HIPAA Privacy Rule and Security Standards – friends or foes?
by Cheryl S. Camin, Fulbright & Jaworski L.L.P., Dallas, TX
This article is intended to be a brief analysis of how the differences between the Privacy Rule and the Security Standards may result in problems with compliance with both of these requirements. To fully understand these rules and standards, let's back up and cover a little HIPAA history.
We're all familiar with the Privacy Rule (also called the Privacy Standards), which was issued under the Administrative Simplification provisions of HIPAA (a/k/a the Health Insurance Portability and Accountability Act of 1996). The Security Standards are now in full force and effect as well. The Administrative Simplification provisions of HIPAA were developed to help protect individuals' rights to privacy and security in connection with the electronic transmission of their health information. At the same time, HIPAA was intended to increase the efficiency and effectiveness of these electronic transmissions.
Health care providers that transmit health information electronically (from doctors and hospitals to laboratories and pharmacies), employer-sponsored health plans, insurance companies, and health care clearinghouses are "covered entities" that are directly bound by the Privacy Rule and Security Standards. These covered entities, along with the vendors or "business associates" with whom they share health information, must prepare and establish specific policies, procedures and forms for the purpose of protecting health information.
Although compliance with the Privacy Rule and compliance with the Security Standards are equally important, the requirements of the Privacy Rule are much less specific and more flexible than those of the Security Standards. Why does this matter? Because it is sometimes unclear what is required in order to comply with one or both of these HIPAA rules, especially at the same time. Where a requirement is flexible, there is room for interpretation and for creative alternatives for compliance.
So how does compliance with the Security Standards differ from compliance with the Privacy Rule? The Security Standards are intended to safeguard "electronic protected health information" ("EPHI"), which is a specific subset of the broader "protected health information" ("PHI") that must be protected under the Privacy Rule. EPHI is individually identifiable health information that is transmitted by or maintained in electronic media. PHI includes all of that, but unlike EPHI it also includes health information that is maintained in paper form or communicated orally.
Since the Security Standards pertain specifically to EPHI, it is easier to write concrete requirements regulating this tangible information. PHI, by contrast, also covers paper records and oral communications, which are harder to control and harder to document as compliant.
The Security Standards consist of administrative safeguards, physical safeguards and technical safeguards, which together comprise approximately 18 specific standards and over 40 implementation specifications. These "implementation specifications" are specific requirements or instructions for implementing a Security Standard, and each is designated either "required" or "addressable." Both required and addressable specifications necessitate the development of policies and procedures.
A required specification must be implemented as written. An addressable specification is more flexible and permits alternative measures, but it may not simply be skipped: the covered entity must evaluate each addressable specification individually to determine whether it is reasonable and appropriate in its environment. If it is, the entity implements it. If it is not, the entity must document why and implement an equivalent alternative measure where one is reasonable and appropriate; if no alternative is appropriate either, that conclusion must be documented as well.
The addressable specifications, although more flexible than the required specifications, are still more specific and rigid than the general Privacy Rule requirements. In practice, compliance with the Security Standards lends itself to a checklist on which the steps taken to satisfy each specification are marked off. To know which steps to take, the covered entity performs a risk analysis, similar to the Privacy Rule gap analysis, to determine where the organization or its systems are vulnerable and where specific policies and procedures must be implemented and documented. To remain compliant going forward, the organization's Security Officer then regularly reviews and updates this checklist.
The Privacy Rule is not as clear cut. Where does a Privacy Rule compliance program start and stop? Covered entities must implement a plan to safeguard PHI and prevent unauthorized uses and disclosures of it, but what does this really mean? In an oversimplified way, it means the covered entity may use or disclose PHI for treatment, payment or health care operations purposes. For any other purpose, the covered entity must find a specific provision of the Privacy Rule that permits the use or disclosure, or obtain the individual's authorization. A Privacy Rule compliance program must be implemented and the covered entity's employees must be trained on it. The organization's HIPAA Privacy Officer should oversee this process.
But wait: what if the Security Officer prohibits an organization's HR Director from granting certain employees the log-in access to PHI that they need in order to give an individual access to his or her own PHI, as the Privacy Rule requires? Or what if PHI maintained by a covered entity is encrypted in accordance with the Security Standards and, as a result, cannot be transmitted or amended as the individual to whom it relates has instructed under the Privacy Rule? What if a health care provider's data backup plan under the Security Standards provides access to an individual's PHI outside of the restrictions that individual has imposed as permitted under the Privacy Rule? Who wins?
If a covered entity finds that its Privacy Officer and Security Officer are engaged in a wrestling match over who is right for purposes of HIPAA compliance, it is a good time to step back and see where the organization's Privacy Rule compliance program and its Security Standards compliance plan conflict. The good news is that in most cases there is no direct conflict, and there are alternatives that will satisfy the requirements of both the Privacy Rule and the Security Standards. For example, exceptions may be made to the addressable facility access requirements imposed by the Security Standards to permit individuals to have access to their own PHI in compliance with the Privacy Rule. As a result, it is recommended that the two HIPAA plans be compared on a regular basis to determine whether any conflicts exist, and then revised so that both work in harmony.