Spring 2005
Health Law Bulletin
HIPAA Security Regulations: Compliance Date Nears
By Elizabeth H. Sillin, Esq.
The Health Insurance Portability and Accountability Act ("HIPAA") Security Regulations go into effect on April 20, 2005. Health care providers that are "covered entities" under the related, but distinct, Privacy Regulations already in effect must now comply with the Security Regulations. The Security Regulations apply to protected health information ("PHI") that is either maintained or communicated electronically ("EPHI"). PHI stored on a computer in any way, or on a personal digital assistant, or communicated by e-mail, internally or externally, is considered EPHI. (EPHI does not include paper-to-paper faxes, videoconferencing or voice mail.)
The Security Regulations require a covered entity to:
- Ensure the confidentiality, integrity and availability of all EPHI that the provider creates, receives, maintains or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such EPHI;
- Protect against any reasonably anticipated uses or disclosures of EPHI that are not permitted or required under the Security Regulations; and
- Ensure compliance with the Security Regulations by the provider’s workforce.
1. First Steps
The first step for compliance with the Security Regulations is to conduct a risk analysis. The risk analysis will guide a compliance program. In a risk analysis, the provider should identify vulnerabilities in all of its information technology systems, including, without limitation, all operating systems, software, hardware and vendor services. For example, laptops taken off the premises can be easily stolen or lost. Internal systems can be threatened by the infiltration of viruses received in electronic mail. Systems may not have appropriate login access. A private location in the office may not be available in order to restrict access to or prevent improper viewing of EPHI. After identifying vulnerabilities of its system, the provider should identify threats to its systems, such as those imposed by thieves, viruses, hackers, fires or floods, and consider the likelihood of such threats. Finally, the provider should identify controls that can be put in place that will mitigate such threats, such as passwords, firewalls, screensavers or backup services.
As an additional first step, the provider must appoint a security officer to coordinate and oversee compliance with the Security Regulations.
2. Policies and Procedures – Compliance Obligations
After completing the risk analysis and appointing a security officer, the provider must address implementation specifications for the protection of the security of EPHI. Those measures fall into three general areas: administrative safeguards, physical safeguards and technical safeguards. About one-half of the implementation specifications listed for the safeguards are "required," meaning that the provider must comply with them as written. The other half are "addressable," which means that if the provider determines that implementing the standards as written is not reasonable and appropriate, the provider must document the reasons in writing, and alternative measures must be implemented if such alternative measures are reasonable and appropriate.
a. Administrative Safeguards
Administrative safeguards include requirements that covered entities take effective steps to i) minimize those risks and vulnerabilities discovered in the risk analysis; ii) develop policies to limit workforce access to EPHI to the minimum necessary; iii) train staff about security policies; iv) develop procedures for dealing with "security incidents" involving wrongful access, use or disclosure of EPHI; v) develop sanction policies for workforce members who violate the implemented policies and procedures; and vi) terminate access to EPHI when employees are terminated. Business associate agreements now require additional language to ensure that business associates will properly protect and safeguard EPHI and that "security incidents" will be reported to the covered entity.
b. Physical Safeguards
The provider must also address the physical safeguard implementation specifications, which are policies and procedures to protect EPHI from natural and environmental hazards and unauthorized intrusions. The Security Regulations require facility access policies and procedures, including a disaster plan, a security plan, access control and validation procedures; workstation use policies and procedures; workstation security policies and procedures; and device and media policies and procedures that determine, among other things, how EPHI will be disposed of and stored.
c. Technical Safeguards
Finally, the Security Regulations require covered entities to develop technical safeguards. In order to comply, the provider may need input from information technology staff or technological consultants or vendors in order to put in place technological processes to protect the provider’s EPHI. For example, if an administrative safeguard policy states who may have access to certain EPHI, the related technical safeguard requires the provider, through the use of appropriate technology, to develop mechanisms to actually restrict access as indicated. Other technical safeguards requirements are that the covered entity give each employee a unique identification for access to information, develop a procedure to access EPHI during emergencies and develop and implement a mechanism to record and examine activity in any systems that contain EPHI.
d. Documentation
Covered entities must document both the policies and procedures developed to comply with the Security Regulations and each decision not to develop policies regarding any "addressable" safeguards. From a legal standpoint, documentation of the decision-making process will be important to establish compliance. As with the Privacy Regulations, enforcement will be complaint-driven. The Centers for Medicare and Medicaid Services, the federal agency that will be enforcing the Security Regulations, has indicated that when it receives a complaint regarding poor security of EPHI, the agency’s response will be influenced by documented evidence that a covered entity has made an effort to comply with the regulations. The agency is authorized to impose civil fines or criminal penalties for non-compliance.
3. Conclusion
Compliance with the Security Regulations requires performance of a thorough risk analysis, appointment of a security officer, amendment of business associate agreements, development of a number of policies and procedures and ongoing monitoring of policies and procedures developed.
Please feel free to contact a member of BR&G’s Health Law Practice Group with questions about the Security Regulations.
Elizabeth H. Sillin is an associate practicing in the Health Law Practice Group and the Estate Planning and Administration Department.