Articles by Legal Department Staff

The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

HIPAA Overview of the Security Standards

By David G. Jensen, JD
CAMFT Staff Attorney
(September/October 2003)

Updated August 2010 by David G. Jensen, JD, CAMFT Staff Attorney


The Security Standards ("Standards") have been enacted by the Department of Health and Human Services to give the health care industry a minimum set of administrative, technical, and physical safeguards that covered entities must implement to protect the confidentiality, integrity, and availability of electronic protected health information ("EPHI"). When fully implemented, the Standards will help protect EPHI from loss, theft, tampering, computer hacking, and employee misconduct, as well as a variety of other threats to the sanctity of such information. A covered entity must comply with the Standards with respect to EPHI that the covered entity creates, stores, and transmits. To get an overview of the Standards, and ultimately to be able to comply with them, you need to understand the following seventeen definitions:

  1. Access means the ability to read, write, modify, or communicate data/information, or otherwise use any system resource.[1]
  2. Administrative Safeguards are administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect EPHI and to manage the conduct of the covered entity's workforce in relation to the protection of that information.[2]
  3. Authentication means the corroboration that a person is the one claimed.[3]
  4. Availability means the property that data or information is accessible and useable upon demand by an authorized person.[4]
  5. Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.[5]
  6. Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning to such form without the use of a confidential process or key.[6]
  7. Facility means the physical premises and the interior and exterior of a building.[7]
  8. Information System means an interconnected set of information resources under the same direct management control that share common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.[8]
  9. Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.[9]
  10. Malicious software means software, such as a virus, designed to damage or disrupt a system.[10]
  11. Password means confidential authentication information composed of a string of characters.[11]
  12. Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental disasters and unauthorized intrusion.[12]
  13. Security or Security Measures encompass all of the administrative, physical, and technical safeguards in an information system.[13]
  14. Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operation in an information system.[14]
  15. Technical safeguards mean the technology and the policy and procedures for its use that protect EPHI and control access to it.[15]
  16. User means a person or entity with authorized access.[16]
  17. Workstation means an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.[17]

With a working knowledge of these definitions in mind, we can proceed towards acquiring an overview of the Standards.

What information is covered by the Standards?
The Standards cover EPHI, which is protected health information that is maintained or transmitted in electronic form. Examples of EPHI include information stored on a computer disk, magnetic tape, or computer hard drive, as well as information that is transmitted over the Internet. Although the privacy regulations, which are another aspect of HIPAA, require safeguards for all protected health information ("PHI"), the Standards are much more limited in scope. The Standards set the minimum requirements for safeguarding EPHI, which, again, is PHI that is maintained or transmitted electronically. The Standards do not address PHI stored on paper and then sent by fax, or PHI transmitted by phone. Interestingly enough, the Standards are not concerned with EPHI transmitted to you from your patients or from you to your patients, because patients are not covered entities for HIPAA's purposes.[18]

When must I comply with the Standards?
The Standards were published in the Federal Register on February 20, 2003, and they went into effect on April 21, 2003. However, marriage and family therapists who are covered entities have until April 21, 2005 to comply with the Standards.[19]

What do the Standards require me to do?
The Standards require covered entities to protect the confidentiality, integrity, and availability of EPHI that such entities create, store, maintain, or transmit. Covered entities accomplish this by implementing administrative, physical, and technical safeguards in their practices. In general, the Standards require covered entities to:

  1. Ensure the confidentiality, integrity, and availability of all EPHI that the covered entity creates, receives, maintains, or transmits;
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI that the covered entity creates, receives, maintains, or transmits;
  3. Protect against any reasonably anticipated uses or disclosures of EPHI that are not allowed or required by HIPAA; and,
  4. Ensure compliance with these security standards by its workforce.[20]

For a detailed description of each of the administrative, physical, and technical safeguards, see the accompanying Administrative, Physical, and Technical Safeguard Standards Overview chart.

Do I have to comply with all of the Standards?
In a nutshell, covered entities have to comply either with the Standards or with some reasonable and appropriate alternative to a particular Standard.[21] The Standards are intended to be flexible and scalable, meaning that what a sole practitioner has to do to comply with them is not the same thing that a hospital would have to do to comply with them.

In determining which security measures to adopt, covered entities must take into account the following four factors:

  1. The relative size, complexity, and capabilities of the covered entity.
  2. The covered entity's technical infrastructure, hardware, and software security capabilities.
  3. The costs of the security measures.
  4. The probability and criticality of potential risks to EPHI.[22]

Given the flexibility of these factors, it should be evident that how a particular covered entity meets a particular Standard will depend, in large part, on the covered entity's unique characteristics and technical environment. HIPAA does not mandate any particular technology to meet a particular security standard. Consequently, each covered entity can make its own technology decisions by determining what is reasonable and appropriate given its resources and capabilities.

What are implementation specifications?
The implementation specifications detail how a particular Standard may be met. In total, there are 40 implementation specifications for the Standards, and we will delve into them in the next issue of The Therapist. Some of these implementation specifications are required and some are addressable.[23]

If an implementation specification is required, then the covered entity must implement it. However, if an implementation specification is addressable, then the covered entity must determine whether the implementation specification is a reasonable and appropriate safeguard for the covered entity to adopt. In other words, the covered entity must determine whether the particular implementation specification will help protect the covered entity's EPHI.

If a covered entity determines that a particular implementation is a reasonable and appropriate safeguard, then such entity simply implements the safeguard into the entity's practice.

However, if a covered entity determines that a particular implementation specification is not a reasonable and appropriate safeguard, then the covered entity must document why it is not a reasonable and appropriate safeguard and then do one of the following: 1) implement an alternative measure that is reasonable and appropriate, or 2) not implement any alternative measure, but only if the security standard can be met without implementing an alternative measure. In the case of option 2, the covered entity must document how the security standard will be met.

Complying with the Standards
Complying with the Standards is two-fold: first, you must understand the minimum administrative, physical, and technical standards that HIPAA requires to be in place to help protect the integrity, confidentiality, and availability of protected health information, and second, assuming you are a covered entity, you must implement such Standards in your practice.

To assist you with your compliance efforts, we have prepared the accompanying Administrative, Physical, and Technical Safeguard Standards Overview ("Overview"). This Overview will give you an idea of what the Standards are all about. Then, in the next issue of The Therapist, we will provide you with an Administrative, Physical, and Technical Safeguard Standards Compliance Worksheet ("Worksheet") to assist you with your compliance efforts. The Overview will give you a description of each of the Standards, and the Worksheet will help you organize your compliance efforts.

The information contained in this article is intended to provide guidelines for addressing difficult legal dilemmas. It is not intended to address every situation that could possibly arise, nor is it intended to be a substitute for independent legal advice or consultation. When using such information as a guide, be aware that laws, regulations, and technical standards change over time, and thus one should verify and update any references or information contained herein.


[1] 45 CFR 164.304
[2] Supra
[3] Supra
[4] Supra
[5] Supra
[6] Supra
[7] Supra
[8] Supra
[9] Supra
[10] Supra
[11] Supra
[12] Supra
[13] Supra
[14] Supra
[15] Supra
[16] Supra
[17] Supra
[18] Federal Register, Vol. 68, No. 34, page 8338
[19] 42 CFR 164.318
[20] 42 CFR 164.306(a)(1-4)
[21] 42 CFR 164.306(b)(1)
[22] 42 CFR 164.306(b)(2)
[23] 42 CFR 164.306(d)