that a CE can effectively detect, report, and respond to inappropriate use or disclosure of PHI. This includes procedures for handling security incidents at organizations with which a CE has exchanged PHI.

  • Protect PHI sent across the Internet.

Second, the Privacy Rule states, "When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."

To comply with this mandate, CEs will need to develop and implement security policies, procedures, and technology based on the Security Rule requirements that (1) enforce appropriate access control and (2) audit the use and disclosure of PHI. Overall, they will need to implement a formal security policy and process that appropriately secures PHI during its entire lifecycle, from creation to disposal. These steps are required to ensure that CEs use or disclose PHI only on a need-to-know basis; this both safeguards PHI and provides the minimum amount of information necessary for authorized persons to perform their duties.

Third, the Privacy Rule states, "An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested." In the future, it is reasonable to expect an ever-increasing amount of PHI to be stored and released in electronic form. In order to meet this requirement, CEs will need to develop and implement security policies, procedures, and technology, based on the Security Rule requirements, that track and log the use and disclosure of PHI.
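The following is an added illustration, not code from the article or from any product, of how the three mechanisms just discussed fit together in software: a role-to-PHI-field mapping that enforces the role-based access control of intersection 4 and the "minimum necessary" requirement, and an append-only log of every use or disclosure request from which an accounting of disclosures for the prior six years can be produced. The roles, field names, patient record, and dates are all constructed for the example; the six-year window is computed from the request date as the rule text describes, with the leap-day edge case handled.

```python
"""Added example: role-based PHI access with a disclosure log and a
six-year accounting of disclosures. All roles, fields, records and dates
are constructed for illustration, not drawn from the regulations."""
from dataclasses import dataclass
from datetime import date

# Constructed policy: the PHI fields each (hypothetical) type of person needs.
# This is the output of the policy work the article describes: identify the
# types of persons and the specific PHI to which each requires access.
ROLE_PERMISSIONS = {
    "treating_clinician": frozenset({"name", "dob", "diagnoses", "medications"}),
    "billing_clerk": frozenset({"name", "dob", "insurance_id", "billing_codes"}),
    "scheduler": frozenset({"name", "phone"}),
}

# Constructed sample data for one fictitious patient.
SAMPLE_RECORDS = {
    "P-0001": {
        "name": "A. Example", "dob": "1970-01-01", "phone": "555-0100",
        "diagnoses": ["example dx"], "medications": ["example rx"],
        "insurance_id": "INS-EXAMPLE", "billing_codes": ["99213"],
    },
}


@dataclass(frozen=True)
class LogEntry:
    """One immutable audit record of a use/disclosure request."""
    when: date
    patient_id: str
    recipient: str
    role: str
    fields: frozenset
    purpose: str
    outcome: str  # "granted" or "denied"


def six_years_before(today: date) -> date:
    """Start of the six-year accounting window; handles a 29 Feb request date."""
    try:
        return today.replace(year=today.year - 6)
    except ValueError:  # 29 Feb, and the target year is not a leap year
        return today.replace(year=today.year - 6, day=28)


class PhiStore:
    def __init__(self, records):
        self._records = dict(records)
        self._log = []  # append-only; denied attempts are recorded too

    def disclose(self, patient_id, recipient, role, requested_fields, purpose, today):
        """Release only fields the role is permitted; log every attempt."""
        requested = frozenset(requested_fields)
        allowed = ROLE_PERMISSIONS.get(role, frozenset())
        denied = requested - allowed
        record = self._records.get(patient_id)
        outcome = "granted" if (record is not None and not denied) else "denied"
        self._log.append(LogEntry(today, patient_id, recipient, role,
                                  requested, purpose, outcome))
        if outcome == "denied":
            raise PermissionError(
                f"role {role!r} may not receive {sorted(denied)} for {patient_id}")
        return {f: record[f] for f in requested}

    def accounting_of_disclosures(self, patient_id, today):
        """Granted disclosures for one patient in the six years before today."""
        cutoff = six_years_before(today)
        return [e for e in self._log
                if e.patient_id == patient_id and e.outcome == "granted"
                and cutoff <= e.when <= today]

    def audit_trail(self, patient_id):
        """Every attempt, granted or denied, for information system auditing."""
        return [e for e in self._log if e.patient_id == patient_id]


def run_example():
    """Exercise the store with constructed events and return the results."""
    store = PhiStore(SAMPLE_RECORDS)
    granted = store.disclose("P-0001", "Dr. X", "treating_clinician",
                             ["name", "diagnoses"], "treatment", date(2000, 6, 1))
    denied_raised = False
    try:  # a billing clerk asking for diagnoses exceeds the minimum necessary
        store.disclose("P-0001", "Clerk Y", "billing_clerk",
                       ["diagnoses"], "billing", date(2002, 1, 1))
    except PermissionError:
        denied_raised = True
    # an old, granted disclosure that falls outside the six-year window
    store.disclose("P-0001", "Dr. Z", "treating_clinician",
                   ["name"], "treatment", date(1996, 1, 1))
    accounting = store.accounting_of_disclosures("P-0001", date(2003, 4, 14))
    return {
        "granted": granted,
        "denied_raised": denied_raised,
        "accounting_recipients": [e.recipient for e in accounting],
        "audit_count": len(store.audit_trail("P-0001")),
        "leap_cutoff": six_years_before(date(2004, 2, 29)).isoformat(),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The accounting query returns only granted disclosures within the window, while the audit trail keeps denied attempts as well, since a pattern of denied requests is exactly what the information system activity audits in the list above are meant to surface.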


Conclusion

It is likely that the final Security Rule will result in even more intersections and dependencies with the Privacy Rule. As stated in the comment and response section of the Privacy Rule, "There should be no potential for conflict between the safeguards required by the Privacy Rule and the final Security Rule standards, for several reasons... . Second, in preparing the final Security Rule, the Department is working to ensure the Security Rule requirements for electronic information systems work hand in glove with any relevant requirements in the Privacy Rule..." Clearly, the lack of a final Security Rule does not relieve CEs of their responsibility for complying with the security implications of the Privacy Rule.

Understanding the Security Rule and appropriately implementing its measures will enable CEs to comply with specific requirements of the Privacy Rule. In addition to helping meet key Privacy Rule requirements, starting now on the Security Rule will give CEs a "head start" on Security Rule compliance and result in them following security best practices that their customers and business partners increasingly expect them to have.

Don't wait -- the time to start understanding and complying with the Security Rule is now.


Steven Weil, CISSP, CISA, is senior security consultant with Seitel Leeds & Associates, a full service consulting firm based in Seattle, WA. Mr. Weil specializes in the areas of security policy development, HIPAA compliance, disaster recovery planning and security assessments. He can be reached at sweil@sla.com.
