What are HIPAA’s security requirements?
HIPAA's security regulations describe how covered entities are to safeguard and protect the confidentiality, integrity and availability of electronic protected health information (ePHI). They specify a series of administrative, technical and physical security procedures for covered entities to use. The standards are delineated into either required or addressable implementation specifications.
The security regulations require plan sponsors with access to PHI to amend their plan documents to provide that the plan sponsor will comply with the security regulations. Plan sponsors who only have access to PHI in summary health information or for enrollment and disenrollment purposes do not need to amend their plans. However, plan sponsors who access electronic PHI for other purposes must amend their plans to incorporate provisions that require the plan sponsor to:
implement reasonable and appropriate safeguards to protect electronic PHI that it creates, receives, maintains, or transmits on behalf of the group health plan;
ensure that the security measures provide for adequate separation (firewalls);
ensure that any agents, including subcontractors, to whom it provides this information agree to implement reasonable and appropriate safeguards;
report to the group health plan any security incident of which it becomes aware; and
make its policies and procedures and documentation relating to these safeguards available to the Secretary for purposes of determining the group health plan's compliance.
Security measures. The security regulations also require covered entities to: implement physical safeguards to restrict access to data at workstations; assign a unique identifier to each data user; regularly review audit logs, access reports, and security incident reports; implement procedures that terminate an electronic session after a period of inactivity; sanction workforce members for noncompliance with security policies and procedures; and implement a security awareness and training program for all employees. Because of variations in the size, complexity and capabilities of covered entities, the security rule gives them flexibility in determining how they implement the security standards.
Business associates. Business associate contracts must require the business associate to maintain security policies and procedures similar to those of the covered entity. Effective February 17, 2010, business associates will become directly subject to the security rules (and penalties) in the same manner as covered entities. Business associate contracts should be updated to reflect these changes.
Compliance date. For most organizations, the deadline to come into compliance with HIPAA's security regulation was April 21, 2005. However, certain small health plans had an additional year to comply.
A section of the American Recovery and Reinvestment Act of 2009 (ARRA) expanded requirements related to the privacy and security of PHI. The section is generally effective on February 17, 2010, but various provisions have their own effective dates.
Reprinted with permission. © CCH