Data Backup and Security Blog

Required versus Addressable HIPAA Implementation Specs

Thursday, September 2nd, 2010

The HIPAA Security Final Rule comprises Standards (what must be done) and Implementation Specifications (how it must be done) for creating policies, procedures and practices to prevent, detect, contain and correct security violations.

Implementation specifications are indicated as required or addressable. As organizations work towards HIPAA-HITECH compliance, it is important to understand the difference.

A covered entity or business associate must comply with a required implementation specification. For example, all covered entities and business associates, including small providers, must conduct a “Risk Analysis” in accordance with Section 164.308(a)(1) of the Security Rule.

For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, an organization decides if it will:

  • Implement the addressable implementation specification as stated;
  • Implement an equivalent alternative measure that allows the entity to comply with the standard; or,
  • Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.

Covered entities and business associates are required to document these assessments and all decisions. For example, all covered entities including small providers must determine whether “Encryption and Decryption” is reasonable and appropriate for their environment in accordance with Section 164.312(a)(1) of the Security Rule.

Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be implemented.

An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.

Our advice…

  • Don’t waste time debating ‘addressable’ versus ‘required’.
  • Just do it! The vast majority of the standards and specifications make good business sense.
  • HIPAA Security Standards set a “floor” or “baseline” for security.
  • Don’t make the mistake of thinking ‘addressable’ means ‘optional’; it does not!
  • Check out our HIPAA-HITECH compliance software to jump-start your program.

bob.chaput@datamountain.com | (800) 704-3394 | Follow Bob on Twitter: twitter.com/BobChaput

HIPAA Business Associates and now Subcontractors – A Big Heads Up!

Monday, July 26th, 2010

Whew! Nothing like a Notice of Proposed Rule Making (NPRM) from Health and Human Services (HHS) to send the HIPAA compliance blogosphere into a near “brown out” and hatch a new crop of self-proclaimed HIPAA privacy and security experts!

More importantly, I hope the NPRM has some effect on the business leaders and managers of organizations (Covered Entities, Business Associates and, newly proposed, Business Associate “subcontractors”) that ought to be doing something about privacy and security!

This NPRM is a good one! “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act”.

Some pundits are proclaiming they’ve studied the 234-page NPRM! No doubt, that will impress you about the blogger’s reading skills and chronic insomnia. I did read the official 58-page version published in the Federal Register, so there!

In announcing the NPRM, HHS Secretary Kathleen Sebelius said, “To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

There’s much to discuss, but my comments in this post focus on HIPAA Security and Business Associates. The HIPAA Security Rule is where the greatest amount of neglect, ignorance and non-compliance exists and from which the continued inexplicable and most egregious data breaches emanate. (As of this writing, since HHS started posting “data breachers” in February 2010 on the HHS data breach “wall of shame”, Covered Entities and their Business Associates have impermissibly disclosed the Protected Health Information of ~3.5 million fellow Americans – equivalent, almost, to the entire population of Los Angeles!)

  1. Let’s stick with data and facts for those seeking real information, not opinions:
    The official HHS Press Release on this NPRM: http://www.hhs.gov/news/press/2010pres/07/20100708c.html
  2. The official NPRM was issued on July 14, 2010: http://hipaasecurityassessment.com/wp-content/uploads/2010/07/Modifications-to-the-HIPAA-Privacy-Security-and-Enforcement-Rules-under-HITECH.pdf
    A Notice of Proposed Rule Making is not the final regulation. It is a notice and an invitation for public comment.
  3. Public comments are due in roughly 60 days, that is, by September 13, 2010.
  4. Comments received will be considered and possibly incorporated into the Final Rule over a time period that could extend through the end of the year, December 2010.
  5. While it’s important to get started (I’m a strong advocate), as stated in the NPRM, there is some time: “In addition, we recognize that covered entities and business associates will need some time beyond the effective date of the final rule to come into compliance with the final rule’s provisions. In light of these considerations, we intend to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions.”
  6. Fundamentally, the standards and the specifications in the HIPAA Security Final Rule stand as written – there are no sweeping, dramatic changes that make compliance any more or less difficult. Compliance is still a (large, non-trivial) business risk management project (not an IT project) and is still a journey, not a destination.
  7. As it relates to the Security Rule, and as we knew from the HITECH Act statutes, the single biggest change for Security Rule compliance comes in the form of a much, much larger net that is now cast to include not only Business Associates but also Business Associates’ subcontractors. “Therefore, consistent with Congress’ intent in sections 13401 and 13404 of the Act, as well as its overall concern that the HIPAA Rules extend beyond covered entities to those entities that create or receive protected health information, we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance.”

What Actions You Should Take Now:

  1. Familiarize yourself with the proposed changes; discuss them with your attorney and/or HIPAA consultant.
  2. Don’t set your hair on fire yet!
  3. If you’ve not already done so, start your HIPAA Security Compliance work by completing an honest self-assessment of where you stand (we may be able to assist you).
  4. Sink your teeth into this Business Associate and subcontractor matter, whether you are a Covered Entity, Business Associate or Business Associate subcontractor. I predict that all parties in the “chain of trust” or “chain of custody” will be statutorily obligated to comply with the law AND be subject to the new Civil Monetary Penalty system:
    1. Document your “ePHI data life cycle” for all ePHI that you create, receive, maintain or transmit to understand your “chain of custody”
    2. Complete an exhaustive inventory of your upstream and downstream “chain of custody” relationships
    3. Hold a Business Associate conference or webinar or workshop to take a more active role to ensure your Business Associates become compliant with the Privacy and Security requirements
    4. Update your standard Business Associate Agreement to reflect the requirements of the HITECH Act
    5. Start re-executing or executing Business Associate Agreements to get this critical area under control

If we may be of any assistance, please do not hesitate to call or write.
