Implementation specifications are indicated as required or addressable.  As organizations work towards HIPAA-HITECH compliance, it is important to understand the difference.

A covered entity or business associate must comply with a required implementation specification must.  For example, all covered entities and business associates including small providers must conduct a “Risk Analysis” in accordance with Section 164.308(a)(1) of the Security Rule.

For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, an organization decides if it will:

• Implement the addressable implementation specification as stated;
• Implement an equivalent alternative measure that allows the entity to comply with the standard; or,
• Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.

Covered entities and business associates are required to document these assessments and all decisions. For example, all covered entities including small providers must determine whether “Encryption and Decryption” is reasonable and appropriate for their environment in accordance with Section 164.312(a)(1) of the Security Rule.

Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be implemented.

An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.

Our advice…

• Don’t waste time debating about ‘addressable’ versus ‘required’.
• Just do it! – the vast majority of the standards specifications make good business sense.
• HIPAA Security Standards set a “floor” or “baseline” for security
• Don’t make the mistake of thinking ‘addressable’ means ‘optional’; it does not!
• Check out our HIPAA-HITECH compliance software to jump-start your program

More importantly, I hope the NPRM has some effect on the business leaders and managers of organizations (Covered Entities, Business Associates and, newly proposed, Business Associate “subcontractors”) that ought to be doing something about privacy and security!

This NPRM is a good one! “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act”.

Some pundits are proclaiming they’ve studied the 234-page NPRM! No doubt, that will impress you about the blogger’s reading skills and chronic insomnia. I did read the official 58-page version published in the Federal Register, so there!

In announcing the NPRM, HHS Secretary Kathleen Sebelius said, “To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

There’s much to discuss, but my comments in this post focus on HIPAA Security and Business Associates. The HIPAA Security Rule is where the greatest amount of neglect, ignorance and non-compliance exists and from which the continued inexplicable and most egregious data breaches emanate. (As of this writing, since HHS started posting “data breachers” in February 2010 on the HHS data breach “wall of shame”, Covered Entities and their Business Associates have impermissibly disclosed the Protected Health Information of ~3.5 million fellow Americans – equivalent, almost, to the entire population of Los Angeles!)

1. Let’s stick with data and facts for those seeking real information, not opinions:
   The official HHS Press Release on this NPRM: http://www.hhs.gov/news/press/2010pres/07/20100708c.html
2. The official NPRM was issued on July 14, 2010: http://hipaasecurityassessment.com/wp-content/uploads/2010/07/Modifications-to-the-HIPAA-Privacy-Security-and-Enforcement-Rules-under-HITECH.pdf
   A Notice of Public Rule Making is not the final regulation. It is a notice and an invitation for public comment.
3. Public comments are due in roughly 60-days; therefore, September 13, 2010.
4. Comments received will be considered and possibly incorporated into the Final Rule over a time period that could extend through the end of the year, December 2010.
5. While it’s important to get started (I’m a strong advocate), as stated in the NPRM, there is some time: “In addition, we recognize that covered entities and business associates will need some time beyond the effective date of the final rule to come into compliance with the final rule’s provisions. In light of these considerations, we intend to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions.”
6. Fundamentally, the standards and the specifications in the HIPAA Security Final Rule stand as written – there are no sweeping, dramatic changes that make compliance any more or less difficult. Compliance is still a (large, non-trivial) business risk management project (not an IT project) and is still a journey, not a destination.
7. As it relates to the Security Rule and as we knew from the HITECH Act statutes, the single biggest changes for Security Rule compliance come in the form of a much, much larger net that is cast to now include not only Business Associates but also Business Associates Subcontractors. “Therefore, consistent with Congress’ intent in sections 13401 and 13404 of the Act, as well as its overall concern that the HIPAA Rules extent beyond covered entities to those entities that create or receive protected health information, we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance.”

What Actions You Should Take Now:

1. Familiarize yourself with the proposed changes; discuss with your attorney and/or HIPAA Consultant
2. Don’t set your hair on fire yet!
3. If you’ve not already done so, start your HIPAA Security Compliance work by completing an honest self-assessment of where you stand (we may be able to assist you).
4. Sink your teeth into this Business Associate and subcontractor matter, whether you are a Covered Entity, Business Associate or Business Associate subcontractor. I predict that all parties in the “chain of trust” or “chain of custody” will be statutorily obligated to comply with the law AND be subject to the new Civil Monetary Penalty system:
   1. Document your “ePHI data life cycle” for all ePHI that you create, receive, maintain or transmit to understand your “chain of custody”
   2. Complete an exhaustive inventory of your upstream and downstream “chain of custody” relationships
   3. Hold a Business Associate conference or webinar or workshop to take a more active role to ensure your Business Associates become compliant with the Privacy and Security requirements
   4. Update your standard Business Associate Agreement to reflect the requirements of the HITECH Act
   5. Start re-executing or executing Business Associate Agreements to get this critical area under control

If we may be of any assistance, please do not hesitate to call or write.

Our July 2010 Data Protection eNewsletter has been published.

We continue to feature HIPAA Security Rule and HITECH Act data security updates, including the link to the US Department of Health and Human Services’ “Wall of Shame” — its Data Breach Notification web page.

Please enjoy these links to industry articles and white papers that we’ve researched and assembled for you. I’m confident you’ll find a nugget or two among them!

We would love to hear your thoughts. Please comment below!

Our colleagues at HIPAASurvivalGuide.com recently published their June 2010 “HITECH / HIPAA Newsletter June 2010″ centered around Business Associate Agreements.  In fact, they have developed a terrific tool/product aimed at helping Covered Entities and Business Associates reshape these now more-critical-than-ever agreements.

You may wish to check out “Business Associate Agreement – A HITECH Ready Model Contract” to get a jump on this important element of compliance.

We would love to hear your thoughts.  Please comment below!

Here’s a question from our HIPAA-HITECH FAQs Series…
Q11. What is a “risk analysis?”

A fundamental design principle in the Security Rule was that “one size does not fit all”. That is, organizations needed to first understand the law, second assess their risks vis-à-vis the law and, third, take appropriate actions for their organization to mitigate their risks in order to comply with the law.

“Risk” is defined as the degree or likelihood that a certain threat or vulnerability will occur, resulting in a breach of safeguards designed to provide control or protection of patient health information. Risk is quantified by taking into account two factors involving (1) the likelihood and (2) the impact (criticality) of loss.

A “risk analysis” is a systematic and comprehensive assessment of all aspects of information including electronic conversion, processing, storage, or transmission that could potentially compromise the integrity of patient health information. Thus, the scope of a risk analysis should address all facets of the CEs and BAs computer hardware, software, and networks and associated electronic equipment and systems.

The initial risk analysis should alsoassess security policies and procedures and technical safeguards, to determine the extent to which they meet the standards contained in the Security Rule. Then CEs and BAs must perform ongoing risk analyses in response to environmental or operational changes.

Risk analysis findings should identify levels of risk and make recommendations to reduce these risks to a reasonable and appropriate level. These findings and their remedies should be documented and retained as a permanent component of the HIPAA Security Rule compliance program. This documentation should take the form of:

• Security Gap Analysis (depicting the difference between the current and the optimal levels of risk)
• Risk Remediation Plan (outlining the process for achieving the optimal levels of risk)

A CE or BA can choose to have a third party perform the risk analysis and thus provide an independent assessment of the organization’s security with respect to the HIPAA Security Standards.

View our entire series of HIPAA Security Law – HITECH Act FAQs…

Attend one of our HIPAA-HITECH Webinars…

Here’s a question from our HIPAA-HITECH FAQs Series…

Q9. What is a “standard” as defined by the Security Rule?

A standard is a provision of the Security Rule that all CEs and BAs must comply with, specifically with respect to EPHI. There are no exceptions. There are 18 standards defined in the Security Rule. With HITECH, the number of Standards has not changed; however, more explicit guidance and clarity is provided in many areas of the Security Rule and the Privacy Rule as well.

View our entire series of HIPAA Security Law – HITECH Act FAQs…

Attend one of our HIPAA-HITECH Webinars…

Here’s a question from our HIPAA-HITECH FAQs Series…

Q10. What are “implementation specifications?”

Generally, a standard defines what a CE must do while an “implementation specification” describes how it must be done. There are two types of specifications, those that are “required” and those that are “addressable.” Required implementation specifications are critical and CEs and BAs, must implement them.

Addressable implementation specifications may or may not be implemented depending on the outcome of a security risk analysis. For an addressable specification, a CE or BA must:

• ASSESS whether the specification is a reasonable and appropriate safeguard,
• AND implement the specification if it is reasonable and appropriate,
• OR document why it is not reasonable and appropriate,
• AND implement an equivalent alternative measure if one can be identified as reasonable and appropriate.

For years, we have been advising both CEs and BAs to treat both “required” and “addressable” specifications as “required”. First, it simply makes good business and risk management sense. Second, data and information is becoming more and not less vulnerable and privacy and security laws are only going to become more stringent over time.

View our entire series of HIPAA Security Law – HITECH Act FAQs…

Attend one of our HIPAA-HITECH Webinars…

In May and June, our Complimentary live webinar offerings are listed below with direct links to see the overview and learning objectives of each webinar:

May 2010

• The Truth About HIPAA Security, The HITECH Act and Data Backup  – Tuesday, 5/18/2010 – 2:30pm ET | 1:30pm CT | 11:30am PT
• How to Avoid the New Health & Human Services ‘Wall of Shame” – Thursday, 5/20/2010 – 2:30pm ET | 1:30pm CT | 11:30am PT
• A Buyer’s Guide – What to Look For in Online Backup and Recovery Services – Tuesday, 5/25/2010 – 2:30pm ET | 1:30pm CT | 11:30am PT

June 2010

• Information Risk Management – Follow the Money – Tuesday, 6/1/2010 – 2:30pm ET / 1:30pm CT / 11:30am PT – Fred Scholl, Ph.D. 
• HIPAA Security, The HITECH Act and Contingency Planning – Thursday, 6/10/2010 – 2:30pm ET / 1:30pm CT / 11:30am PT 
• How to Avoid the New Health & Human Services ‘Wall of Shame” – Thursday, 6/17/2010 – 2:30pm ET / 1:30pm CT / 11:30am PT 
• The Truth About HIPAA Security, The HITECH Act and Data Backup – Tuesday, 6/22/2010 – 2:30pm ET | 1:30pm CT | 11:30am PT
• A Buyer’s Guide – What to Look For in Online Backup and Recovery Services -  Thursday, 6/24/2010 - 2:30pm ET | 1:30pm CT | 11:30am PT 
• How The HITECH Act Raises the Ante on HIPAA Security Rule Compliance -   Tuesday, 6/29/2010 -2:30pm ET | 1:30pm CT | 11:30am PT

If there is a data protection topic you would like us to cover and do not see it listed, please contact us using the information below.

Attend one of our HIPAA-HITECH Data Protection Webinars… Register Today!

Here’s a question from our HIPAA-HITECH FAQs Series…
Q15. By what date must CEs and BAs comply with the provisions of the Security Rule?

Most Covered Entities (CEs) were required to be in compliance with the Security Rule by April 21, 2005. However, a large portion of the Privacy Rule required certain Security Rule components to be in place as of April 14, 2003.

Business Associates (BAs) must be fully compliant with the Security Rule by February 17, 2010. Remember, HITECH is a game-changer, especially for BAs.

• All of the HIPAA security administrative safeguards, physical safeguards, technical safeguards, and security policies, procedures, and documentation requirements apply directly to all BAs
• HHS (and state attorneys general under the new enforcement provisions) may impose fines directly against BAs of HIPAA covered entities who do not comply with these HIPAA security standards
• New BA security requirements must be added to all business associate agreements
• All civil and criminal penalties applicable to CEs for violating the security provisions are also applicable to BAs

View our entire series of HIPAA Security Law – HITECH Act FAQs…

Attend one of our Live HIPAA-HITECH Webinars…

View one of our Pre-Recorded HIPAA-HITECH Webinars…

Here’s a question from our HIPAA-HITECH FAQs Series…

Q14. What are some of the electronic security techniques that CEs may have to consider to be compliant?

The HIPAA Security Standards are largely technology-neutral. Standards are categorized into Administrative, Physical and Technical. The five technical safeguard standards are: access control, audit controls, integrity, person or entity authentication, and transmission security. Each standard has implementation specifications, which can be required or addressable. Remember, addressable does not mean “optional.”The rule lays out the requirements and it is up to each individual organization to determine how to best meet the requirements, including which specific security technologies to implement. Now, however, on an annual basis, HHS is required to issue “…guidance on the most effective and appropriate technical safeguards”. HHS is required to assess advances in information technology and security measures that CEs and BAs may use to control and protect their EPHI including, but not limited to:

• Firewalls
• Encryption
• Password authentication
• Digital signatures
• Secure, remote data backup
• Biometric access methods
• Anti-Spyware and Anti-virus software
• Security Auditing and Logging
• Smart cards
• Computer physician order entry (CPOE) systems

View our entire series of HIPAA Security Law – HITECH Act FAQs…

Attend one of our Live HIPAA-HITECH Webinars…

View one of our Pre-Recorded HIPAA-HITECH Webinars…