Congress passed the Health Insurance Portability and Accountability Act in 1996 to simplify the administration of health care and thereby reduce its cost. HIPAA does this by encouraging electronic transactions between healthcare providers and payers, which reduces paperwork. The HIPAA Privacy Rule, with a compliance date of April 14, 2003, established standards for the protection of patient health information in all forms. The Security Rule, with a compliance date of April 20, 2005, focuses specifically on standards to protect the confidentiality, integrity and availability of electronic patient information.
State law (Civil Code §56.101, Health and Safety Code §123149) imposes on all healthcare providers requirements similar to the HIPAA Security Rule. Providers who do not conduct electronic transactions or undertake other activities that would designate them as HIPAA-covered entities are required by the state to automatically record and preserve any change or deletion of any electronic health information stored on their systems. Providers must preserve the confidentiality of the information.
The state requires that a dental office that keeps its records only in electronic form must use an offsite backup storage system, an imaging mechanism able to copy signature documents, and a mechanism that makes a record unalterable once it has been entered. The dentist must develop and implement policies and procedures that include safeguards for confidentiality and against unauthorized access to electronically stored records, authentication by electronic signature keys, and systems maintenance. The electronic health record system must automatically record and preserve any change or deletion of electronically stored health information, and that audit record must include, among other things, the identity of the person who accessed and changed the information and the change that was made.
HIPAA Privacy and Security Rules: The Similarities, the Differences
Implementation of both the HIPAA Privacy Rule and Security Rule requirements is eased by the flexibility of the regulatory standard within the rules. The compliance standards for covered entities include reasonable measures to protect the confidentiality of patient information in all forms and to secure the availability and integrity of electronic patient information. What constitutes reasonable measures for a particular practice are largely determined by such things as the size of the practice, the physical layout of the office, how patient information is used and conveyed within the practice, and even such factors as cost. What might be a reasonable measure to protect patient information within a hospital setting is going to be different from a reasonable measure in a dental practice with one or two dentists. Measures that are reasonably necessary for a hospital to protect against the unauthorized release of patient information may be unreasonable for a small private practice to implement.
There are differences between the concepts of privacy and security, however. The Privacy Rule deals with what might be termed “leakage” of protected health information in all its forms. Examples of such leakage are unauthorized disclosures of patient information on social media, patient information that is disposed of while still readable, and overheard conversations containing patient information.
Whereas the Privacy Rule protects against leakage, the Security Rule focuses on managing the threats and vulnerabilities to a covered entity’s information systems which can disrupt the availability and compromise the integrity of, and allow unauthorized access to, electronic patient information. The rule requires specific safeguards, the consideration of other safeguards and a risk management plan.
HITECH, Business Associates and Recognized Security Practices
The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 established tiered penalties for HIPAA violations, requires HIPAA business associates to comply with the Security Rule and some provisions of the Privacy Rule, and included incentives for electronic record adoption. For information on business associates and business associate agreements, refer to the resource, HIPAA Business Associate Agreement, on cda.org.
HITECH was amended in 2021 to require the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to consider during data breach investigations whether a covered entity follows “recognized security practices” and has had them in place for a minimum of 12 months when determining resolutions to potential violations of the Security Rule. The amendment does not require a covered entity to adopt recognized security practices but if an entity has implemented them for the minimum period prior to an investigation, then civil money penalties and other remedies can be mitigated. Implementation of recognized security practices is not a safe harbor from investigations or fines.
Recognized security practices are defined in the HITECH amendment as standards, guidelines, best practices, methodologies, procedures and processes developed under:
- Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;
- Section 405(d) of the Cybersecurity Act of 2015; or
- Other programs and processes that address cybersecurity and are recognized by statute or regulation.
The NIST standards referenced are those of the NIST Cybersecurity Framework. Government agencies and large organizations have long followed NIST technical standards. However, dental practices and their IT advisors may find the Health Industry Cybersecurity Practices (HICP) developed by the 405(d) program to be more useful. The 405(d) technical volumes were developed with different-sized organizations in mind. Technical Volume 1 focuses on small healthcare organizations, and many of its recommended practices overlap with HIPAA Security Rule requirements.
See the resources list below for links to an OCR video and 405(d) Health Industry Cybersecurity Practices.
Security Rule Requirements
In complying with the HIPAA Security Rule, covered entities and business associates should begin by recognizing three basic elements:
- Confidentiality. Ensure data or information is not made available or disclosed to unauthorized entities.
- Integrity. Ensure data or information is not altered by unauthorized entities.
- Availability. Ensure data or information is accessible and usable upon demand by an authorized entity.
Covered entities and business associates must comply with the Security Rule standards, which are grouped into three categories: administrative safeguards, physical safeguards, and technical safeguards. Essentially, administrative safeguards are documented, formal practices for selecting, implementing and maintaining security measures; physical safeguards protect information systems and the buildings and equipment that house them from unauthorized physical access and from natural and environmental hazards such as fire, flood or loss of power; and technical safeguards are the technology and related procedures that control and monitor access to electronic patient information and protect it when it is transmitted over a network.
Many of the standards include implementation specifications, which are either “required” or “addressable.” Required specifications must be implemented. For an addressable specification, the practice must first conduct its risk analysis and then either implement the specification if it is reasonable and appropriate, implement an equivalent alternative measure, or document why the specification is not reasonable and appropriate in its environment. Addressable does not mean optional. Where a standard has no implementation specification, compliance with the standard itself is required.
Required administrative safeguards include:
- conducting thorough initial and periodic analyses to determine potential risks to the security of patient information that is stored and used electronically;
- implementing practices to reduce identified risks and vulnerabilities;
- instituting a system to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
- responding to security incidents;
- training staff (including unpaid volunteers and students who work in the practice) to be aware of and follow office information security policies and procedures;
- implementing a policy to sanction staff members who violate office information security policies and procedures;
- designating one staff person to be the Security Officer (similar to the designation of a Privacy Officer as required by the HIPAA Privacy Rule);
- establishing appropriate access levels for staff to patient records (determined by job requirements);
- assigning a unique name and/or number for identifying and tracking the identity of information system users;
- establishing data backup and disaster recovery plans;
- establishing a contingency plan to enable the continuation of critical business processes for the protection of the security of patient information while operating in emergency mode; and
- having business associate agreements that require the business associate to comply with the Security Rule and to notify the practice of data breaches that occur at the business associate.
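The third item above, regularly reviewing records of information system activity, is the safeguard most often done on paper and least often done in practice. The following is an added example, not code from CDA, HHS or any practice-management vendor, of what such a review can look like when automated: it reads an access log export, checks it against the staff roster, and flags the patterns a Security Officer would want to follow up on (access by an account that should have been terminated, after-hours record viewing, bursts of failed logins, and one user opening an unusual number of charts in a day). The log format, the user roster, the office hours and the thresholds are all assumptions for illustration; the sample log lines are constructed.

```python
"""Review of information-system activity records for a small practice.

Added example, not code from CDA, HHS/OCR or any vendor. Log format, roster,
office hours and thresholds are assumptions; adjust them to the practice.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export: timestamp, user, event, patient id ("-" if none).
# The last line synthesizes 60 chart views by one user within one hour.
SAMPLE_LOG = """\
2024-03-04T08:05:12,jsmith,LOGIN,-
2024-03-04T08:07:40,jsmith,VIEW,P1001
2024-03-04T08:30:01,jsmith,VIEW,P1002
2024-03-04T09:10:55,rlee,LOGIN_FAILED,-
2024-03-04T09:11:02,rlee,LOGIN_FAILED,-
2024-03-04T09:11:09,rlee,LOGIN_FAILED,-
2024-03-04T09:11:15,rlee,LOGIN_FAILED,-
2024-03-04T09:11:20,rlee,LOGIN_FAILED,-
2024-03-04T09:11:25,rlee,LOGIN_FAILED,-
2024-03-04T12:15:00,tformer,LOGIN,-
2024-03-04T12:16:10,tformer,VIEW,P1003
2024-03-04T23:40:00,jsmith,VIEW,P1004
2024-03-05T10:00:00,abusy,LOGIN,-
""" + "".join(f"2024-03-05T10:{i:02d}:00,abusy,VIEW,P2{i:03d}\n" for i in range(60))

# Assumed staff roster. An account still in use after the employee left is
# exactly the gap the "terminating access" safeguard is meant to close.
ACTIVE_USERS = {"jsmith", "rlee", "abusy"}
TERMINATED_USERS = {"tformer"}

BUSINESS_HOURS = range(7, 19)       # assumed: 07:00 to 18:59
FAILED_LOGIN_THRESHOLD = 5          # failures per user per day
DISTINCT_PATIENTS_THRESHOLD = 50    # distinct charts per user per day


def parse_log(text):
    """Parse the comma-separated export into (timestamp, user, event, patient)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, patient = line.split(",")
        events.append((datetime.fromisoformat(ts), user, event, patient))
    return events


def review_log(text):
    """Return a sorted list of (category, user, detail) findings for follow-up."""
    findings = set()
    failed_logins = Counter()          # (user, day) -> failed attempts
    charts_opened = defaultdict(set)   # (user, day) -> distinct patient ids
    for ts, user, event, patient in parse_log(text):
        day = ts.date().isoformat()
        if user in TERMINATED_USERS:
            findings.add(("TERMINATED_ACCOUNT_ACTIVE", user, f"{event} at {ts.isoformat()}"))
        elif user not in ACTIVE_USERS:
            findings.add(("UNKNOWN_ACCOUNT", user, f"{event} at {ts.isoformat()}"))
        if event == "LOGIN_FAILED":
            failed_logins[(user, day)] += 1
        if event == "VIEW":
            charts_opened[(user, day)].add(patient)
            if ts.hour not in BUSINESS_HOURS:
                findings.add(("AFTER_HOURS_ACCESS", user, f"{patient} at {ts.isoformat()}"))
    for (user, day), n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.add(("FAILED_LOGIN_BURST", user, f"{n} failures on {day}"))
    for (user, day), ids in charts_opened.items():
        if len(ids) >= DISTINCT_PATIENTS_THRESHOLD:
            findings.add(("BULK_RECORD_ACCESS", user, f"{len(ids)} distinct patients on {day}"))
    return sorted(findings)


if __name__ == "__main__":
    for category, user, detail in review_log(SAMPLE_LOG):
        print(f"{category:26} {user:10} {detail}")
```

Run against the constructed sample this produces five findings: two for the terminated account, one after-hours view, one failed-login burst and one bulk-access day. The point is not the thresholds but that the review is repeatable and its output is something the Security Officer can document having acted on, which is what OCR asks for.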
Addressable administrative safeguards include:
- implementing procedures for the authorization and/or supervision of staff members who work with patient information or in locations where it might be accessed;
- implementing procedures to determine that the access of a staff member to patient information is appropriate;
- implementing procedures for terminating access to patient information when the employment of a staff member ends;
- implementing security reminders;
- implementing procedures to guard against and detect malicious software;
- implementing procedures for periodic testing and revision of contingency plans; and
- implementing procedures for creating, changing, and safeguarding passwords.
Required physical safeguards include:
- implementing policies and procedures to limit physical access to a practice’s information system to authorized individuals for specified activities;
- implementing policies and procedures for workstation use that specify the functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings (including tablets and other portable devices);
- implementing policies and procedures to ensure the physical safeguard and security of workstations; and
- implementing policies and procedures governing the receipt, security, transport, removal, re-use, and disposal of hardware and electronic media containing electronically stored protected health information.
Addressable physical safeguards include:
- establishing procedures that allow access to the physical space where data is stored in support of restoration of lost data under a disaster recovery plan and emergency mode operations plan;
- implementing policies and procedures to safeguard the physical facility and equipment from unauthorized physical access and theft;
- implementing procedures to verify a person’s authorization to access facilities and software programs for testing and revision;
- implementing policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, walls, doors, and locks); and
- creating a retrievable, exact copy of patient information before equipment is moved from where it is stored.
Required technical safeguards are:
- access controls, including unique user identification and emergency access procedure;
- audit controls (ability to monitor/track activity on the practice’s information system); and
- person or entity authentication.
Addressable technical safeguards are:
- automatic logoff (electronic procedures that terminate a session after a predetermined time of inactivity);
- implementing a mechanism to encrypt patient information, both where it is stored and when it is transmitted over a network, whenever reasonable and appropriate;
- implementing policies and procedures to prevent improper alteration of information on the system; and
- implementing a mechanism to verify that patient information has not been altered or destroyed in an unauthorized manner.
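The last two items above, together with the state requirement that the record system automatically preserve every change and deletion along with who made it and what was changed, describe a tamper-evident audit trail. The following is an added example of how one is built, not code from CDA, HHS or any practice-management vendor. Each audit entry is chained to its predecessor with an HMAC, so altering, deleting or reordering a past entry breaks verification; the record layout, field names and the in-source key are assumptions for illustration, and in production the key would come from a secrets store or hardware module.

```python
"""Tamper-evident audit trail for changes to an electronic patient record.

Added example, not code from CDA, HHS or any vendor. The record layout and
field names are assumed; the key below is a constructed placeholder.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: provisioned out of band and never stored in source or in the
# same database as the log it protects.
AUDIT_KEY = b"replace-with-a-randomly-generated-32-byte-key"


class AuditTrail:
    """Append-only log; each entry carries an HMAC over its own content and the
    previous entry's HMAC, so the chain as a whole is verifiable."""

    def __init__(self, key=AUDIT_KEY):
        self._key = key
        self.entries = []

    def _mac(self, prev_mac, payload):
        msg = prev_mac.encode() + json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record(self, user_id, patient_id, field, old, new, when=None):
        """Append one change: who, when, which patient, which field, old and new."""
        payload = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user_id,
            "patient": patient_id,
            "field": field,
            "old": old,
            "new": new,
        }
        prev = self.entries[-1]["mac"] if self.entries else "genesis"
        entry = {**payload, "prev": prev, "mac": self._mac(prev, payload)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every entry is unmodified, in order, and correctly chained."""
        prev = "genesis"
        for i, e in enumerate(self.entries):
            payload = {k: v for k, v in e.items() if k not in ("prev", "mac")}
            if e["seq"] != i or e["prev"] != prev:
                return False
            if not hmac.compare_digest(e["mac"], self._mac(prev, payload)):
                return False
            prev = e["mac"]
        return True


def record_change(trail, chart, user_id, field, new_value):
    """Apply a change to the chart and log the old value, new value and actor."""
    old = chart.get(field)
    chart[field] = new_value
    return trail.record(user_id, chart["patient_id"], field, old, new_value)


def demo():
    """Return (intact, after_edit, after_delete) verification results."""
    trail = AuditTrail()
    chart = {"patient_id": "P1001", "tooth_14": "intact"}   # constructed chart
    record_change(trail, chart, "dr_a", "tooth_14", "MOD composite")
    record_change(trail, chart, "hyg_b", "tooth_14", "MOD composite, recheck")
    record_change(trail, chart, "dr_a", "tooth_14", "MOD composite, recheck done")
    intact = trail.verify()

    original_user = trail.entries[0]["user"]
    trail.entries[0]["user"] = "someone_else"     # attempt to rewrite who did it
    after_edit = trail.verify()
    trail.entries[0]["user"] = original_user      # put it back

    del trail.entries[1]                          # attempt to erase a change
    after_delete = trail.verify()
    return intact, after_edit, after_delete


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should note. Chaining detects alteration or deletion of any entry except the most recent, so the latest MAC should be anchored somewhere the log's administrators cannot silently change, for example written with each offsite backup. And the chain only proves the log was not altered after the fact; it does not stop an authorized user from making an improper change, which is what the access controls, unique user identification and the activity review are for.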
Many of these safeguards have been built into current versions of practice management software. Dental offices should ask their practice management software vendors which safeguards their product provides and whether an upgraded, Security Rule-compliant version is available. Also, be aware that the security standards were written to be technology neutral: no specific technology is mandated, so that entities are not bound to systems or software that may become obsolete.
Risk Analysis/Risk Management
Through its enforcement actions and audits, OCR has identified missing or incomplete risk analyses as a key factor in the failure of covered entities to adequately safeguard information. A risk analysis is a required administrative safeguard. It is intended to be an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic PHI the covered entity creates, receives, maintains or transmits. A “threat” is a circumstance or event that could adversely affect electronic PHI, whether natural (fire, flood), human (a lost laptop, a phishing email, a disgruntled employee) or environmental (power failure). A “vulnerability” is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised, accidentally or intentionally, and result in a security breach or violation of security policy. “Risk” is the likelihood that a threat will exploit a vulnerability, combined with the impact if it does. Covered entities must rate each identified risk and, for high-risk items, document how the risk is being mitigated or how it will be managed.
The ADA Practical Guide to HIPAA Compliance includes a dental practice-specific risk assessment tool. Also, HHS offers a free risk assessment tool online. Links to both are listed below.
Flexibility of Approach
It bears repeating that HIPAA allows covered entities flexibility in reasonably and appropriately implementing safeguards. The regulation states:
§ 164.306 Security standards: General rules.
(a) General requirements. . . .
(b) Flexibility of approach.
(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity or business associate.
(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
(c) Standards. . . .
Resources
The ADA Practical Guide to HIPAA Compliance
HHS: Security Rule Guidance Material
HHS: Security Risk Assessment Tool
HHS: Covered Entities and Business Associates
OCR: Recognized Security Practices (video)
Health Industry Cybersecurity Practices
NIST: Computer Security Incident Handling Guide
California Center for Data Insights and Innovation
HIPAA and California Health Information Privacy and Protection Laws Q&A
Data Breach Notification Requirements Checklist
Patient Records: Requirements and Best Practices