How to comply with the HIPAA Security Rule

From data encryption to access management, to partner contracts, there are many important steps a health care provider must take to achieve compliance with the HIPAA Security Rule.

The Health Information Technology for Economic and Clinical Health (HITECH) Act extended the requirement for direct compliance with Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules to business associates of covered entities. The HITECH Act's encouragement of enhanced health information exchange undoubtedly will increase the number of entities that handle protected health information and because they handle PHI, are subject to the HIPAA Security Rule.

Until 2009, only a HIPAA-covered entity was directly responsible for demonstrating HIPAA compliance to the Department of Health & Human Services (HHS), and only a covered entity was liable for penalties in the event of a data breach. The HITECH Act changed that. Now business associates that handle PHI are directly responsible for the safeguards, for breach notification and for the penalties that follow a breach.

As stated in the Modifications to the HIPAA Privacy, Security and Enforcement Rules Under the HITECH Act, which were published on July 14, 2010:

Section 13401 of the HITECH Act … provides that the Security Rule's administrative, physical and technical safeguards requirements … as well as its policies and procedures and documentation requirements … shall apply to business associates in the same manner as these requirements apply to covered entities, and that business associates shall be civilly and criminally liable for penalties for violations of these provisions.

Before the HITECH Act, covered entities were required to ensure that the business associates they entrusted with electronic PHI complied with the HIPAA privacy and security rules. This has not changed. However, with the spotlight more clearly focused on HIPAA business associates, these organizations must make doubly sure they comply with the intent and letter of the two rules.

In short, business associates already had to comply, by contract with the covered entities that engaged them; now they are directly liable under the rules themselves, and it's more likely that someone will notice when they don't.

Identifying, analyzing risk under the HIPAA Security Rule

The HIPAA Security Rule requires that covered entities and business associates implement full security programs. These include a formal assessment of security risk and the implementation of controls commensurate with that risk.

The security rule labels many of its implementation specifications "addressable" rather than "required," but addressable does not mean optional. For each addressable specification an organization must implement it, implement an equivalent alternative, or document why the control is not reasonable and appropriate for its environment (for example, because it is impractical to implement or does not address an actual risk). Most organizations therefore should treat addressable implementation specifications as requirements unless they can justify, and document, an exception.

The security rule also requires all covered entities and business associates to appoint a person or group responsible for a health information security program to protect PHI. This includes a program to analyze and manage risk.

Risk analysis, as defined by the HIPAA Security Rule, requires a formal, repeatable methodology that assesses the content, sensitivity and volume of information; the threats to the confidentiality, integrity and availability of PHI; and the effectiveness of the security controls the organization has implemented already. If the magnitude of risk is acceptable, the controls are adequate. If not, the organization has to select and implement new controls. This risk management method should be repeated regularly, with administrators understanding threats, evaluating controls and addressing weaknesses to comply with the HIPAA Security Rule.

Controlling access to electronic PHI

One of the main requirements of the HIPAA Security Rule is that organizations must ensure that only authorized users have access to electronic PHI. At a minimum, this means authenticating users with unique IDs. However, any good security program requires a thorough, auditable process for requesting and approving access, as well as a regular review of user privileges.

Obviously, access controls will vary based on the technology used to store the information. Databases, Web applications, file systems and desktop applications all have their own mechanisms. The vast majority of commercial products provide authentication that is strong enough, and flexible role- or group-based authorization, to let organizations reasonably secure their information.


The secret to securing information is more about process than it is about technology. Bear in mind that the model for segregating data, granting access, logging access, reviewing use and reviewing access rights should be the same regardless of the underlying technology.

Identity and access management (IAM) systems can help organizations meet all HIPAA Security Rule access-control requirements. Smaller organizations, however, could find the price tag too high, and even larger organizations might find the cost of integrating these technologies daunting. In any event, stringent controls (whether implemented entirely through manual procedures or facilitated by IAM technology) are a critical component of securing health care data.
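As an added illustration of the review process this section describes (example code, not from the original article or any product), the Go program below runs a periodic privilege review over a constructed access log and a constructed roster. It applies the same checks regardless of where the data lives: reads of PHI by IDs that are not on the approved roster, reads by roles not approved for PHI, shared logins that defeat the unique-user-ID requirement, and rostered accounts with no activity in the review window. The role names, user IDs, log format, review window and the naming rule for shared accounts (anything containing an underscore) are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Roles approved to read electronic PHI (constructed for this example).
var roleMayReadPHI = map[string]bool{
	"clinician": true,
	"billing":   true,
	"helpdesk":  false,
}

// Approved roster: unique user ID -> role. Naming convention assumed here:
// personal accounts are initial+surname; anything containing "_" is a
// workstation or role login, which breaks the unique-user-ID requirement.
var roster = map[string]string{
	"jdoe":      "clinician",
	"asmith":    "billing",
	"tlee":      "helpdesk",
	"rwong":     "clinician",
	"nurse_sta": "clinician",
}

// Constructed access log: "timestamp user action resource" per line.
const sampleLog = `2024-03-01T09:12:00Z jdoe read patient/1001
2024-03-02T10:05:00Z asmith read patient/1001
2024-03-03T11:40:00Z tlee read patient/2002
2024-03-04T08:00:00Z nurse_sta read patient/3003
2024-03-04T08:05:00Z ghost read patient/4004`

type AccessEvent struct {
	When     time.Time
	User     string
	Action   string
	Resource string
}

type Finding struct {
	User   string
	Reason string
}

// parseLog parses the log and rejects malformed lines rather than skipping
// them: a review that silently drops records is not auditable.
func parseLog(raw string) ([]AccessEvent, error) {
	var events []AccessEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed log line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		events = append(events, AccessEvent{When: ts, User: f[1], Action: f[2], Resource: f[3]})
	}
	return events, nil
}

// ReviewAccess is the periodic privilege review. It flags PHI reads by IDs
// not on the roster or by roles not approved to read PHI, shared logins,
// and rostered accounts with no activity inside the review window.
func ReviewAccess(events []AccessEvent, now time.Time, dormantAfter time.Duration) []Finding {
	var findings []Finding
	lastSeen := map[string]time.Time{}
	for _, e := range events {
		if e.When.After(lastSeen[e.User]) {
			lastSeen[e.User] = e.When
		}
		role, onRoster := roster[e.User]
		switch {
		case !onRoster:
			findings = append(findings, Finding{User: e.User, Reason: "access by ID not on approved roster"})
		case e.Action == "read" && !roleMayReadPHI[role]:
			findings = append(findings, Finding{User: e.User, Reason: "PHI read by role '" + role + "' not approved for PHI"})
		}
	}
	for user := range roster {
		if strings.Contains(user, "_") {
			findings = append(findings, Finding{User: user, Reason: "shared or role login, not a unique user ID"})
		}
		if last, ok := lastSeen[user]; !ok || now.Sub(last) > dormantAfter {
			findings = append(findings, Finding{User: user, Reason: "dormant: no access in review window, revoke or re-approve"})
		}
	}
	// Map iteration order is random; sort so reports are reproducible.
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].User != findings[j].User {
			return findings[i].User < findings[j].User
		}
		return findings[i].Reason < findings[j].Reason
	})
	return findings
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	reviewDate := time.Date(2024, 3, 31, 0, 0, 0, 0, time.UTC)
	for _, f := range ReviewAccess(events, reviewDate, 30*24*time.Hour) {
		fmt.Printf("%-10s %s\n", f.User, f.Reason)
	}
}
```

On the constructed data this produces four findings: an unknown ID (ghost), a shared login (nurse_sta), a dormant clinician account (rwong) and a help-desk read of PHI (tlee). The same four questions are what a manual review would ask; the value of scripting it is that the review runs on every cycle, over every system's log, with the results written down.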

Protecting electronic PHI, in place and in motion

HHS has identified encryption and destruction as acceptable methods for rendering PHI unusable, unreadable or indecipherable to unauthorized individuals. (A further explanation can be found in the first half of this tip, How to interpret and apply federal PHI security guidance.)

Although HHS does not require organizations to encrypt electronic PHI, the security and legal benefits of encryption are compelling. First, PHI encrypted according to the HHS guidance is not "unsecured" PHI, so its loss or theft does not trigger the breach notification rule: the organization avoids not only the penalties associated with breaches, but also the expensive process of notifying affected parties. That safe harbor holds only if the decryption key was not compromised along with the data; a lost laptop whose key sits on the same disk gets no benefit from it. Second, encryption can act as a strong access control mechanism that protects data when it's most vulnerable -- namely, when it's transmitted and when it's stored on portable devices.

The HHS guidance for employing encryption is referenced in the breach notification interim final rule. The guidance points to four National Institute of Standards and Technology (NIST) Special Publications:

  • The first, SP 800-111, Guide to Storage Encryption Technologies for End User Devices, describes the strengths and weaknesses of full-disk, volume, virtual-disk and file/folder encryption. This document is useful in describing data storage problems and the ways various mechanisms work to protect data at rest.
  • The other three -- SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; SP 800-77, Guide to IPsec VPNs; and SP 800-113, Guide to SSL VPNs -- describe how to use VPNs and encrypted channels to protect data in transit.
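As an added example (not code from the original article, from HHS or from NIST), the Go program below shows the record-level pattern behind "encrypt what sits on the portable device": one PHI record sealed with AES-256-GCM, the record identifier bound into the authentication tag as associated data so a ciphertext cannot be quietly moved from one patient to another, and the key generated and held separately from the ciphertext. The record ID, record contents and on-disk layout (nonce, then ciphertext, then tag) are constructed for the example; what the breach safe harbor actually depends on is where that key lives, which no amount of cipher code can fix.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh random 256-bit AES key. The point of the safe
// harbor is that the key is NOT on the lost device: keep it in a key
// management service or hardware token, and never beside the ciphertext.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one PHI record with AES-256-GCM under a random 96-bit nonce.
// recordID is bound as associated data, so a ciphertext moved from one
// patient's record to another's fails to decrypt. Layout: nonce || ct || tag.
func Seal(key, recordID, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce it is given as dst.
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// Open reverses Seal. It fails closed on the wrong key, the wrong record ID,
// any modified byte, or input too short to hold a nonce and a tag.
func Open(key, recordID, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, recordID)
	if err != nil {
		return nil, fmt.Errorf("record %q: authentication failed: %w", recordID, err)
	}
	return pt, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	recordID := []byte("patient/1001")                                    // constructed
	record := []byte("Name: A. Example; DOB: 1970-01-01; Dx: J45.20") // constructed
	sealed, err := Seal(key, recordID, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes (nonce+ciphertext+tag)\n", len(record), len(sealed))

	if pt, err := Open(key, recordID, sealed); err == nil {
		fmt.Printf("correct key and record ID: %s\n", pt)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, recordID, tampered); err != nil {
		fmt.Println("modified ciphertext rejected:", err)
	}
	if _, err := Open(key, []byte("patient/2002"), sealed); err != nil {
		fmt.Println("ciphertext moved to another patient rejected:", err)
	}
}
```

Two design notes. Random 96-bit GCM nonces are fine at the volumes a single device or record store sees, but a key reused across a very large number of records should be rotated or replaced by per-record keys wrapped under a master key, which also makes revoking one device's data a matter of destroying one wrapped key. And the hard failure in Open is deliberate: a decryption routine that returns partial plaintext on a bad tag turns an integrity control into an oracle.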

Manage partners, ease HIPAA Security Rule compliance

Any security program designed to protect information and comply with such regulations as HIPAA should include a program to assess, contract with and manage the partners with which an organization shares data. Partner management is essentially a security program in miniature. It requires risk assessment, selection of controls, governance in the form of contracts, monitoring, identity and access management, encryption, and periodic evaluation of controls' effectiveness.

HIPAA rules require organizations to assess their partners' practices and obtain contractual guarantees that the information entrusted to them will be protected according to the privacy and security rules. With the HITECH Act, the chain of assessments and contracts has gotten longer: Covered entities require contracts from service providers, service providers require contracts from their partners, and so on.

There are three keys to effective partner management:

  1. Share only the information that partners need to provide their service: for example, strip direct identifiers the partner does not need before the data leaves your systems.
  2. Regularly assess partners' risk and security practices.
  3. Establish contracts with partners and review them regularly.

Protect connections, ensure health information security

An important part of securing health information is making sure that the systems involved in storing, processing and exchanging information are protected at the network layer. Network segregation and careful filtering and monitoring of traffic can help significantly in safeguarding against many common types of attacks.

There are three controls that every organization should consider when it assesses and improves its health information network security:

  1. Segregate critical health information systems from the rest of the network.
  2. Employ strong wireless network security measures for all networks in the enterprise.
  3. Lock down and monitor all connections to service providers and the Internet.

There are many more network-based techniques that can enhance systems and data security, but these three steps provide a good basis for additional improvements.

Overall, the HITECH Act has increased organizations' incentives to reduce paper and streamline health information exchange. This increase in information flow comes with expanded security risks and regulatory scrutiny. The most effective way for organizations to meet regulatory requirements and avoid a health care data breach is to design a security program that assesses risk accurately and implements controls that prevent breaches. A well-designed security program not only will safeguard organizations' health information, but also will help them pass audits, satisfy partners and protect against costly penalties and notification processes.

Richard E. Mackey, vice president of Sudbury, Mass.-based SystemExperts Corp., is an authority on enterprise security architecture and compliance.