BMN Blog

MAY 16
ePHI Safeguards Requirements and Small Practices: What Physicians Need to Know

It is especially important for smaller practices to be mindful of Electronic Protected Health Information (ePHI) security regulations – a breach of ePHI can lead to costly notification requirements and potential monetary penalties under the HITECH Act.[1]  Managing physicians of small independent practices hold many responsibilities, including the duty to comply with the Security Rule within HIPAA regulations.  This article provides a brief overview of federal ePHI compliance safeguards required in a practice.  While not meant to be a comprehensive discussion of all requirements, it highlights legal considerations and safeguards a practice must implement to comply with HIPAA ePHI regulations.  The federal Security Rule under HIPAA requires a health care provider (typically known as a Covered Entity[2]) to have the minimum ePHI safeguards, listed below.


Before diving into required safeguards, a practice should first understand the scope of ePHI.  ePHI is formally defined as “all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.”[3] ePHI is protected under the Security Rule, which “applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with covered entities and business associates.”[4]  The Security Rule works to protect individuals’ health information in a modern, technologically advanced world.  It is meant to be flexible to work among various kinds of health care providers, ranging anywhere from small independent practices to large multistate hospital systems.  The Security Rule requires covered entities to “1) ensure the confidentiality, integrity, and availability of all ePHI [practices] create, receive, maintain or transmit; 2) identify and protect against reasonably anticipated threats to the security or integrity of the information; 3) protect against reasonably anticipated uses or disclosures; and 4) ensure compliance by their workforce.”[5] As more health care providers routinely use electronic means to document and store patient records, ePHI policies and procedures are critical to implement and follow in order to comply with HIPAA.


a. Administrative Safeguards. HIPAA defines administrative safeguards as policies and procedures “to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”[6]  The following is a list of selected administrative safeguards required by the Security Rule for all covered entities:

  • The Security Rule requires health care providers to conduct a risk analysis as part of a security management process to reduce risks and vulnerabilities.[7]
  • Practices must designate a security official within the business to implement and maintain security policies and procedures.[8] For example, an office administrator can serve as the practice’s security official.
  • The Security Rule also requires a practice to implement policies and procedures governing authorized access to ePHI: who is allowed to access what information, and how?[9]
  • A practice’s workforce must also receive appropriate training regarding access to and authorization of ePHI, and the practice must establish appropriate sanctions for employees who violate its policies and procedures.[10]
  • A practice must evaluate itself periodically on its ePHI security policies and procedures to identify and remedy any weaknesses found in order to comply with the Security Rule.[11] Once again, an office administrator can serve in this role, making timely evaluations of the practice’s ePHI policies and procedures throughout each year.


b.  Physical Safeguards. Physical safeguards under the Security Rule are “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”[12]  The following are required under the physical safeguard prong of the Security Rule:


  • A practice must have a policy covering the appropriate use, physical attributes, and security of the workstations its employees use to access ePHI. For example, a practice should consider who has access to each workstation and how visible its screen is to unauthorized persons.
  • A practice is required to have policies and procedures implemented that specify appropriate functions to be performed by specific employees, the manner of those functions, and specific workstations.
  • Policies and procedures must be in place for the addition, disposal, or reuse of hardware or electronic media that contains ePHI. A practice needs to consider what it plans to do with older technology that may contain ePHI when phasing in modern technologies.

While possibly commonsense, it is very important for clinics to implement physical safeguards, such as workstation and device control, to ensure that access to technology containing ePHI is secure and that outdated technology containing ePHI is safeguarded when disposed of or repurposed.


c.  Technical Safeguards. Not only does a practice need physical safeguards to protect ePHI, it also needs policies and procedures that limit access to its software systems to authorized users.  Technical safeguards are defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”[13]  A practice must have the following technical safeguards:


  • A practice must maintain access controls within the practice’s technology. This includes requiring a unique user identification for each employee and an emergency access procedure for reaching ePHI during an emergency.[14]
  • A practice must implement and maintain audit controls, whereby a “hardware, software and/or procedural mechanism” can record and examine activity in the practice’s systems that contain or use ePHI.[15]
  • A practice must implement policies and procedures that maintain the integrity of the ePHI.[16] For example, if there is a security breach in the practice’s system, there needs to be a procedure in place to protect patient ePHI, to the greatest extent possible, from being compromised.
  • A practice must maintain an authentication system that confirms a user is who they claim to be.[17] A unique password tied to each user’s log-in usually satisfies this requirement.
  • Finally, transmission of ePHI needs to be protected: encryption of ePHI is key whenever it is transmitted.[18]



It is important to note, for all three of these requirement topics, that the HHS Office for Civil Rights recognizes that each covered entity is different, and each is therefore evaluated on several considerations:

Compliance with the Security Rule will depend on a number of factors, including those identified in § 164.306(b)(2):

‘(i) The size, complexity, and capabilities of the covered entity.

(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to EPHI.’[19]

Based on these considerations, each ePHI safeguard requirement may look different for each practice in application.

Additionally, practices often contract with third parties that specialize in practice systems and ePHI management. Using such a vendor can be valuable to a practice, since it lets the practice hand costly and time-consuming requirements over to a third party. When contracting with these vendors, a practice must execute a Business Associate contract under HIPAA to remain in compliance with the Security Rule.[20] In other words, to protect a practice’s ePHI when working with a third party, the practice must ensure that the third party acts within the parameters set out in the Security Rule by executing a contract in which the third party agrees to abide by those laws.[21]

As each HIPAA requirement (even beyond ePHI) can become complicated for a new practice, a physician wanting to open a health care practice should consult a specialized health care attorney on these matters.  Moreover, a specialized consultant can help ensure that the practice reasonably and appropriately complies with HIPAA requirements.  Not only are ePHI safeguards required by federal law, they also play a critical role in maintaining the security of sensitive health data.  ePHI security is certain to play an increasing role in health care as technology continues to advance.




1 HITECH Act § 1320d-5.

2 Covered Entities and Business Associates (June 16, 2017).

3 45 C.F.R. § 160.103.

4 Summary of the HIPAA Security Rule (July 26, 2013).

5 45 C.F.R. § 164.306(a).

6 Security Standards: Administrative Safeguards, HIPAA Security Series (March 2007); see Elizabeth Snell, A Review of Common HIPAA Administrative Safeguards, HealthIT Security (July 17, 2015).

7 45 C.F.R. § 164.308(a)(1).

8 45 C.F.R. § 164.308(a)(2).

9 45 C.F.R. § 164.308(a)(4).

10 45 C.F.R. § 164.308(a)(3).

11 45 C.F.R. § 164.308(a)(8).

12 Security Standards: Physical Safeguards, HIPAA Security Series (March 2007).

13 45 C.F.R. § 164.304.

14 45 C.F.R. § 164.304; § 164.312(a)(2)(i); § 164.312(a)(2)(ii).

15 45 C.F.R. § 164.312(b).

16 45 C.F.R. § 164.304.

17 45 C.F.R. § 164.312(d).

18 45 C.F.R. § 164.312(e)(1).

19 Security Standards: Administrative Safeguards, HIPAA Security Series (March 2007).

20 Business Associate Contracts, HIPAA (Jan. 25, 2013).

21 See id.
