Employer-sponsored group health plans subject to the HIPAA privacy regulations now have an additional regulatory obligation: compliance with the HIPAA security regulations. The HIPAA security rules regulate electronic protected health information (“ePHI”). Large group health plans (more than $5 million in annual gross receipts or claims paid) must comply no later than April 20, 2005. Small group health plans ($5 million or less in annual gross receipts or claims paid) must comply no later than April 20, 2006. Health Care Reimbursement Accounts are included in the types of group health plans that must comply with the HIPAA privacy and security regulations.

HIPAA security compliance for employer-sponsored group health plans that create, receive, maintain or transmit ePHI will require the following:

  • Identify the extent to which the employer, as plan administrator/plan sponsor, creates, receives, maintains and/or transmits ePHI.
  • Appoint a security official.
  • Conduct a security risk “gap analysis” that identifies potential risks relating to confidentiality, integrity and availability of ePHI.
  • Determine need, if any, to implement security measures to bring plan administration into compliance with HIPAA’s security standards.
  • Conduct employee training.
  • Create policies and procedures relating to compliance with HIPAA security.
  • Update business associate agreements with third-party vendors who provide services to the group health plans to address HIPAA security.
  • Amend plan document for HIPAA security.

There are three attachments to this Update. The first attachment is a compliance checklist. The second is a summary of the main requirements of the security regulations. The third attachment is a chart showing the security standards and implementation specifications.

The Employee Benefits group can assist employers in complying with the HIPAA security regulations. Please contact the attorney you work with for assistance or contact Leslie Anderson at (612) 343-7960 or Jessica Forbes Olson at (612) 492-6967.

HIPAA SECURITY COMPLIANCE CHECKLIST

Background

  • Continue security measures required by HIPAA privacy regulations. HIPAA privacy regulations required covered entities to adopt safeguards to protect protected health information. These safeguards should continue.

Initial Steps

  • Assemble an internal HIPAA security compliance team. The team members could include individuals from technology, human resources, benefits and legal departments.
  • Determine which group health plans have to comply with the HIPAA security regulations. Group health plans have to comply if they create, receive, maintain or transmit electronic protected health information.
  • Appoint a security official. Designate the security official in writing. The security official could be the same person who acts as the privacy official.
  • Determine when group health plans have to comply with the HIPAA security regulations. Group health plans have to comply by April 20, 2005 if they have more than $5 million in annual gross receipts or claims paid. Small group health plans ($5 million or less in annual gross receipts or claims paid) will have until April 20, 2006 to comply.

Risk Analysis and Risk Management

  • Conduct a risk analysis. The internal security team (or an outside consultant) must conduct a risk analysis that assesses the risks and vulnerabilities that could negatively affect the confidentiality, integrity and availability of ePHI.
  • Implement risk management measures. After conducting the risk analysis, group health plans must document the results and implement security measures to reduce the risk of compromising ePHI and to meet the security standards.
  • Implement security standards and implementation specifications. Implementation of the 18 security standards is mandatory. Most security standards have individual implementation specifications. Security implementation specifications are either required or addressable. (See previous page.)

Training

  • Perform security training. All employees with access to ePHI need to be trained on the security rule and how to protect ePHI.

Document Work

  • Draft policies and procedures. Draft policies and procedures to comply with the security standards and implementation specifications.
  • Document all actions undertaken to comply with the security regulations.
  • Identify business associates and enter into or amend business associate agreements (where the business associates create, receive, maintain or transmit ePHI on the plan’s behalf).
  • Amend plan documents for group health plans (unless those plans do not create, receive, maintain or transmit ePHI, as may be the case with insured plans).

Maintain Compliance

  • Maintain compliance. Periodically review and update security procedures and documentation in response to environmental changes.

BACKGROUND ON HIPAA SECURITY

Requirements of HIPAA Security Regulations

HIPAA security regulations require group health plans to implement reasonable and appropriate administrative, physical and technical safeguards that will:

  1. ensure the confidentiality, integrity and availability of all electronic protected health information that it creates, receives, maintains or transmits;
  2. protect against any reasonably anticipated threats to the security or integrity of such information;
  3. protect against any reasonably anticipated improper uses or disclosures of such information; and
  4. ensure that its workforce complies with the security regulations.

Information Subject to HIPAA Security Regulations

The security regulations are limited to electronic protected health information. Electronic protected health information includes protected health information that is created, received, maintained or transmitted by the group health plan (e.g., protected health information that is transmitted over the internet, stored on a computer hard drive or a CD, or e-mails that contain identifying health information from third-party vendors).

Entities Subject to HIPAA Security Regulations

The HIPAA security regulations directly require group health plans that create, receive, maintain or transmit ePHI to comply. This includes plans sponsored and administered by employers. The HIPAA security regulations apply indirectly to business associates of group health plans. Specifically, plan sponsors who allow business associates (e.g., third-party administrators, consultants) to create, receive, maintain or transmit ePHI on the plan’s behalf must enter into agreements with business associates that essentially require business associates to comply with the security regulations. The HIPAA security regulations also apply indirectly to plan sponsors. Plan sponsors that receive ePHI (other than enrollment/disenrollment information, summary health information or information pursuant to an authorization) must amend the group health plan documents to implement certain safeguards to protect ePHI created, received, maintained or transmitted on behalf of the plan.

HIPAA Security Standards

Group health plans have some flexibility in determining how to meet the security requirements. The security regulations prescribe 18 security standards, most of which fall into the categories of administrative, physical or technical safeguards. The security standards are designed to ensure the confidentiality, integrity and availability of ePHI, to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI, to protect against reasonably anticipated impermissible uses or disclosures of ePHI and to ensure compliance by the covered entity’s workforce with the security rules. All of the security standards are required to be implemented.

Most of the security standards have corresponding “implementation specifications,” which specify how the security standards should be met. However, only some of the 36 implementation specifications are required (others are addressable). Group health plans must implement the “required” specifications. Group health plans also must implement an “addressable” specification if they determine it is a reasonable and appropriate security measure. If they determine an addressable implementation specification is not reasonable and appropriate, they must implement an equivalent measure, if it is reasonable and appropriate.

In determining how to reasonably and appropriately implement the standards and corresponding implementation specifications, a group health plan must take into account the following factors:

  1. the covered entity’s size, complexity and capabilities;
  2. the covered entity’s technical infrastructure, hardware and software security capabilities;
  3. the costs of the security measures; and
  4. the probability and criticality of potential risks to electronic protected health information.

Deadline for Compliance with HIPAA Security Regulations

Large group health plans (more than $5 million in annual gross receipts or claims paid) must comply with HIPAA security regulations no later than April 20, 2005. Small group health plans ($5 million or less in annual gross receipts or claims paid) must comply no later than April 20, 2006.

Security Standards and Corresponding Implementation Specifications

Administrative Safeguards

Security Management Process

  • Risk Analysis (required)
  • Risk Management (required)
  • Sanction Policy (required)
  • Information System Activity Review (required)

Assigned Security Responsibility (required)

Workforce Security

  • Authorization and/or Supervision (addressable)
  • Workforce Clearance Procedure (addressable)
  • Termination Procedures (addressable)

Information Access Management

  • Access Authorization (addressable)
  • Access Establishment and Modification (addressable)

Security Awareness and Training

  • Security Reminders (addressable)
  • Protection from Malicious Software (addressable)
  • Log-in Monitoring (addressable)
  • Password Management (addressable)

Security Incident Procedures

  • Response and Reporting (required)

Contingency Plan

  • Data Backup Plan (required)
  • Disaster Recovery Plan (required)
  • Emergency Mode Operation Plan (required)
  • Testing and Revision Procedure (addressable)
  • Applications and Data Criticality Analysis (addressable)

Evaluation (required)

Business Associate Contracts and Other Arrangements

  • Written Contract or Other Arrangement (required)

Physical Safeguards

Facility Access Controls

  • Contingency Operations (addressable)
  • Facility Security Plan (addressable)
  • Access Control and Validation Procedures (addressable)
  • Maintenance Records (addressable)

Workstation Use (required)

Workstation Security (required)

Device and Media Controls

  • Disposal (required)
  • Media Re-use (required)
  • Accountability (addressable)
  • Data Backup and Storage (addressable)

Technical Safeguards

Access Control

  • Unique User Identification (required)
  • Emergency Access Procedure (required)
  • Automatic Logoff (addressable)
  • Encryption and Decryption (addressable)

Audit Controls (required)

Integrity

  • Mechanism to Authenticate Electronic Protected Health Information (addressable)

Person or Entity Authentication (required)

Transmission Security

  • Integrity Controls (addressable)
  • Encryption (addressable)