Part 2 of this series discussed the Administrative Safeguards ("AS") of the HIPAA Security Rule ("SR" or "Rule"). This post will review the SR's Technical Safeguards ("TS"). This is where the real fun starts.
There is good news and bad news with respect to the TS. The good news is that many (but not all) of the requirements encompassed by the TS will be implemented using commercial off-the-shelf (COTS) software and hardware. The bad news is that these requirements are highly technical, and therefore a fair amount of time is required just to understand what it is you are being asked to do. If you are still reading this post, then the other bad news is that you are likely the one who has been charged with making it happen. Read on; this post was written with you in mind.
One way to think about the difference between the TS and the AS is that the latter has to do with the "what" and the former with the "how." There is still an analytical process to go through when implementing the TS, but in addition to that, you are actually "doing the stuff" required to ensure that ePHI is protected from a technical perspective. That said, do not be surprised if there appears to be some overlap between the AS and the TS; there are a few bright lines mixed in with varying shades of gray.
An organization might be tempted (most will be tempted) to simply turn the SR implementation over to IT staff. The CIO may even feel that implementation of the SR can be turned over to a technical manager. Resist the temptation to do this. How the SR is implemented could make the difference between having to notify HHS, the media, and every individual patient impacted by a breach, or simply doing a "post mortem" as to why the breach occurred.
Remember that section 13402 of the HITECH Act only requires notification in the case of a breach of unsecured PHI. If the PHI has been secured as per recent HHS guidance (see HHS' Interim Final Rule on Breach Notification), then no notification is required because the information breached would be "unreadable, unusable or indecipherable."
HIPAA compliance is now a boardroom issue. Both strategic and tactical decisions must be made during the SR implementation cycle. I would not want to be the chief compliance officer (CPO) or general counsel who elected to take a simplistic approach and now has to explain to the CEO why the organization has a public relations disaster on its hands.
The Technical Safeguards
The approach taken to discussing the TS borrows heavily from the following NIST document: Implementing the HIPAA Security Rule, which demonstrates that "we're from the government and we're here to help" may not be such an oxymoron after all. A number of government agencies are required to comply with HIPAA, and NIST's objective in this document was to assist them in this process.
As mentioned in the September issue of the HITECH/HIPAA Compliance Newsletter, there are numerous high-quality resources available on the Internet that should be leveraged. In many cases the wheel has already been invented; what is left to do is to put the pieces of the puzzle together in a manner that works for your organization.
There are five standards that make up the TS. They are contained in section 164.312. Each standard is presented below, followed by a link where additional information regarding that standard can be found. The objective here is to provide additional commentary and "visualization" without losing sight of the forest for the trees.
1. Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
2. Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
3. Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
4. Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
5. Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
If you would like to get a feel for the complexity and the level of rigor required to implement these standards, then I would encourage all readers (especially if you happen to be a "CXO") to click "Read More..." on each individual standard.
Remember that the TS is just a subset of the SR, and not the largest one at that. In short, I just wanted to take another opportunity to highlight the point (as if I haven't beaten this horse to death) that this is NOT the old HIPAA you have come to know and love. This is a brand new ball game with different umpires and different rules of engagement.