Guidance on Cybersecurity: The HIPAA Security Rule
The frequency and impact of data breaches at hospitals, health insurance companies, and other health care organizations over the past several years has made it clear that the health care industry is a prime target for cyber attacks. Between 2014 and 2016, nearly 90% of health care organizations surveyed in the Annual Benchmark Study on Privacy & Security of Healthcare Data suffered at least one data breach, which cost an average of $2.2 million per breach to resolve. In response to this increasing threat, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) has planned additional compliance audits in 2017 and has announced its intention to increase investigations and enforcement actions related to cyber security incidents. OCR is responsible for enforcing the HIPAA Security Rule, which is intended to protect electronic health information.
The widespread threat of data breaches and increased risk of regulatory enforcement make it critical for health care organizations and their business associates to fully comply with the security standards and guidelines of the Security Rule.
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) required the Secretary of HHS to develop regulations to protect the privacy and security of certain health information. In 2003, HHS published the Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”), which creates a national standard of technical and non-technical safeguards to protect electronic protected health information (“ePHI”), which must be followed by all covered entities. In 2009, the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) amended the Security Rule to require covered entities to ensure that their business associates comply with the Security Rule.
Summary of the Security Rule
The Security Rule is comprised of five categories of security safeguards and requirements: (i) Administrative Safeguards, (ii) Physical Safeguards, (iii) Technical Safeguards, (iv) Organizational Requirements, and (v) Policies and Procedures and Documentation Requirements. Each category contains a set of security standards, and in turn each security standard may have one or more “implementation specifications.”
Implementation specifications are detailed instructions for implementing a standard, and they may be either “required” or “addressable.” If the implementation specification is addressable, then the entity must analyze whether it would be reasonable and appropriate to implement the specification based on factors including, but not limited to, its size and complexity, the risk of unauthorized access and disclosure of ePHI, and the cost of implementation. If the entity decides that an addressable specification is not reasonable and appropriate, then it must document its reasoning and, if reasonable and appropriate, adopt an equivalent alternative measure.
An entity subject to the Security Rule should:
- perform a risk assessment;
- develop an implementation plan and document its analysis of addressable specifications;
- implement the security standards; and
- periodically review and update its security measures and documentation.
The first requirement in the Administrative Safeguards category of the Security Rule is that an entity “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [ePHI] held by the covered entity.” Conducting a risk analysis allows an entity to accurately identify its security risks and develop a plan to implement the remaining standards of the Security Rule.
HHS has stated that a risk analysis must include an analysis of all forms of ePHI at both single workstations and over network connections, including but not limited to hard drives, CDs, portable storage devices, personal mobile devices, and transmission media. To perform a thorough and accurate risk assessment, an entity must:
- identify and document where its ePHI “is stored, received, maintained, or transmitted”;
- “assess and document the security measures” it takes to protect its ePHI and whether the measures “are configured and used properly”;
- identify and document a list of potential threats and vulnerabilities to its ePHI;
- assess and document probability estimates of potential risks to its ePHI;
- assess and document the “criticality,” or impact, of potential risks to its ePHI; and
- assign “risk levels” for all threats and vulnerabilities it has identified.
- In the event of an audit or investigation, HHS may not consider an organization’s implementation plan or analysis of addressable specifications to be compliant with the Security Rule if the organization has not met the HHS guidelines regarding an “accurate and thorough” risk analysis.
The Administrative Safeguards contain requirements regarding the selection, implementation, and maintenance of security measures to protect ePHI, and the management of an organization’s workforce in relation to the protection of ePHI. The Administrative Safeguards standards and specifications require organizations to implement policies and procedures to:
- “[P]revent, detect, contain and correct security violations,” including performing a risk analysis (discussed above), implementing security measures, creating a policy to sanction members of the workforce who fail to comply, and implementing regular reviews.
- Identify a security official to ensure that the entity complies with the Security Rule.
- Ensure that members of the workforce have the appropriate levels of access to ePHI.
- Manage access to ePHI, including implementing an authorization system and managing access privileges.
- “Implement a security awareness and training program for all members of its workforce (including management).” Organizations must consider implementing periodic security updates, detecting malicious software, monitoring log-in attempts, and managing passwords.
- Identify and respond to security incidents, mitigate the harmful effects, document the outcomes, and meet reporting obligations.
- “Respon[d] to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster.)” Organizations must have a data backup plan, a disaster recovery plan, and an emergency mode operation plan, among other specifications.
- “Perform a periodic technical and non-technical evaluation” of security measures.
- Enter into contracts or other arrangements with business associates that require them to properly safeguard ePHI in accordance with the Security Rule (discussed further below).
The Physical Safeguards contain requirements regarding the protection of electronic information systems, buildings, and equipment. The Physical Safeguards standards and specifications require organizations to implement policies and procedures to:
- “Limit physical access” to information systems and the facilities where they are kept, “while ensuring that properly authorized access is allowed.” Organizations must consider a security plan, validation procedures, maintenance records, and a contingency plan.
- Specify proper uses and procedures for electronic devices, including those used remotely.
- “Implement physical safeguards… to restrict access” to electronic devices that access ePHI.
- “Govern the receipt and removal of hardware and electronic media that contain [ePHI] into and out of a facility, and the movement of these items within the facility,” including the destruction of ePHI or the reuse of electronic devices, among other specifications.
The Technical Safeguards contain general requirements regarding technical security tools and solutions but do not require specific technology solutions. The Technical Safeguards standards and specifications require organizations to implement policies and procedures to:
- Maintain electronic information systems that “allow access only to those persons or software programs that have been granted access rights” to ePHI, including unique user identifications and encryption and decryption, among other specifications.
- “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain [ePHI].”
- Protect ePHI from improper alteration or destruction, including using “electronic mechanisms to corroborate that [ePHI] has not been altered or destroyed.”
- Verify the identity of persons seeking access to ePHI, such as by using passwords, card keys, fingerprints, or other things that only the specified person should possess.
- “Guard against unauthorized access to [ePHI] that is being transmitted over an electronic communications network,” including ensuring that ePHI is not altered in transit and implementing the use of encryption whenever appropriate.
The Security Rule contains two standards under the Organizational Requirements category.
Business Associate Contracts and Other Arrangements
The Administrative Safeguards require a covered entity to maintain contracts or other arrangements with its business associates, with limited exceptions, and the Organizational Requirements provide the specific criteria for those contracts or arrangements. A Business Associate Contract must provide that a business associate will:
- implement reasonable and appropriate “administrative, physical, and technical safeguards” for the protection of ePHI “that it creates, receives, maintains, or transmits on behalf of the covered entity”;
- ensure that its agents, including subcontractors, will also implement such safeguards;
- “[r]eport to the covered entity any security incident of which it becomes aware”; and
- “[a]uthorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.”
If a covered entity and its business associate are both government entities, then they may comply with this standard through Other Arrangements, such as a memorandum of understanding, which accomplishes the objectives of a Business Associate Contract.
Requirements for Group Health Plans
A group health plan must ensure that its plan documents require the plan sponsor to reasonably and appropriately safeguard ePHI “that it creates, receives, maintains, or transmits on behalf of the group health plan.” The standards are similar to Business Associate Contracts, except plan documents must also ensure separation between the group health plan and the plan sponsor.
Policies and Procedures and Documentation Requirements
The final section of the Security Rule addresses specific requirements for all policies, procedures, and documentation required by the Security Rule.
First, covered entities must “[i]mplement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements.” An entity “may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with [the Security Rule].”
Second, covered entities must maintain their policies and procedures, and any actions or assessments required by the Security Rule, “in written (which may be electronic) form.” In addition, entities must:
- keep the documentation “for 6 years from the date of its creation or the date when it was last in effect, whichever is later”;
- “[m]ake the documentation available to those persons responsible for [implementation]”; and
- review and update the documentation periodically “in response to environmental or operational changes affecting the security of [ePHI].”
In implementing the requirements of the Security Rule, organizations must consider the technology standards adopted by the National Institute of Standards and Technology (“NIST”), the federal agency that sets computer security standards for the federal government. In addition, private organizations, such as the Health Information Trust Alliance (“HITRUST”), a private collaboration of health care and technology organizations, have developed standards that are widely considered to be industry standards of due care and diligence and best practices. The reasonableness or appropriateness of an organization’s security measures may depend on such guidelines, particularly with respect to the Technical Safeguards. For example, an organization should aim to implement the generally accepted best practices for encryption, where reasonable and appropriate, or document why other methods of encryption are sufficient for its needs.
However, the Security Rule is not designed to be “one size fits all,” and implementation of the Security Rule depends on the individual factors of each organization, such as its size and the ways in which it uses ePHI (e.g., storage, transmission via email, remote access by employees). The existence of general or standardized guidance is not a substitute for the completion of a risk assessment, the development of an implementation plan, or compliance with the documentation requirements of the Security Rule. All organizations should consider consulting with counsel to determine the most effective and least burdensome approach to managing cybersecurity risks.
The Security Rule is complex and multifaceted, with five categories of safeguards that include over twenty security standards and dozens of implementation specifications. Although many organizations may find that compliance requires a large output of time and resources, compliance has become a pressing concern in recent years due to the increased risk of data breaches in the health care industry, the enormous potential expense associated with such breaches, and the risk of an audit or enforcement action by OCR. The cost of a data breach or an enforcement action for non-compliance can frequently be measured in the millions of dollars. Accordingly, all organizations that are required to comply with the Security Rule should thoroughly examine their level of compliance and carefully complete and document each standard and implementation specification.
For more information concerning the matters discussed in this publication, please contact the authors, Kortni M. Hadley (212-238-8871, email@example.com) or Michael H. Bauscher (212-238-8785, firstname.lastname@example.org), or your regular Carter Ledyard attorney.
 Ponemon Institute, Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, p. 1 (May 2016), available at http://www.ponemon.org/blog/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data. The cost of resolving a data breach may include a forensic investigation or audit, remediation or reconfiguration of technology infrastructure, notification of patients, providing fraud alert services to patients, legal fees, and fines or settlements with applicable government agencies.
 Codified at 45 C.F.R. Part 160 and Subparts A and C of Part 164.
 “Protected health information” means individually identifiable health information relating to: (1) an individual’s physical or mental health condition; (2) the provision of health care to an individual; or (3) payment for the provision of health care to an individual.
 A “covered entity” is (1) a health plan, (2) health care clearinghouse, or (3) a health care provider that electronically transmits any health information in connection with administrative or financial transactions regulated by HHS.
 A “business associate” is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, the covered entity that involve the use or disclosure of individually identifiable health information. Common examples include claims processing, accounting, legal work, consulting, management services, data aggregation, and accreditation services.
 See HHS, Guidance on Risk Analysis, available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?language=es.
 45 C.F.R. § 164.308(a)(1).
 See HHS, Guidance on Risk Analysis, supra note 6.
 See HHS, Guidance on Risk Analysis, supra note 6.
 45 C.F.R. § 164.308.
 45 C.F.R. § 164.310.
 45 C.F.R. § 164.312.
 45 C.F.R. § 164.314(a).
 45 C.F.R. § 164.314(b).
 45 C.F.R. § 164.316(a).
 45 C.F.R. § 164.316(b).
 See, e.g., NIST, HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, available at https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf.
 See, e.g., HITRUST, Managing Cybersecurity Risk in a HIPAA-Compliant World, available at https://hitrustalliance.net/content/uploads/2016/01/Coalfire_HITRUST_Managing_Cybersecurity_Risk_in_HIPAA_Compliant_World.pdf.
Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.
© 2018 Carter Ledyard & Milburn LLP.
© Copyright 2017