Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
NOTE: This article was published March 21, 2005 by the Bureau of National Affairs, Inc., in BNA's Privacy & Security Law Report http://www.bna.com.
Suffering "HIPAA Privacy Rule fatigue," many human resources and benefits professionals have passed the compliance baton for the HIPAA Security Rule to their colleagues in the Information Technology (IT) Department. Letting IT grapple on its own with the HIPAA Security Rule most likely will mean that your organization will not meet the April 21, 2005, compliance deadline for covered health plans with annual receipts exceeding $5 million, or even the April 21, 2006 compliance deadline for covered health plans falling below that threshold. The reason: even the best security software will provide an incomplete solution without comprehensive decisions about employee access to sensitive information, comprehensible written policies, meaningful training programs, and appropriate sanctions for employees who violate policies -- tasks best accomplished with the assistance of human resources and benefits professionals.
A Brief Overview of the HIPAA Security Rule
The HIPAA Security Rule applies to employers sponsoring self-insured group health, dental and/or vision plans with 50 or more participants or that are administered by a third party. The Security Rule also applies to health care reimbursement flexible spending accounts and employee assistance programs subject to the same limitations. In contrast to the HIPAA Privacy Rule, which applies to protected health information (PHI) regardless of its format, the Security Rule applies only to PHI stored or transmitted electronically. PHI is individually identifiable information created or received by, or on behalf of, any of the plans described above (in HIPAA parlance, a "covered entity") that relates to a participant's past, present or future physical or mental health condition, treatment for the condition, or payment for treatment. Examples of PHI include information related to enrollment, claims processing, claims dispute resolution and premium payments.
The Security Rule's primary objective is to ensure that each covered entity safeguards the confidentiality, integrity and availability of electronic PHI. Those key terms are defined as follows:
- "Confidentiality" means that PHI is not made available or disclosed to unauthorized persons or processes.
- "Integrity" means that PHI has not been altered or destroyed in an unauthorized manner.
- "Availability" means that PHI is accessible and usable upon demand by an authorized person.
In addition, covered entities must protect electronic PHI against reasonably anticipated threats or hazards and against reasonably anticipated uses or disclosures by unauthorized persons or by authorized employees in an unauthorized manner.
The Security Rule requires each covered entity to engage in a "security management process" to meet these overarching objectives. That process begins with a risk analysis, i.e., an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. Using the results of the risk analysis, the covered entity must then engage in "risk management," by implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level. These security measures should be periodically re-evaluated, from a technical and non-technical perspective, and modified as necessary to address personnel, environmental and technological change. Once the security measures have been implemented, or after they are modified, the covered entity must monitor system activity, for example, by reviewing audit logs and access reports and tracking security incidents, to ensure that security measures are being followed and are effective.
HR's Role in HIPAA Security Compliance
While the security management process, at first blush, appears to involve only IT functions, the Security Rule identifies several constituent elements of the overall process that can be accomplished in most organizations only with the participation of human resources and benefits professionals. Each of those tasks is discussed in more detail below.
1. Amending Business Associate Agreements and Plan Documents
Under the HIPAA Privacy Rule, covered health plans are required to enter into written agreements with third-party service providers, such as benefits administrators, insurance brokers, and attorneys ("business associates"), who use and disclose PHI on the covered entity's behalf. The HIPAA Security Rule requires that these business associate agreements include language in addition to the language required by the HIPAA Privacy Rule. More specifically, each business associate agreement must require that the business associate implement safeguards for electronic PHI, ensure that any subcontractor or agent does the same, and report to the covered entity any known "security incident," i.e., attempted or actual unauthorized access to electronic PHI. Existing business associate agreements may need to be amended by the applicable compliance date if they do not already include the required provisions.
The HIPAA Privacy Rule also requires the amendment of plan documents to include provisions that effectively establish a "firewall" between the plan sponsor's employees who are authorized to use and disclose PHI for plan administration functions and all other employees. The Security Rule mandates additional amendments to plan documents. These amendments, similar to those for business associate agreements, require the plan sponsor to adequately safeguard electronic PHI, to ensure that any subcontractor or agent does the same, and to report any known security incident to the plan administrator. The plan document for each covered plan should be amended by the compliance deadline applicable to the plan.
For most employers, human resources and benefits professionals were exclusively responsible for negotiating business associate agreements and for ensuring that plan documents were amended as required by the HIPAA Privacy Rule. Consequently, responsibility for ensuring that these documents contain the additional amendments mandated by the HIPAA Security Rule logically falls to HR and benefits personnel as well.
2. Selecting a Responsible Security Official
Covered plans are required to designate a single person to be ultimately responsible for the security of electronic PHI. Because of the technical issues involved, this person should likely be someone other than the Privacy Officer named in the existing HIPAA privacy policy documents. This person also is responsible for ensuring that covered plans engage in the mandatory security management process. When several IT employees have the technical skills and the appropriate level of authority to fulfill this role, HR professionals can provide crucial guidance in choosing among the potential candidates. HR professionals most likely will be in a better position than IT staff to judge, for example, which of the candidates is best suited for the leadership role and will most effectively interact with other members of the employer's organization to accomplish Security Rule compliance.
3. Controlling Access to Electronic PHI
Controlling access to electronic PHI is one of the Security Rule's most important objectives. While the IT Department can program software to implement access controls on a technical level, HR and benefits personnel are needed to identify for the IT Department those employees who are authorized to have access to electronic PHI and the scope of that access. In addition, implementing effective access controls requires the on-going involvement of HR and benefits personnel.
To begin with, HR and benefits personnel will need to catalogue for the IT Department the categories of electronic PHI stored and transmitted by the organization and how the information is used and disclosed on the network to perform plan administration functions. This endeavor requires in-depth knowledge of the information-handling processes used to administer each covered plan and of all information exchanges with third-party service providers. In addition, given that transmissions of electronic PHI covered by the HIPAA Security Rule include intranet and Internet communications as well as the physical movement of electronic storage media, IT staff must be educated about the use of e-mail to communicate electronic PHI within the organization and to business associates and about the use and exchange of CDs and floppy disks containing PHI.
Once the cataloguing of electronic PHI has been completed, HR and benefits personnel will need to help the IT Department develop access control lists. Depending upon the types of plan administration functions performed on the network, these lists may identify the specific systems on the network, the applications within systems, the functions within applications, data files, and fields within files, that may be accessed by each employee authorized to use and disclose electronic PHI. HR and benefits personnel also will need to define the types of access that will be permitted, e.g., read only, create new files, modify or delete existing files, search files, change security settings for specific files, etc. Only employees intimately familiar with plan administration processes and the trustworthiness of employees who perform those functions can make the decisions necessary to ensure that the access control lists effectively safeguard the confidentiality, integrity and availability of electronic PHI.
After the access control lists have been developed, HR and benefits personnel need to communicate with the IT Department on a regular and on-going basis to ensure that the lists remain up-to-date. As employee job functions change, the access control lists most likely will need to be modified to reflect concomitant changes in access rights. Temporary changes to access control lists may be necessary when an employee takes an extended leave of absence. Even more important, the IT Department must be promptly notified when access rights should be terminated because an employee has left the organization or has moved to a position no longer involving plan administration functions.
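Added here as an illustration, not code from the article: a small Python model of the access control list and the maintenance process this section describes. Entitlements are keyed by employee and by a resource path (system / application / function / file / field) and carry the access types the article enumerates; HR status changes (extended leave, move out of plan administration, termination) drive both the authorization decision and a periodic review. The employee names, system names, resource paths and status values are assumptions constructed for the example.

```python
from dataclasses import dataclass
# Access types named in the article: read only, create, modify/delete, search, change security settings.
ACCESS_TYPES = {"read", "create", "modify", "delete", "search", "change_security"}

@dataclass(frozen=True)
class Entitlement:
    employee: str
    resource: str      # system/application/function/file/field path, "/"-separated
    access: frozenset  # subset of ACCESS_TYPES
    def __post_init__(self):
        unknown = self.access - ACCESS_TYPES
        if unknown:  # reject access types HR never defined
            raise ValueError(f"unknown access type(s): {sorted(unknown)}")

@dataclass
class HRStatus:
    status: str            # "active", "leave" or "terminated"
    plan_admin_role: bool  # current job still involves plan administration

def covers(granted, requested):
    # A grant on a path covers that path and everything beneath it, not mere string prefixes.
    return requested == granted or requested.startswith(granted + "/")

def authorize(acl, hr, employee, resource, action):
    """Deny unless HR shows an active employee in a plan-administration role
    and some entitlement covers both the resource and the requested action."""
    rec = hr.get(employee)
    if rec is None or rec.status != "active" or not rec.plan_admin_role:
        return False
    return any(e.employee == employee and covers(e.resource, resource)
               and action in e.access for e in acl)

def review(acl, hr):
    """Periodic HR/IT reconciliation: entitlements to revoke (employee left or
    moved out of plan administration) or to suspend (extended leave of absence)."""
    result = {"revoke": [], "suspend": []}
    for e in acl:
        rec = hr.get(e.employee)
        if rec is None or rec.status == "terminated" or not rec.plan_admin_role:
            result["revoke"].append(e)
        elif rec.status == "leave":
            result["suspend"].append(e)
    return result

# Constructed sample data (hypothetical employees, systems and fields).
ACL = [
    Entitlement("alice", "claims_system/adjudication", frozenset({"read", "search"})),
    Entitlement("bob", "claims_system/adjudication/claim_file", frozenset({"read", "modify"})),
    Entitlement("carol", "enrollment_system", frozenset({"read", "create", "change_security"})),
    Entitlement("dave", "claims_system", frozenset({"read"})),
]
HR = {"alice": HRStatus("active", True), "bob": HRStatus("leave", True),
      "carol": HRStatus("active", False), "dave": HRStatus("terminated", True)}
```

Running `review(ACL, HR)` on the sample data flags carol's and dave's entitlements for revocation and bob's for suspension, which is the list HR would hand to IT at each reconciliation.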
4. Developing and Implementing Written Policies
Policy writing and implementation typically is the domain of the Human Resources Department. The HIPAA Security Rule calls for several written policies that almost surely would benefit from the input of HR staff. These policies cover (a) appropriate access to electronic PHI, including proper handling of terminated employees; (b) training; (c) identifying, reporting, investigating and responding to security incidents; (d) sanctioning employees for security violations; and (e) proper data destruction, which would include the handling of electronic resources used by terminated employees. Some of these policies may be engrafted onto existing policies developed by HR to implement the HIPAA Privacy Rule.
In addition to helping draft these policies, HR's involvement will be needed on related administrative matters. For example, HR may need to obtain the approvals necessary for the organization's formal adoption of these policies. HR also will be responsible for communicating the policies to the workforce and, if the organization decides to do so, for obtaining employee acknowledgements of the new policies.
Responding to security incidents often will require the joint efforts of the IT and Human Resources Departments. While IT will focus principally on technical solutions, HR may help with investigating the incident, will participate in the decision whether and how to discipline employees implicated in the incident, and will be responsible for documenting that decision. HR also may be called upon to communicate with the media when a security incident receives press attention.
5. Security Awareness Training
While the IT Department likely will take the lead in developing the substance of security awareness training, the training program will be far more effective if it is tailored to the specific uses and disclosures of electronic PHI made by those who perform plan administration functions. Consequently, human resources and benefits personnel should collaborate with the IT Department in developing the training program.
The Human Resources Department also will be needed to perform several other critical functions related to training. These include identifying the employees who will need to undergo training, deciding whether new employees will be permitted to access electronic PHI before completing training, scheduling training sessions, and documenting employee participation in those sessions. HR and IT personnel also will need to jointly decide when current employees should receive supplemental training (because, for example, new applications software has been installed) and refresher training.
6. Contingency Planning
The Security Rule requires planning for contingencies that might affect the integrity or availability of data, such as fire, flood, vandalism, or a system crash. To that end, covered plans must (a) create and maintain data back-ups; (b) be capable of restoring lost data; and (c) establish policies and procedures that will safeguard, while ensuring access to, electronic PHI when operating in emergency mode. The HR Department should discuss with IT personnel whether, and if so how, these steps should be coordinated with the organization's overall contingency planning.
7. Communicating with Counsel Concerning the Effectiveness of the Overall Compliance Program
Human Resources and benefits personnel most likely developed a relationship with counsel when undertaking the HIPAA privacy compliance project. The same personnel should consider taking the lead in communicating with counsel concerning HIPAA security compliance with the participation of the person from the IT Department selected to oversee the effort. Counsel will prepare or review the amendments to business associate agreements and plan documents. In addition, counsel can confirm that the security management process has addressed all of the matters required to be addressed by the HIPAA Security Rule and has been appropriately documented. Counsel also can review newly-developed policies and procedures and confirm that designations on the access control lists are consistent with the HIPAA Privacy Rule's minimum necessary requirement.
Conclusion
Regardless of the size of your organization or its IT Department, the IT staff will not be able to accomplish effective compliance with the HIPAA Security Rule on its own. HR and benefits professionals have several critical roles to play in the process. By understanding and fulfilling those roles, HR and benefits personnel can help immeasurably to improve the security of electronic PHI and to protect their organization from potentially costly and embarrassing security incidents.
Philip L. Gordon is a Shareholder in Littler Mendelson's Denver office. If you would like further information, please contact your Littler attorney at 1.888.Littler, info@littler.com or Mr. Gordon at pgordon@littler.com.