Security Standards
The HIPAA Security Standards must be applied by health plans, health care clearinghouses, and health care providers to all health information that is maintained or transmitted electronically. The standards are intended to protect both the system and the information it contains from unauthorized access and misuse. Each covered entity must assess its systems for potential risk and vulnerabilities to the health information it houses and develop, implement, and maintain appropriate security measures. The security requirements include:
- Administrative procedures - security measures to protect data and manage the conduct of personnel in protecting data
- Physical safeguards - protection of physical computer systems and related buildings from hazards and intrusion
- Technical security services - processes to protect, control, and monitor information access
- Technical security mechanisms - processes to prevent unauthorized access to data transmitted over a communications network
The Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications. Compliance is required by April 21, 2005.
- The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information. The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.
More information on the implementation of this rule can be found at the CMS website.
- IHS Security Standards Checklist [PDF - 41 KB]
The IHS effort to comply with the HIPAA Security Standards is being led by Ryan Wilson, the Chief Information Security Officer or designee. If you want information on what the CISO is doing, he can be reached by telephone at 301-443-2537.
IHS Information Security Status
There is a great deal of crossover between The Federal Information Security Act (FISMA), which applies to Federal programs, and the security requirements for HIPAA. The attached matrix [PDF 1 MB] demonstrates the areas of crossover. The Indian Health Service has been working to comply with FISMA for several years and by doing this IHS has met most of the HIPAA security standards. Information on the IHS Information Security Program can be found at the IHS Security Program WEB site. The attached manual [PDF 1.5 MB] provides guidelines for navigating IHS Security Program WEB pages. For security reasons this security WEB site is only available to users of the IHS Intranet.
IHS Chief Information Security Officer Guidance for Meeting HIPAA Security Standards.
Use of Encryption
When implementing controls under HIPAA, covered entities must in general "(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce. (1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. (2) In deciding which security measures to use, a covered entity must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information. (c) Standards. A covered entity must comply with the standards as provided in this section and in § 164.308, § 164.310, § 164.312, § 164.314, and § 164.316 with respect to all electronic protected health information." [§ 164.306 Security standards: General rules.]
(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. [§ 164.312 Technical safeguards.]
Under this standard is the Encryption Implementation Specification (IS). While this is an Addressable IS, the standard still requires some technical security measure to guard against unauthorized access to EPHI. Typically the easiest and most economical technical measure for accomplishing this is via cryptographic methods. So, while encryption is addressable and there is some flexibility in implementing it, it is likely the best solution for this standard. In addition, under this standard is the Addressable IS to protect the integrity of EPHI. Just as important as, and sometimes more important than, the confidentiality of EPHI is its integrity. Again, typically the easiest and most economical technical measure for accomplishing this is via cryptographic methods.
(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
EPHI has been categorized as High according to the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems. As such, Annex 3 to NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Minimum Security Controls High Baseline, is used to help determine the types of controls required. Annex 3 delineates the following security controls for transmission confidentiality and integrity.
SC-9: The information system protects the confidentiality of transmitted information. The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless protected by alternative physical measures (e.g., protective distribution systems).
SC-8: The information system protects the integrity of transmitted information. The organization employs cryptographic mechanisms to ensure recognition of changes to information during transmission unless otherwise protected by alternative physical measures (e.g., protective distribution systems).
NIST Special Publications (SP) are guides and not mandatory. However, SP 800-53 is being written to a FIPS Publication. The Federal Information Security Management Act of 2002 (FISMA) made all FIPS Publications mandatory without an option for waivers. This means that the controls delineated in the final FIPS Pub 200 will be mandatory for all federal entities. It is likely that the controls above, SC-8 and SC-9, will be part of FIPS Pub 200 and be mandatory.
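The following Go program is an added illustration of the two controls above; it is not IHS code and does not represent a prescribed IHS configuration. It seals a constructed sample record with AES-256-GCM, an authenticated-encryption mode that provides transmission confidentiality (SC-9) and detection of any alteration in transit (SC-8) in a single operation, and separately shows an HMAC-SHA256 integrity tag for cases where only the Integrity Controls specification applies. The record contents, the routing header, and the in-memory key handling are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed sample EPHI record for the example; not real patient data.
const sampleRecord = `{"mrn":"000-EXAMPLE","dx":"J45.909","note":"constructed test record"}`

// ErrTampered is returned when a received message fails its integrity check.
var ErrTampered = errors.New("transmission integrity check failed: message altered or wrong key")

// IntegrityTag computes an HMAC-SHA256 tag over msg. This is an integrity
// control (SC-8) without confidentiality: the receiver recomputes the tag
// with the shared key and compares it to the tag that arrived.
func IntegrityTag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// VerifyIntegrity returns true only if tag is the HMAC of msg under key.
// hmac.Equal compares in constant time so timing does not leak partial matches.
func VerifyIntegrity(key, msg, tag []byte) bool {
	return hmac.Equal(tag, IntegrityTag(key, msg))
}

// SealRecord encrypts plaintext with AES-256-GCM, giving confidentiality (SC-9)
// and integrity (SC-8) together. aad is authenticated but left in the clear
// (for example a routing header). The result is nonce || ciphertext || GCM tag.
func SealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, so the nonce travels with the message.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord. Any change to the nonce, ciphertext, tag or
// aad causes GCM to reject the message, so alteration is detected before use.
func OpenRecord(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, ErrTampered
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// newKey generates a random 256-bit key for the demonstration. A real
// deployment would obtain keys from a key-management system, never hard-code them.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("dest=clinic-b;type=ephi") // constructed header, authenticated only
	sealed, err := SealRecord(key, []byte(sampleRecord), aad)
	if err != nil {
		panic(err)
	}
	pt, err := OpenRecord(key, sealed, aad)
	fmt.Printf("round trip ok: %v, err=%v\n", string(pt) == sampleRecord, err)

	// Simulate alteration in transit by flipping one ciphertext bit.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x80
	_, err = OpenRecord(key, tampered, aad)
	fmt.Println("altered message rejected:", errors.Is(err, ErrTampered))
}
```

Both AES-GCM and HMAC-SHA256 are NIST-approved algorithms, but meeting a FIPS requirement depends on using them inside a validated cryptographic module and on sound key management, not on the algorithm choice alone; the rejection on any altered byte is what satisfies "recognition of changes to information during transmission" in SC-8.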
Tribal requirements for complying with HIPAA:
The following letter from Dr. Grimm discusses the issue of Tribally run health facilities complying with HIPAA. [PDF - 57 KB]
While the May 2003 letter at times specifically addresses the Privacy Rule, the implication is that the requirements under HIPAA include the later finalized Security Rule.
§ 164.312 Technical safeguards.
A covered entity must, in accordance with § 164.306:
(a)(1) Standard: Access control.
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
(2) Implementation specification:
Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
§ 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
(c) Standards. A covered entity must comply with the standards as provided in this section and in § 164.308, § 164.310, § 164.312, § 164.314, and § 164.316 with respect to all electronic protected health information.
(d) Implementation specifications. In this subpart:
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes required implementation specifications, a covered entity must implement the implementation specifications.
(1) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity must-
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity-
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate-
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.