HIPAA Security Rule FAQ
by Legal & Regulatory Affairs Staff
November 9, 2004 — The following questions and answers provide some basic information for psychologists about the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This rule is one of three main rules — in addition to the Privacy Rule and Transaction Rule — affecting psychologists that resulted from HIPAA.
Now is a good time to begin familiarizing yourself with the Security Rule and its requirements. Practitioners need to comply with this rule by April 20, 2005.
The Security Rule sets standards for administrative, physical, and technological safeguards — such as access to offices, computers and files — needed to keep electronic health care information confidential and secure. It is a companion to the HIPAA Privacy Rule.
While the Privacy Rule outlines to whom and under what circumstances a psychologist can intentionally disclose patient information, the Security Rule focuses on protecting information from unintended disclosures through breaches of security. This includes any reasonably anticipated threats or hazards and/or an inappropriate uses and disclosures of electronic confidential information.
The Security Rule, like the Privacy Rule, applies when a covered entity — including a psychologist — transmits information in electronic form in connection with a standard transaction (see the following question). In effect, a psychologist must comply with the Security Rule if having determined previously that he or she is required to comply with the Privacy Rule.
However, there is an important difference between the two rules. Unlike the Privacy Rule, which applies to all ‘protected health information’ (PHI), the Security Rule applies only to ‘electronic protected health information’ (EPHI).
PHI is defined as individually identifiable health information that is transmitted or maintained in all mediums — including electronic, written, and oral. EPHI is PHI that is transmitted or maintained in electronic media only.
The following electronic transactions trigger the Security Rule:
Health care claims
Health care payment and remittance advice
Coordination of benefits
Health care claim status, enrollment or disenrollment in a health plan
Eligibility for a health plan
Health plan premium payments
Referral certification and authorization
First report of injury
Health claims attachments
The Security Rule applies when a psychologist — or an entity, such as a billing service, acting on behalf of the psychologist — transmits health care information in electronic form in connection with any of the transactions listed above. Once a trigger occurs, the Security Rule then applies to all EPHI within a psychologist’s practice.
The first step in the compliance process involves the psychologist doing a “risk analysis” of his or her practice. This analysis is a thorough assessment of the practice’s potential security risks and vulnerabilities related to EPHI. The analysis entails reviewing the practice’s established security policies and procedures, and it provides the basis for making any appropriate modifications or enhancements to these procedures.
The Security Rule requires health care providers to take steps to ensure:
The confidentiality of EPHI
The integrity of EPHI, i.e., making sure the information is not changed or altered in storage or transmission
The availability of EPHI, i.e., ensuring the information is accessible to the appropriate people when needed
Yes. As with the Privacy Rule, the Security Rule embodies the concept of “scalability.” This means, for example, that a solo practitioner will not be expected to take the same steps to comply as will a large practice or a health care facility. According to the federal Centers for Medicare and Medicaid Services (CMS), a covered entity such as a health care provider can consider its size, capabilities, and costs in determining what security measures to use.
CMS is responsible for enforcing the Security Rule. The potential penalties range from administrative action to substantial fines and imprisonment, depending on the severity of the violation.