chapter ten privacy and security recordsmyresource.phoenix.edu › secure › resource › hcis255r1...

10Chapter Ten

Learning OutcomesAfter completing this chapter, you should be able to:

◆ List HIPAA transactions and uniform identifiers

◆ Understand HIPAA privacy and security concepts

◆ Apply HIPAA privacy policy in a medical facility

◆ Discuss HIPAA security requirements and safeguards

◆ Follow security policy guidelines in a medical facility

◆ Explain electronic signatures

Privacy andSecurity

of HealthRecords

Understanding HIPAA

In Chapter 11 we will discuss various ways the Internet is being used for health-care, including various implementations of EHR on the Internet, Internet-basedpersonal health records (PHR), and remote access. In Chapter 12 we will explorethe relationship of the EHR data to the determination of codes required formedical billing. Before moving to those topics it is prudent to understandHIPAA. HIPAA is an acronym for the Health Insurance Portability andAccountability Act, passed by Congress in 1996.

The HIPAA law was intended to:

◆ Improve portability and continuity of health insurance coverage.

◆ Combat waste, fraud, and abuse in health insurance and healthcare delivery.

◆ Promote use of medical savings accounts

◆ Improve access to long-term care

◆ Simplify administration of health insurance

ISB

N1-

256-

9738

8-2

Electronic Health Records: Understanding and Using Computerized Medical Records, Second Edition, by Richard Gartee. Published by Prentice Hall. Copyright © 2012 by Pearson Education, Inc.

376 Chapter 10 | Privacy and Security of Health Records

HIPAA law regulates many things. However, a portion known as the Adminis-trative Simplification Subsection1 of HIPAA covers entities such as healthplans, clearinghouses, and healthcare providers. HIPAA refers to these ascovered entities or a covered entity. This means a healthcare facility or healthplan and all of its employees. If you work in the healthcare field, these regula-tions likely govern your job and behavior. Therefore, it is not uncommon forhealthcare workers to use the acronym HIPAA when they actually mean onlythe Administrative Simplification Subsection of HIPAA.

As someone who will work with patients’ health records, it is especially importantfor you to understand the regulations regarding privacy and security. However,let us begin with a quick review of HIPAA, then study the privacy and securityportions in more depth.

HIPAA implementation and enforcement is under the jurisdiction of severalentities within the U.S. Department of Health and Human Services (HHS). Thischapter will make extensive use of documents prepared by HHS.

Administrative Simplification SubsectionThe Administrative Simplification Subsection has four distinct components:

1. Transactions and code sets

2. Uniform identifiers

3. Privacy

4. Security

HIPAA Transactions and Code Sets

The first section of the regulations to be implemented governed the electronictransfer of medical information for business purposes such as insuranceclaims, payments, and eligibility. When information is exchanged electronically,both sides of the transaction must agree to use the same format in order tomake the information intelligible to the receiving system. Before HIPAA, trans-actions for nearly every insurance plan used a format that contained variationsthat made it different from another plan’s format. This meant that plans couldnot easily exchange or forward claims to secondary payers and that mostproviders could only send to a few plans electronically.

Eight HIPAA TransactionsHIPAA standardized these formats by requiring specific transaction standardsfor eight types of EDI or Electronic Data Interchange. Two additional EDItransactions are not yet finalized. The HIPAA transactions are:

1. Claims or Equivalent Encounters and Coordination of Benefits (COB)

2. Remittance and Payment Advice

3. Claims Status

4. Eligibility and Benefit Inquiry and Response

1Health Insurance Portability and Accountability Act, Title 2, subsection f.

Note

Covered Entity

HIPAA documentsrefer to healthcareproviders, plans,and clearing-houses as coveredentities. In thecontext of thischapter, think of acovered entity as ahealthcare organi-zation and all ofits employees.

ISB

N1-256-97388-2


Chapter 10 | Privacy and Security of Health Records 377

5. Referral Certification and Authorization

6. Premium Payments

7. Enrollment and De-enrollment in a Health Plan

8. Retail Drug Claims, Coordination of Drug Benefits and Eligibility Inquiry

9. Health Claims Attachments (Not Final)

10. First Report of Injury (Not Final)

Standard Code SetsIn an EDI transaction, certain portions of the information are sent as codes.For the receiving entity to understand the content of the transaction, both thesender and the receiver must use the same codes. In most cases, these are notthe nomenclature codes discussed in Chapter 2, but rather standardized codesused to effectively communicate demographic and billing information.

For example, in an insurance claim, charges for patient visits are sent as pro-cedure codes instead of their long descriptions. The medical reasons for theprocedure are sent in the claim as diagnosis codes. HIPAA requires the use ofstandard sets of codes. Two of those standards are:

◆ Diagnoses (ICD-9-CM) codes

◆ Procedure (CPT-4 and HCPCS) codes

You have already been introduced to the ICD-9-CM codes. CPT-4 and HCPCScodes will be discussed in Chapter 12.

There are additional codes sets for demographic and payment information.Under HIPAA, any coded information within a transaction is also subject tostandards. Just a few examples of the hundreds of other codes include codesfor sex, race, type of provider, and relation of the policyholder to the patient.

HIPAA Uniform Identifiers

You can see the importance of both the sending and receiving system usingthe same formats and code sets to report exactly what was done for the patient.Similarly, it is necessary for multiple systems to identify the doctors, nurses,and healthcare businesses sending the claim or receiving the payment. IDnumbers are used in a computer processing instead of names because, forexample, there could be many providers named John Smith.

However, before HIPAA, all providers had multiple ID numbers assigned to themfor use on insurance claims, prescriptions, and so on. A provider typically receiveda different ID from each plan and sometimes multiple numbers from the sameplan. This created a problem for the billing office to get the right ID on the rightclaim and made electronic coordination of benefits all but impossible.

HIPAA established uniform identifier standards to be used on all claims andother data transmissions. These include:

◆ National Provider Identifier This type of identifier is assigned to doctors,nurses, and other healthcare providers.

ISB

N1-

256-

9738

8-2



◆ Employer Identifier This identifier is used to identify employer-sponsoredhealth insurance. It is the same as the federal Employer Identification Number(EIN) employers are assigned for their taxes by the Internal Revenue Service.

◆ National Health Plan Identifier This identifier has not yet been imple-mented, but when it is it will be a unique identification number assigned toeach insurance plan and to the organizations that administer insuranceplans, such as payers and third-party administrators.

HIPAA Privacy Rule

The HIPAA privacy standards are designed to protect a patient’s identifiablehealth information from unauthorized disclosure or use in any form, whilepermitting the practice to deliver the best healthcare possible. When the HIPAAlegislation was passed, “Congress recognized that advances in electronic tech-nology could erode the privacy of health information. Consequently, Congressincorporated into HIPAA provisions that mandated the adoption of Federalprivacy protections for individually identifiable health information.”2

2Guidance on HIPAA Standards for Privacy of Individually Identifiable Health Information(Washington, DC: U.S. Department of Health and Human Services Office for Civil Rights, December3, 2002, and revised April 3, 2003).3Ibid.

Note PHI

HIPAA privacy rules frequently refer to PHI or Protected Health Information.PHI is the patient’s personally identifiable health information.

Healthcare providers have a strong tradition of safeguarding private healthinformation and have established privacy practices already in effect for theiroffices. For instance:

◆ ”By speaking quietly when discussing a patient’s condition with family mem-bers in a waiting room or other public area;

◆ By avoiding using patients’ names in public hallways and elevators, and post-ing signs to remind employees to protect patient confidentiality;

◆ By isolating or locking file cabinets or records rooms; or

◆ By providing additional security, such as passwords, on computers maintain-ing personal information.

However, The Privacy Rule establishes, for the first time, a foundation of federalprotections for the privacy of protected health information. The Rule does notreplace federal, state, or other law that grants individuals even greater privacyprotections, and covered entities are free to retain or adopt more protectivepolicies or practices.”3

To comply with the law, privacy activities in the average medical facility mightinclude:

◆ Providing a copy of the office privacy policy informing patients about theirprivacy rights and how their information can be used.

ISB

N1-256-97388-2



◆ Asking the patient to acknowledge receiving a copy of the policy or signing aconsent form.

◆ Obtaining signed authorization forms and in some cases tracking the disclo-sures of patient health information when it is to be given to a person or orga-nization outside the practice for purposes other than treatment, billing, orpayment purposes.

◆ Adopting clear privacy procedures for its practice.

◆ Training employees so that they understand the privacy procedures.

◆ Designating an individual to be responsible for seeing that the privacy proce-dures are adopted and followed.

◆ Securing patient records containing individually identifiable health informa-tion so that they are not readily available to those who do not need them.

Let us examine each of these points.

Privacy Policy“The HIPAA Privacy Rule gives individuals a fundamental new right to be informedof the privacy practices of their health plans and of most of their healthcareproviders, as well as to be informed of their privacy rights with respect to theirpersonal health information. Health plans and covered healthcare providers arerequired to develop and distribute a notice that provides a clear explanation ofthese rights and practices. The notice is intended to focus individuals on privacyissues and concerns, and to prompt them to have discussions with their healthplans and healthcare providers and exercise their rights.

“Covered entities are required to provide a notice in plain language that describes:

◆ How the covered entity may use and disclose protected health informationabout an individual.

◆ The individual’s rights with respect to the information and how the individualmay exercise these rights, including how the individual may complain to thecovered entity.

◆ The covered entity’s legal duties with respect to the information, including astatement that the covered entity is required by law to maintain the privacyof protected health information.

◆ Whom individuals can contact for further information about the coveredentity’s privacy policies.”4

The privacy policy must meet the requirements of HIPAA law and the use or dis-closure of PHI must be consistent with the privacy notice provided to the patient.

ConsentThe term consent has multiple meanings in a medical setting. Informed consentrefers to the patient’s agreement to receive medical treatment having been pro-vided sufficient information to make an informed decision. Consent for medicalprocedures must still be obtained by the practice.

4Ibid.

ISB

N1-

256-

9738

8-2



Under the Privacy Rule the term consent is only concerned with use of thepatient’s information, and should not be confused with consent for the treatmentitself. The Privacy Rule originally required providers to obtain patient “consent”to use and disclose PHI except in emergencies. The rule was almost immediatelyrevised to make it easier to use PHI for the purposes of treatment, payment, oroperation of the healthcare practice.

Under the revised Privacy Rule, the patient gives consent to the use of their PHIfor the purposes of treatment, payment, and operation of the healthcare practice.The patient does this by signing a consent form or signing an acknowledgmentthat he or she has received a copy of the office’s privacy policy. Figure 10-1shows a patient receiving a copy of the medical facility’s privacy policy. Thepatient signs a form acknowledging receipt of the privacy policy.

Although most healthcare providers who see patients obtain HIPAA “consent”as part of the routine demographic and insurance forms that patients sign, therule permits some uses of PHI without the individual’s authorization:

◆ A healthcare entity may use or disclose PHI for its own treatment, payment,and healthcare operations activities. For example, a hospital may use PHI toprovide healthcare to the individual and may consult with other healthcareproviders about the individual’s treatment.

◆ A healthcare provider may disclose PHI about an individual as part of a claimfor payment to a health plan.

◆ A healthcare provider may disclose PHI related to the treatment or paymentactivities of any healthcare provider (including providers not covered by thePrivacy Rule). Consider these examples:

A doctor may send a copy of an individual’s medical record to a specialist who needsthe information to treat the individual.

A hospital may send a patient’s healthcare instructions to a nursing home to whichthe patient is transferred.

A physician may send an individual’s health plan coverage information to a labora-tory that needs the information to bill for tests ordered by the physician.

� Figure 10-1 The patientacknowledges receipt ofthe medical facility’sprivacy policy.

ISB

N1-256-97388-2



A hospital emergency department may give a patient’s payment information to anambulance service that transported the patient to the hospital in order for theambulance provider to bill for its treatment.

◆ A health plan may use protected health information to provide customerservice to its enrollees.

Others within the office can use PHI also. For example, doctors and nursescan share the patient’s chart to discuss what the best course of care might be.The doctor’s administrative staff can access patient information to performbilling, transmit claims electronically, post payments, file the charts, type upthe doctor’s progress notes, and print and send out patient statements.

The office administrators can also use PHI for operation of the medical practice—for example, to determine how many staff they will need on a certain day, whetherthey should invest in a particular piece of equipment, what types of patients theyare seeing the most of, where most of their patients live, and any other usesthat will help make the office operate more efficiently.

The HHS Guidance document states: “A covered entity may voluntarily choose,but is not required, to obtain the individual’s consent for it to use and discloseinformation about him or her for treatment, payment, and healthcare operations.A covered entity that chooses to have a consent process has complete discretionunder the Privacy Rule to design a process that works best for its business andconsumers.”5

Modifying HIPAA Consent“Individuals have the right to request restrictions on how a covered entity will useand disclose protected health information about them for treatment, payment,and healthcare operations. A covered entity is not required to agree to an individ-ual’s request for a restriction, but is bound by any restrictions to which it agrees.

“Individuals also may request to receive confidential communications from thecovered entity, either at alternative locations or by alternative means. For exam-ple, an individual may request that her healthcare provider call her at her office,rather than her home. A healthcare provider must accommodate an individ-ual’s reasonable request for such confidential communications.”6

Authorization“A consent document is not a valid permission to use or disclose protectedhealth information for a purpose that requires an authorization under thePrivacy Rule.”7

Authorization differs from consent in that it does require the patient’s permis-sion to disclose PHI.

Some instances that would require an authorization include sending the resultsof an employment physical to an employer and sending immunization recordsor the results of an athletic physical to the school.

5Ibid.6Ibid.7Ibid.

ISB

N1-

256-

9738

8-2



� Figure 10-2 Sample authorization form with elements required by HIPAA.

ISB

N1-256-97388-2



The appearance of an authorization form is up to the practice, but the PrivacyRule requires that it contain specific information. Specific elements required byHIPAA are highlighted in yellow on the sample form shown in Figure 10-2. Therequired elements are:

◆ Date signed

◆ Expiration date

◆ To whom the information may be disclosed

◆ What is permitted to be disclosed

◆ For what purpose the information may be used

Unlike the Privacy Rule concept of consent, authorizations are not global. A newauthorization is signed each time there is a different purpose or need for thepatient’s information to be disclosed.

Research Authorizations are usually required for researchers to use PHI. Theonly difference in a research authorization form is that it is not required to havean expiration date. The authorization may be combined with consent to partici-pate in a clinical trial study for example.

Research Exceptions To protect the patient’s information while at the sametime ensuring that researchers continue to have access to medical informationnecessary to conduct vital research, the Privacy Rule does allow some excep-tions that permit researchers to access PHI without individual authorizations.Typically, these are cases where the patients are deceased; where the researcheris using PHI only to prepare a research protocol; or where a waiver has beenissued by an internal review board, specifying that none of the information willbe removed or used for any other purpose.

Marketing The Privacy Rule specifically defines marketing and requires indi-vidual authorization for all uses or disclosures of PHI for marketing purposeswith limited exceptions. These exceptions are generally when information fromthe provider is sent to all patients in the practice about improvements or addi-tions to the practice; or when the information is sent to the patient about theirown treatments. For example, a reminder about an annual checkup is notmarketing.

Government AgenciesOne area that permits the disclosure of PHI without a patient’s authorization orconsent is when it is requested by an authorized government agency. Generally,such requests are for legal (law enforcement, subpoena, court orders, and soon) or public health purposes. A request by the FDA for information on patientswho are having adverse reactions to a particular drug might be an example.Another example might be an audit of medical records by CMS to determine ifsufficient documentation exists to justify Medicare claims.

The Privacy Rule also permits the disclosure of PHI, without authorization, topublic health authorities for the purpose of preventing or controlling disease orinjury as well as maintaining records of births and deaths. This would include,for example, the reporting of a contagious disease to the CDC or an adversereaction to a regulated drug or product to the FDA.

ISB

N1-

256-

9738

8-2



Similarly, providers are also permitted to disclose PHI concerning on-the-jobinjuries to workers’ compensation insurers, state administrators, and otherentities to the extent required by state workers’ compensation laws.

To ensure that covered entities protect patients’ privacy as required, thePrivacy Rule requires that health plans, hospitals, and other covered entitiescooperate with efforts by the HHS Office for Civil Rights (OCR) to investigatecomplaints or otherwise ensure compliance.

Minimum NecessaryThe Privacy Rule minimum necessary standard is intended to limit unnecessaryor inappropriate access to and disclosure of PHI beyond what is necessary. Forexample, if an insurance plan requests the value of a patient’s hematocrit testto justify a claim for administering a drug, then the minimum necessary disclo-sure would be to send only the hematocrit result, not the patient’s entire panelof tests.

8Ibid.

“The Privacy Rule generally requires covered entities to take reasonable steps tolimit the use or disclosure of, and requests for, protected health information tothe minimum necessary to accomplish the intended purpose. The minimumnecessary standard does not apply to the following:

◆ Disclosures to or requests by a healthcare provider for treatment purposes.

◆ Disclosures to the individual who is the subject of the information.

◆ Uses or disclosures made pursuant to an individual’s authorization.

◆ Uses or disclosures required for compliance with the Health InsurancePortability and Accountability Act (HIPAA) Administrative Simplification Rules.

◆ Disclosures to the Department of Health and Human Services (HHS) whendisclosure of information is required under the Privacy Rule for enforcementpurposes.

◆ Uses or disclosures that are required by other law.

The implementation specifications for this provision require a covered entity todevelop and implement policies and procedures appropriate for its own organi-zation, reflecting the entity’s business practices and workforce.”8

Incidental Disclosures“Many customary healthcare communications and practices play an importantor even essential role in ensuring that individuals receive prompt and effectivehealthcare. Due to the nature of these communications, as well as the various

No Restrictions on PHI for Treatment of the Patient

The minimum necessary standard does not apply to disclosures to or requests by ahealthcare provider for PHI used for treatment purposes.

ISB

N1-256-97388-2



environments in which individuals receive healthcare, the potential exists foran individual’s health information to be disclosed incidentally.

For example, a hospital visitor may overhear a provider’s confidential conversa-tion with another provider or a patient, or may glimpse a patient’s informationon a sign-in sheet or nursing station whiteboard.

The HIPAA Privacy Rule is not intended to impede customary and essential com-munications and practices and, thus, does not require that all risk of incidentaluse or disclosure be eliminated to satisfy its standards. In fact the Privacy Rulepermits certain incidental uses and disclosures of protected health informationto occur where there is in place reasonable safeguards and minimum neces-sary policies and procedures that normally protect an individual’s privacy”9

Incidental disclosure is one of the exceptions to the Breach NotificationRequirements discussed later in the chapter.

Critical Thinking Exercise 60: What Is Required?You are employed at a medical facility. One of your patients is being treated asa result of an accident. The doctor asks you to take the patient’s x-rays to acolleague for an opinion on the best treatment.

1. What HIPAA form does the patient need to sign to permit you to do this?

The same patient is suing the company responsible for the accident. Hisattorney has asked for copies of the x-rays to prepare his case.

2. What HIPAA form does the patient need to sign to permit you to do this?

A Patient’s Right to Know about DisclosuresWhether the practice has disclosed PHI based on a signed authorization or tocomply with a government agency, the patient is entitled to know about it.Therefore, in most cases the medical facility must track the disclosure.

The Privacy Rule gives individuals the right to receive a report of all disclosuresmade for purposes other than treatment, payment, or operation of the health-care facility. The report must include the date of the disclosure, to whom theinformation was provided, a description of the information, and the stated pur-pose for the disclosure. The patient can request the report at any time and thepractice must keep the records for at least six years.

Furthermore, Breach Notification Requirements, discussed later in the chapter,require the patient to be notified in writing when a breach of his or her PHI hasoccurred.

Patient Access to Medical RecordsIn addition to protecting privacy, the law generally allows patients to be able tosee and obtain copies of their medical records and request corrections if theyidentify errors and mistakes. Health plans, doctors, hospitals, clinics, nursinghomes, and other covered entities generally must provide access to these

9Ibid.

ISB

N1-

256-

9738

8-2



records within 30 days of a patient request, but may charge patients for thecost of copying and sending the records.

Personal Representatives“There may be times when individuals are legally or otherwise incapable ofexercising their rights, or simply choose to designate another to act on theirbehalf with respect to these rights. Under the Rule, a person authorized toact on behalf of the individual in making healthcare related decisions is theindividual’s personal representative.

“The Privacy Rule requires covered entities to treat an individual’s personal repre-sentative as the individual with respect to uses and disclosure of the individual’sprotected health information, as well as the individual’s rights under the Rule.

“The personal representative stands in the shoes of the individual and has theability to act for the individual and exercise the individual’s rights. . . . In additionto exercising the individual’s rights under the Rule, a personal representative mayalso authorize disclosures of the individual’s protected health information.”10

In general, the personal representative’s authority over privacy matters paral-lels his or her authority to act on other healthcare decisions.

◆ Where the personal representative has broad authority in making healthcaredecisions, the personal representative is treated as the individual for allpurposes under the Privacy Rule.

◆ Examples include a parent with respect to a minor child or a legal guardianof a mentally incompetent adult.

◆ Where the representative’s authority is limited to particular healthcaredecisions, his or her authority concerning PHI is limited to the same area.

◆ For example, a person with limited healthcare power of attorney about artifi-cial life support could not sign an authorization for the disclosure of protectedhealth information for marketing purposes.

10Ibid.

If theIndividual Is:

The PersonalRepresentative Is:

Examples:

An Adult or anEmancipated

Minor

A person with legal authorityto make health care decisions

on behalf of the individual

Health care power of attorneyCourt appointed legal guardian

General power of attorney

A Minor(not emancipated)

A parent, guardian, or otherperson acting in loco parentiswith legal authority to make

health care decisions on behalfof the minor child

Parent, guardian, or other person(with exceptions in state law)

Deceased

A person with legal authorityto act on behalf of the decedentor the estate (not restricted to

health care decisions)

Executor of the estateNext of kin or other family member

Durable power of attorney

� Figure 10-3 Persons automatically recognized as personal representatives for patients.

ISB

N1-256-97388-2



◆ When the patient is deceased, a person who has authority to act on the behalfof the deceased or the deceased’s estate is the personal representative for allpurposes under the Privacy Rule.

Figure 10-3 provides a chart of who must be recognized as the personal repre-sentative for a category of individuals.

Minor ChildrenIn most cases, the parent, guardian, or other person acting as parent is thepersonal representative and acts on behalf of the minor child with respect toPHI. Even if a parent is not the child’s personal representative, the Privacy Rulepermits a parent access to a minor child’s PHI when and to the extent it ispermitted or required by state or other laws.

Conversely, regardless of the parent’s status as personal representative, thePrivacy Rule prohibits providing access to or disclosing the child’s PHI to the par-ent, when and to the extent it is expressly prohibited under state or other laws.

However, the Privacy Rule specifies three circumstances in which the parent isnot the personal representative with respect to certain health informationabout the minor child. “The three exceptional circumstances when a parent isnot the minor’s personal representative are:

◆ When State or other law does not require the consent of a parent or otherperson before a minor can obtain a particular healthcare service, and theminor consents to the healthcare service;

Example: A State law provides an adolescent the right to obtain mental healthtreatment without the consent of his or her parent, and the adolescent consentsto such treatment without the parent’s consent.

◆ When a court determines or other law authorizes someone other than theparent to make treatment decisions for a minor;

Example: A court may grant authority to make healthcare decisions for theminor to an adult other than the parent, to the minor, or the court may makethe decision(s) itself.

◆ When a parent agrees to a confidential relationship between the minor andthe physician.

Example: A physician asks the parent of a 16-year-old if the physician can talkwith the child confidentially about a medical condition and the parent agrees.

If state or other laws are silent or unclear about parental access to the minor’sPHI, the Privacy Rule grants healthcare professionals the discretion to allow ordeny a parent access to a minor’s PHI based on their professional judgment.”11

Critical Thinking Exercise 61: Comparison of Privacy PolicyThe purpose of this exercise is let you compare what you have learned in thischapter to an example from the real world. Visit a medical office or otherhealthcare facility and ask for a copy of their HIPAA Privacy Policy. Someproviders have their privacy policy on their web site as well. You may print acopy of that as an acceptable alternative for the purpose of this exercise.

11Ibid.

ISB

N1-

256-

9738

8-2



Figure 10-4 provides a summary of patient rights under the Privacy Rule. It ispublished by HHS Office of Civil Rights, which enforces the HIPAA PrivacyRule.

Compare the contents of the privacy policy you obtained with the points in thesample CMS brochure shown in Figure 10-4. Write a brief paper comparing thepoints of the government document with the copy of the privacy policy youobtained. Give your instructor a copy of the privacy policy you obtained alongwith your paper.

� Figure 10-4 PatientPrivacy Summarypublished by the U.S. Department ofHealth and HumanServices Office forCivil Rights.

ISB

N1-256-97388-2



Business Associates“The HIPAA Privacy Rule applies only to covered entities—healthcare providers,plans, and clearinghouses. However, most healthcare providers and healthplans do not carry out all of their healthcare activities and functions by them-selves. Instead, they often use the services of a variety of other persons or busi-nesses. The Privacy Rule allows covered providers and health plans to discloseprotected health information to these business associates if the providers orplans obtain written satisfactory assurances that the business associate will use

� Figure 10-4(Continued)

ISB

N1-

256-

9738

8-2



the information only for the purposes for which it was engaged by the coveredentity, will safeguard the information from misuse, and will help the coveredentity comply with some of the covered entity’s duties under the Privacy Rule.

“The covered entity’s contract or other written arrangement with its businessassociate must contain the elements specified in the privacy rule. For example,the contract must:

◆ Describe the permitted and required uses of protected health information bythe business associate;

◆ Provide that the business associate will not use or further disclose the pro-tected health information other than as permitted or required by the contractor as required by law; and

◆ Require the business associate to use appropriate safeguards to prevent ause or disclosure of the protected health information other than as providedfor by the contract.”12

It will generally fall to the privacy officer (or in larger healthcare organizations,the legal department) to ensure that business associate agreements are on filefor clearinghouses, transcription services, and other businesses with whomyour employer will exchange PHI.

Civil and Criminal Penalties“Congress provided civil and criminal penalties for covered entities that misusepersonal health information. For civil violations of the standards, OCR may im-pose monetary penalties up to $100 per violation, up to $25,000 per year, foreach requirement or prohibition violated. Criminal penalties apply for certainactions such as knowingly obtaining protected health information in violationof the law. Criminal penalties can range up to $50,000 and one year in prisonfor certain offenses; up to $100,000 and up to five years in prison if the of-fenses are committed under ‘false pretenses’; and up to $250,000 and up to 10years in prison if the offenses are committed with the intent to sell, transfer oruse protected health information for commercial advantage, personal gain ormalicious harm.”13

The Health Information Technology and Economic Clinical Health (HITECH)Act, introduced in Chapter 1, also addressed privacy and security concernsassociated with the electronic transmission of health information, in partthrough several provisions that strengthen the civil and criminal enforcementof the HIPAA rules. Subtitle D of the HITECH Act strengthens the civil andcriminal enforcement of the HIPAA rules by establishing:

◆ Four categories of violations that reflect increasing levels of culpability

◆ Four corresponding tiers of penalty amounts that significantly increase theminimum penalty amount for each violation

◆ A maximum penalty amount of $1.5 million for all violations of an identicalprovision

12Ibid.13Fact Sheet: Protecting the Privacy of Patients’ Health Information (Washington, DC: U.S.Department of Health and Human Services Press Office, April 14, 2003).

Note

HIPAA Duties ofOCR versus CMS

OCR within HHSoversees and en-forces the PrivacyRule, whereas CMSoversees and enforces all otherAdministrativeSimplification requirements,including theSecurity Rule.

ISB

N1-256-97388-2



Real-Life StoryThe First HIPAA Privacy Case

The first legal case under the privacy rule concerned thetheft of patient demographic information (name, address,date of birth, Social Security number) by an employee in a

medical office.

The former employee of a cancer care facility pled guilty infederal court in Seattle, Washington, to wrongful disclosure of individually identifiable health information for economicgain. This is the first criminal conviction in the United Statesunder the health information privacy provisions of the HealthInsurance Portability and Accountability Act (HIPAA), whichbecame effective in April 2003. Those provisions made it illegal to wrongfully disclose personally identifiable health information.

The former employee admitted that he obtained a cancer patient’s name, date of birth, and Social Security number whileemployed at the medical facility, and that he disclosed that information to get four credit cards in the patient’s name. Healso admitted that he used several of those cards to rack up morethan $9,000 in debt in the patient’s name. He used the cards topurchase various items, including video games, home improve-ment supplies, apparel, jewelry, porcelain figurines, groceries,and gasoline for his personal use. He was fired shortly after theidentity theft was discovered.

“Too many Americans have experienced identity theft and the nightmare of dealing with bills they never incurred. To be

a vulnerable cancer patient, fighting for your life, and having tocope with identity theft is just unconscionable,” stated UnitedStates Attorney John McKay. “This case should serve as a reminder that misuse of patient information may result in criminalprosecution.”

The case was investigated by the Federal Bureau of Investigation(FBI) and prosecuted by the United States Attorney’s Office. Theman was sentenced to a term of 10 to 16 months. He also hasagreed to pay restitution to the credit card companies, and tothe patient for expenses he incurred as a result of the misuse ofhis identity.

Although identity theft is serious, the consequences are muchgreater in a medical setting than if the same information hadbeen stolen from an ordinary business. Why? Because even thepatient’s name and date of birth are part of the PHI. Additionally,the disclosure of medical information for financial gain couldhave resulted in a sentence of 10 years for each violation. Thecase serves as a reminder for everyone in the healthcare field ofthe personal responsibility for protecting PHI.

Although the patient privacy rule under HIPAA does not restrictthe internal use of health information by the staff for treatment,payment, and office operations, you should make every effortto protect your patients’ privacy and always follow the privacypolicy of the practice.

From the United States Attorney’s Office, Western District of Washington14

14Press release, United States Attorney’s Office, Western District of Washington, August 19, 2004.

HIPAA Security Rule

To fully comply with the Privacy Rule, it is necessary to understand and imple-ment the requirements of the Security Rule. There are clearly areas in whichthe two rules supplement each other because both the HIPAA Privacy andSecurity rules are designed to protect identifiable health information. However,the Privacy Rule covers PHI in all forms of communications, whereas theSecurity Rule covers only electronic information. Because of this difference,security discussions are assumed to be about the protection of electronic

ISB

N1-

256-

9738

8-2



health records, but the Security Rule actually covers all PHI that is stored elec-tronically. This is called EPHI.

Note PHI—EPHI

The Security Rule applies only to EPHI, whereas the Privacy Rule applies to PHI,which may be in electronic, oral, and paper form.

In this section, you will learn about the Security Rule. As with the previoussection, much of the information provided is drawn directly from HHS documents.HHS regulates and enforces HIPAA using two different divisions for enforce-ment. OCR or Office of Civil Rights enforces the Privacy Rule whereas CMSenforces the Security Rule. As an employee of a covered entity, it is importantthat you participate in the security training and follow the security policy andprocedures of your healthcare organization.

Why a Security Rule?Before HIPAA, no generally accepted set of security standards or general require-ments for protecting health information existed in the healthcare industry. Atthe same time, new technologies were evolving, and the healthcare industrybegan to move away from paper processes and rely more heavily on the use ofcomputers to pay claims, answer eligibility questions, provide health informa-tion, and conduct a host of other administrative and clinically based functions.

In order to provide more efficient access to critical health information, coveredentities are using web-based applications and other “portals” that give physi-cians, nurses, medical staff as well as administrative employees more access toelectronic health information. Although this means that the medical workforcecan be more mobile and efficient (i.e., physicians can check patient recordsand test results from wherever they are), the rise in the adoption rate of thesetechnologies creates an increase in potential security risks. As the countrymoves towards its goal of a National Health Information Infrastructure (NHII),and greater use of electronic health records, protecting the confidentiality,integrity, and availability of EPHI becomes even more critical.

The security standards in HIPAA were developed for two primary purposes.

◆ First, and foremost, the implementation of appropriate security safeguardsprotects certain electronic healthcare information that may be at risk.

◆ Second, protecting an individual’s health information, although permittingthe appropriate access and use of that information, ultimately promotes theuse of electronic health information in the industry.

The Privacy Rule and Security Rule ComparedThe Privacy Rule sets the standards for, among other things, who may haveaccess to PHI, while the Security Rule sets the standards for ensuring that onlythose who should have access to EPHI will actually have access. The primarydistinctions between the two rules follow:

◆ Electronic versus oral and paper: The Privacy Rule applies to all forms ofpatients’ protected health information, whether electronic, written, or oral. Incontrast, the Security Rule covers only protected health information that is in

ISB

N1-256-97388-2



electronic form. This includes EPHI that is created, received, maintained, ortransmitted.

◆ “Safeguard” requirement in Privacy Rule: While the Privacy Rule containsprovisions that currently require covered entities to adopt certain safeguardsfor PHI, the Security Rule provides for far more comprehensive security require-ments and includes a level of detail not provided in the Privacy Rule section.

Security Standards

The security standards are divided into the categories of administrative, physi-cal, and technical safeguards. Each category of the safeguards is comprised ofa number of standards, which generally contain a number of implementationspecifications.

◆ Administrative safeguards: In general, these are the administrative functionsthat should be implemented to meet the security standards. These includeassignment or delegation of security responsibility to an individual and secu-rity training requirements.

◆ Physical safeguards: In general, these are the mechanisms required toprotect electronic systems, equipment and the data they hold, from threats,environmental hazards and unauthorized intrusion. They include restrictingaccess to EPHI and retaining off-site computer backups.

◆ Technical safeguards: In general, these are primarily the automatedprocesses used to protect data and control access to data. They include usingauthentication controls to verify that the person signing onto a computer isauthorized to access that EPHI, or encrypting and decrypting data as it isbeing stored and/or transmitted.

In addition to the safeguards (listed above), the Security Rule also containsseveral standards and implementation specifications that address organiza-tional requirements, as well as policies and procedures and documentationrequirements.15

Implementation SpecificationsAn implementation specification is an additional detailed instruction for imple-menting a particular standard. Implementation requirements and featureswithin the categories were listed in the Security Rule by alphabetical order toconvey that no one item was considered to be more important than another.

Implementation specifications in the Security Rule are either “Required” or“Addressable.” Addressable does not mean optional.

To help you understand the organization of safeguards, security standards,and implementation specifications, a matrix of the HIPAA Security Rule isprovided in Figure 10-5. The matrix is a part of the official rule and publishedas an appendix to the rule.16 You may wish to refer to Figure 10-5 as we discusseach of the following sections.

15Adapted from Security 101 for Covered Entities, HIPAA Security Series (Baltimore, MD: Centersfor Medicare and Medicaid Services, November 2004 and revised March 2007).16Figure adapted from Appendix A to Subpart C of Part 164, Health Insurance Reform: SecurityStandards; Final Rule.

ISB

N1-

256-

9738

8-2



Security Standards MatrixAdministrative SafeguardsStandards Section of Rule Implementation

SpecificationsRequired orAddressable

Risk Analysis Required

Risk Management Required

Sanction Policy Required

Security ManagementProcess

§ 164.308Addressable(1)

Information SystemActivity Review

Required

Assigned SecurityResponsibility

§ 164.308Addressable(2) Required

Authorization and/orSupervision

Addressable

Workforce ClearanceProcedure

Addressable

Workforce Security § 164.308Addressable(3)

Termination Procedures Addressable

Isolating Health CareClearinghouse Function

Required

Access Authorization Addressable

Information AccessManagement


Access Establishmentand Modification

Addressable

Security Reminders Addressable

Protection fromMalicious Software

Addressable

Log-In Monitoring Addressable

Security Awareness andTraining


Password Management Addressable

Security Incident Procedures § 164.308Addressable(6) Response and Reporting Required

Data Backup Plan Required

Disaster Recovery Plan Required

Emergency ModeOperation Plan

Required

Testing and RevisionProcedure

Addressable

Contingency Plan § 164.308Addressable(7)

Applications and DataCriticality Analysis

Addressable

Evaluation § 164.308Addressable(8) Required

Business AssociateContracts and OtherArrangement

§ 164.308(b)(1) Written Contract orOther Arrangement

Required

� Figure 10-5 HIPAA Security Standards Matrix.

Administrative Safeguards17

The name Security Rule sounds like it might be very technical, but the largestcategory of the rule is Administrative Safeguards. The AdministrativeSafeguards comprise over half of the HIPAA security requirements.

Administrative Safeguards are the policies, procedures, and actions to managethe implementation and maintenance of security measures to protect EPHI.The Administrative Standards are as follows:

17Adapted from Security Standards: Administrative Safeguards, HIPAA Security Series #2(Baltimore, MD: Centers for Medicare and Medicaid Services, May 2005 and revised March 2007).

ISB

N1-256-97388-2



Security Management ProcessThe Security Management Process is the first step. It is used to establish theadministrative processes and procedures. There are four implementation speci-fications in the Security Management Process standard.

1. Risk Analysis Identify potential security risks and determine how likelythey are to occur and how serious they would be.

2. Risk Management Make decisions about how to address security risksand vulnerabilities. The risk analysis and risk management decisions areused to develop a strategy to protect the confidentiality, integrity, andavailability of EPHI.

Physical SafeguardsStandards Section of Rule Implementation


Contingency Operations Addressable

Facility Security Plan Addressable

Access Control andValidation Procedures

Addressable

Facility Access Controls § 164.310Addressable(1))

Maintenance Records Addressable

Workstation Use § 164.310(b)Required Required

Workstation Security § 164.310(c)Required Required

Disposal Required

Media Re-use Required

Device and Media Controls § 164.310(d)(1)

Accountability Addressable

Data Backup andStorage

Addressable

Technical SafeguardsStandards Section of Rule Implementation


Unique UserIdentification

Required

Emergency AccessProcedure

Required

Automatic Logoff Addressable

Access Control § 164.312Addressable(1)

Encryption andDecryption

Addressable

Audit Controls § 164.312(b) Required

Integrity § 164.312(c)(1) Mechanism toAuthenticate ElectronicProtected HealthInformation

Addressable

Person or EntityAuthentication

§ 164.312(d) Required

Integrity Controls AddressableTransmission Security 164.312(e)(1)

Encryption Addressable

� Figure 10-5 (Continued)

ISB

N1-

256-

9738

8-2



3. Sanction Policy Define for employees what the consequences of failing tocomply with security policies and procedures are.

4. Information System Activity Review Regularly review records such asaudit logs, access reports, and security incident tracking reports. Theinformation system activity review helps to determine if any EPHI has been used or disclosed in an inappropriate manner.

Assigned Security ResponsibilitySimilar to the Privacy Rule, which requires an individual be designated as theprivacy official, the Security Rule requires one individual be designated thesecurity official. The security official and privacy official can be the same person,but do not have to be. The security official has overall responsibility for secu-rity; however, specific security responsibilities may be assigned to other indi-viduals. For example, the security official might designate the IT Director to beresponsible for network security. Figure 10-6 shows a staff meeting at whichsecurity policy is being reviewed.

Workforce SecurityWithin Workforce Security there are three addressable implementationspecifications:

1. Authorization or Supervision Authorization is the process of determiningwhether a particular user (or a computer system) has the right to carry outa certain activity, such as reading a file or running a program.

2. Workforce Clearance Procedure Ensure members of the workforce withauthorized access to EPHI receive appropriate clearances.

3. Termination Procedures Whether the employee leaves the organizationvoluntarily or involuntarily, termination procedures must be in place to

� Figure 10-6 Medicaloffice staff review securitypolicy and appoint securityofficer.

ISB

N1-256-97388-2



� Figure 10-7 Training a new employee on securitypolicy and procedures.

remove access privileges when an employee, contractor, or other individualpreviously entitled to access information no longer has these privileges.

Information Access ManagementRestricting access to only those persons and entities with a need for access is abasic tenet of security. By managing information access, the risk of inappropri-ate disclosure, alteration, or destruction of EPHI is minimized. This safeguardsupports the “minimum necessary standard” of the HIPAA Privacy Rule.

The Information Access Management standard has three implementationspecifications.

1. Access Authorization In the Workforce Security standard (see precedingsection) the healthcare organization determines who has access. Thissection requires the organization to identify who has authority to grantthat access and the process for doing so.

2. Access Establishment and Modification Once a covered entity has clearlydefined who should get access to what EPHI and under what circumstances,it must consider how access is established and modified.

3. Isolating Healthcare Clearinghouse Functions A clearinghouse is aunique HIPAA-covered entity whose function is to translate nonstandardtransactions into HIPAA standards. In the very rare case that your health-care organization also operates a clearinghouse, the rule requires the isola-tion of clearinghouse computers from other systems in the organization.

Security Awareness and TrainingSecurity awareness and training for all new and existing members of the work-force is required. Figure 10-7 illustrates training an employee. In addition, peri-odic retraining should be given whenever environmental or operational changesaffect the security of EPHI.

ISB

N1-

256-

9738

8-2



Regardless of the Administrative Safeguards a covered entity implements, thosesafeguards will not protect the EPHI if the workforce is unaware of its role inadhering to and enforcing them. Many security risks and vulnerabilities withincovered entities are internal. This is why the Security Awareness and Trainingstandard is so important.

The Security Awareness and Training standard has four implementationspecifications.

1. Security Reminders Security reminders might include notices in printedor electronic form, agenda items and specific discussion topics at monthlymeetings, focused reminders posted in affected areas, as well as formalretraining on security policies and procedures.

2. Protection from Malicious Software One important security measurethat employees need to be reminded of is that malicious software isfrequently brought into an organization through email attachmentsand programs that are downloaded from the Internet. As a result of an unauthorized infiltration, EPHI and other data can be damaged ordestroyed or, at a minimum, can require expensive and time-consumingrepairs.

3. Log-In Monitoring Security awareness and training also should addresshow users log onto systems and how they are supposed to manage theirpasswords. Typically, an inappropriate or attempted login is when someoneenters multiple combinations of user names or passwords to attempt toaccess an information system. Fortunately, many information systems canbe set to identify multiple unsuccessful attempts to log in. Other systemsmight record the attempts in a log or audit trail. Still other systems mightdisable a password after a specified number of unsuccessful log in attempts.Once capabilities are established, the workforce must be made aware ofhow to use and monitor them.

4. Password Management In addition to providing a password for access,entities must ensure that workforce members are trained on how to safe-guard the information. Train all users and establish guidelines for creatingpasswords and changing them during periodic change cycles.

Security Incident ProceduresSecurity incident procedures must address how to identify security incidentsand provide that the incident be reported to the appropriate person or persons.Examples of possible incidents include:

◆ Stolen or otherwise inappropriately obtained passwords that are used to accessEPHI

◆ Corrupted backup tapes that do not allow restoration of EPHI

◆ Virus attacks that interfere with the operations of information systems withEPHI

◆ Physical break-ins leading to the theft of media with EPHI

◆ Failure to terminate the account of a former employee that is then used by anunauthorized user to access information systems with EPHI

ISB

N1-256-97388-2



◆ Providing media with EPHI, such as a PC hard drive or laptop, to another userwho is not authorized to access the EPHI before removing the EPHI stored onthe media

There is one required implementation specification for this standard:

1. Response and Reporting Establish adequate response and reportingprocedures for these and other types of events.

Contingency PlanWhat happens if a healthcare facility experiences a power outage, a naturaldisaster, or other emergency that disrupts normal access to healthcare infor-mation? A contingency plan consists of strategies for recovering access to EPHIshould the organization experience a disruption of critical business operations.The goal is to ensure that EPHI is available when it is needed.

The Contingency Plan standard includes five implementation specifications:

1. Data Backup Plan Data backup plans are an important safeguard and arequired implementation specification. Most covered entities already havebackup procedures as part of current business practices.

2. Disaster Recovery Plan These are procedures to restore any loss of data.

3. Emergency Mode Operation Plan When operating in emergency modebecause of a technical failure or power outage, security processes to protectEPHI must be maintained.

4. Testing and Revision Procedures Periodically test and revise contingencyplans.

5. Application and Data Criticality Analysis Analyze software applicationsthat store, maintain, or transmit EPHI and determine how important eachis to patient care or business needs. A prioritized list of specific applicationsand data will help determine which applications or information systemsget restored first or that must be available at all times.

EvaluationOngoing evaluation of security measures is the best way to ensure all EPHI isadequately protected. Periodically evaluate strategy and systems to ensurethat the security requirements continue to meet the organization’s operatingenvironments.

Business Associate Contracts and Other ArrangementsThe Business Associate Contracts and Other Arrangements standard is compa-rable to the Business Associate Contract standard in the Privacy Rule, but isspecific to business associates that create, receive, maintain, or transmit EPHI.The standard has one implementation specification:

1. Written Contract or Other Arrangement Covered entities should have awritten agreement with business associates ensuring the security of EPHI.Government agencies that exchange EPHI should have a Memorandum ofUnderstanding.

ISB

N1-

256-

9738

8-2



Real-Life StoryContingency Plans Ensure Continued Ability to Deliver Care

Several years ago I had the opportunity to set up a newhospital that used all-digital health records—that is, therewere no paper patient records, charts, or orders. As I talked

to other hospitals and IT professionals about our accomplishments,one question I was frequently asked was, “What are your contingency plans in case of a power or system failure?”

Much of our plan was designed to avoid an outage in the firstplace. We had several redundancies in place to prevent that. Forexample, there are two WAN (wide-area network) connections—completely separate links going out different sides of the build-ing to our core data center. The idea is that if one of those lineswere to become disconnected for any reason, the other wouldseamlessly continue to function. In actual capacity they are balanced to make sure that can be accomplished. We also haveredundancies on the LAN (local-area network) with wireless access points. As mobile as we are, we are very dependent on wireless.

For data protection we have multiple data centers. On the hospital side we have two different data centers that are redundant. On the ambulatory side there are three. In additionto these data centers, we also back up all the data in real timeto another off-site location in Madison, which is a couple ofhours away.

Should we lose connectivity because both links are down, wehave a satellite antenna on the roof that can access the backupdata in Madison. So as long as you can still power up yourcomputer, you can get to the historical information. Electrical

power can be supplied by an emergency generator that is designed to come online automatically in the event of apower loss.

Should the systems ever be completely down, we still need totake care of patients. In that event, we have downtime proce-dures for using paper forms that would allow us to continue tofunction. The necessary forms can be printed on demand but wehave some preprinted copies on hand in case a power loss pre-vented us from printing. Once the system again becomes avail-able, we have a policy and process for incorporating that paperdocumentation back into the system so we are not forced tocarry that paper record forward.

The other area where we have built redundancy is our voicecommunications. We are using Voice-over-IP technology for ourtelecommunications, so a power or network outage wouldmean our phones would not work either. We plan for that byhaving cell phones and radios available. We also have certainphones that use traditional phone lines so we can continue tocommunicate.

We do a practice run, a mock downtime situation twice a year.One run is just simulated, but for the second one we actually takethe systems down to make sure that we know how we are goingto function. We also have planned outages, where we need totake the system down because we are upgrading it or doingmaintenance on it. We continue to strive to keep those outagesas brief as possible, but in those events we go to our downtimeprocedures and we continuously learn and improve on these.

By Tanya Townsend

Chief information Officer at HSHS—Eastern Division in Greenbay, Wisconsin.

Physical Safeguards18

The Security Rule defines physical safeguards as physical measures, policies,and procedures to protect a covered entity’s electronic information systems andrelated buildings and equipment from natural and environmental hazards, andunauthorized intrusion.

18Adapted from Security Standards: Physical Safeguards, HIPAA Security Series #3 (Baltimore, MD:Centers for Medicare and Medicaid Services, February 2005 and revised March 2007).

ISB

N1-256-97388-2



� Figure 10-8 Review facility security and emergency contingency plans periodically.

Facility Access ControlsFacility Access Controls are policies and procedures to limit physical access toelectronic information systems and the facility or facilities in which they arehoused. Figure 10-8 illustrates a staff meeting on facility security.

There are four implementation specifications.

1. Access Control and Validation Procedures Access Control and Validationare procedures to determine which persons should have access to certainlocations within the facility based on their role or function.

2. Contingency Operations Contingency operations refer to physical security measures to be used in the event of the activation of contingencyplans.

3. Facility Security Plan The Facility Security Plan defines and documentsthe safeguards used to protect the facility or facilities. Some examplesinclude:

◆ Locked doors, signs warning of restricted areas, surveillance cameras, alarms

◆ Property controls such as property control tags, engraving on equipment

◆ Personnel controls such as identification badges, visitor badges, or escorts forlarge offices

◆ Private security service or patrol for the facility

In addition, all staff or employees must know their roles in facility security.

4. Maintenance Records Document facility security repairs and modificationssuch as changing locks, making routine maintenance checks, or installingnew security devices.

ISB

N1-

256-

9738

8-2



Workstation UseInappropriate use of computer workstations can expose a covered entity to risks,such as virus attacks, compromise of information systems, and breaches ofconfidentiality. Specify the proper functions to be performed by electroniccomputing devices.

Workstation use also applies to workforce members using off-site workstationsthat can access EPHI. This includes employees who work from home, in satel-lite offices, or in another facility.

Workstation SecurityAlthough the Workstation Use standard addresses the policies and proceduresfor how workstations should be used and protected, the Workstation Securitystandard addresses how workstations are to be physically protected fromunauthorized users.

Device and Media ControlsDevice and Media Controls are policies and procedures that govern the receiptand removal of hardware and electronic media that contain EPHI, into and outof a facility, and the movement of these items within the facility.

The Device and Media Controls standard has four implementation specifica-tions, two required and two addressable.

1. Disposal When disposing of any electronic media that contains EPHI,make sure it is unusable or inaccessible.

2. Media Reuse Instead of disposing of electronic media, covered entitiesmay want to reuse it. The EPHI must be removed before the media can bereused.

3. Accountability When hardware and media containing EPHI are movedfrom one location to another, a record should be maintained of the move.Portable computers and media present a special challenge. Portable tech-nology is getting smaller, is less expensive, and has an increased capacityto store large quantities of data, making accountability even more impor-tant and challenging.

4. Data Backup and Storage This specification protects the availability ofEPHI and is similar to the Data Backup Plan for the contingency plan.

Technical Safeguards19

The Security Rule defines technical safeguards as “the technology and thepolicy and procedures for its use that protect electronic protected health infor-mation and control access to it.”

Because security technologies are likely to evolve faster than legislative rules,specific technologies are not designated by the Security Rule. Where the CMS

19Adapted from Security Standards: Technical Safeguards, HIPAA Security Series #4 (Baltimore,MD: Centers for Medicare and Medicaid Services, May 2005 and revised March 2007).

ISB

N1-256-97388-2



guidance documents provide examples of security measures and technical solu-tions to illustrate the standards and implementation specifications, these arejust examples. The Security Rule is technology neutral; healthcare organiza-tions have the flexibility to use any solutions that help them meet the require-ments of the rule.

Access ControlThe Access Control standard outlines the procedures for limiting access to onlythose persons or software programs that have been granted access rights bythe Information Access Management administrative standard (discussed ear-lier). Figure 10-9 shows one of the most common methods of access control.

Courtesy of Allscripts, LLC.

� Figure 10-9 A clinicianlogs on Allscripts Enterpriseusing a unique user ID andsecure password.

Four implementation specifications are associated with the Access Controlsstandard.

1. Unique User Identification Unique User Identification provides a way toidentify a specific user, typically by name or number. This allows an entityto track specific user activity and to hold users accountable for functionsperformed when logged into those systems.

2. Emergency Access Procedure Emergency Access procedures are docu-mented instructions and operational practices for obtaining access to nec-essary EPHI during an emergency situation. Access Controls are necessary

ISB

N1-

256-

9738

8-2



under emergency conditions, although they may be very different fromthose used in normal operational circumstances.

3. Automatic Logoff As a general practice, users should log off the systemthey are working on when their workstation is unattended. However, therewill be times when workers may not have the time, or will not remember, tolog off a workstation. Automatic logoff is an effective way to prevent unau-thorized users from accessing EPHI on a workstation when it is left unat-tended for a period of time.

Many applications have configuration settings for automatic logoff. After apredetermined period of inactivity, the application will automatically logoff the user. Some systems that may have more limited capabilities mayactivate an operating system screen saver that is password protected aftera period of system inactivity. In either case, the information that wasdisplayed on the screen is no longer accessible to unauthorized users.

4. Encryption and Decryption Encryption is a method of converting regulartext into code. The original message is encrypted by means of a mathemati-cal formula called an algorithm. The receiving party uses a key to convert(decrypt) the coded message back into plain text. Encryption is part of accesscontrol because it prevents someone without the key from viewing or usingthe information.

Audit ControlsAudit Controls are “hardware, software, and/or procedural mechanisms thatrecord and examine activity in information systems.”

Most information systems provide some level of audit controls and audit reports.These are useful, especially when determining if a security violation occurred.This standard has no implementation specifications.

IntegrityProtecting the integrity of EPHI is a primary goal of the Security Rule. EPHIthat is improperly altered or destroyed can result in clinical quality problems,including patient safety issues. The integrity of data can be compromised byboth technical and nontechnical sources.

There is one addressable implementation specification in the Integritystandard.

1. Mechanism to Authenticate Electronic Protected Health InformationOnce risks to the integrity of EPHI data have been identified during therisk analysis, security measures are put in place to reduce the risks.

Person or Entity AuthenticationThe Person or Entity Authentication standard has no implementation specifica-tions. This standard requires “procedures to verify that a person or entity seek-ing access to electronic protected health information is the one claimed.”

There are several ways to provide proof of identity for authentication.

ISB

N1-256-97388-2



20Adapted from Security Standards: Organizational, Policies and Procedures, HIPAA Security Series #5(Baltimore, MD: Centers for Medicare and Medicaid Services, May 2005, and revised March 2007).

◆ Require something known only to that individual,such as a password or PIN.

◆ Require something that individuals possess, suchas a smart card, a token, or a key. An example ofa smart card is shown in Figure 10-10.

◆ Require something unique to the individual, suchas a biometric. Examples of biometrics includefingerprints, voice patterns, facial patterns, oriris patterns.

Most covered entities use one of the first twomethods of authentication. Many small provideroffices rely on a password or PIN to authenticatethe user.

Transmission SecurityTransmission Security procedures are the “measures used to guard againstunauthorized access to electronic protected health information that is beingtransmitted.”

The Security Rule allows for EPHI to be sent over an electronic open networkas long as it is adequately protected. This standard has two implementationspecifications.

1. Integrity Controls Protecting the integrity of EPHI maintained in informa-tion systems was discussed previously in the Integrity standard. Integrityin this context is focused on making sure the EPHI is not improperly modi-fied during transmission. A primary method for protecting the integrity ofEPHI being transmitted is through the use of network communicationsprotocols. Using these protocols, the computer verifies that the data sent isthe same as the data received.

2. Encryption As previously described in the Access Control standard, encryp-tion is a method of converting an original message of regular text into en-coded or unreadable text that is eventually decrypted into plain compre-hensible text.

Encryption is necessary for transmitting EPHI over the Internet. There arevarious types of encryption technology available, but for encryption tech-nologies to work properly both the sender and receiver must be using thesame or compatible technology. Currently no single interoperable encryp-tion solution for communicating over open networks exists.

Organizational, Policies and Procedures, and Documentation Requirements20

In addition to the standards in the Administrative, Physical, and TechnicalSafeguards categories of the Security Rule, there also are four other standardsthat must be implemented. These are not listed in the Security StandardsMatrix (Figure 10-5), but they must not be overlooked.

Courtesy of Digital Identification Solutions, LLC.

� Figure 10-10 A staff ID card that uses smart card technology.

ISB

N1-

256-

9738

8-2



Organizational RequirementsThere are two implementation specifications of this standard.

1. Business Associate Contracts The Business Associate Contracts are usedif the business associate creates, receives, maintains, or transmits EPHImust meet the Security Rule requirements.

2. Other Arrangements The Other Arrangements implementation specifica-tions apply when both parties are government entities. There are two alter-native arrangements:

◆ A memorandum of understanding (MOU), which accomplishes the objectives ofthe Business Associate Contracts section of the Security Rule

◆ A law or regulations applicable to the business associate that accomplishes theobjectives of the Business Associate Contracts section of the Security Rule

Policies and ProceduresAlthough this standard requires covered entities to implement policies andprocedures, the Security Rule does not define either “policy” or “procedure.”Generally, policies define an organization’s approach. Procedures describe howthe organization carries out that approach, setting forth explicit, step-by-stepinstructions that implement the organization’s policies. Policies and proceduresmay be modified as necessary.

DocumentationThe Documentation standard has three implementation specifications.

1. Time Limit Retain the documentation required by the rule for 6 yearsfrom the date of its creation or the date when it last was in effect,whichever is later.

2. Availability Make documentation available to those persons responsiblefor implementing the procedures to which the documentation pertains.

3. Updates Review documentation periodically, and update as needed, inresponse to environmental or operational changes affecting the securityof the electronic protected health information.

The Security Rule also requires that a covered entity document the rationalefor all security decisions.

Breach Notification Requirements21

The HITECH Act also added new requirements regarding the occurrence of a breach of unsecured protected health information. A breach is definedas an impermissible use or disclosure under the Privacy Rule that compro-mises the security or privacy of the PHI such that the use or disclosureposes a significant risk of financial, reputation, or other harm to the affectedindividual.

21Breach Notification Interim Final Regulation (45 CFR 164.408).

ISB

N1-256-97388-2



There are three exceptions to the definition of “breach”:

◆ Unintentional acquisition, access, or use of PHI by an employee of a coveredentity or business associate

◆ Inadvertent disclosure of PHI from an authorized person to another authorizedperson at the covered entity or business associate

◆ If the covered entity or business associate has a good faith belief that theunauthorized individual, to whom the impermissible disclosure was made,would not have been able to retain the information

Covered entities must notify affected individuals, the Secretary of Health andHuman Services, and, in certain circumstances, the media following the discoveryof a breach of unsecured PHI. Business associates must notify covered entitiesif a breach has occurred. The OCR must post a list of breaches that affect500 or more individuals.

Individual NoticeCovered entities must provide affected individuals written notice by first-classmail, or alternatively, by e-mail if the affected individual has agreed to receivesuch notices electronically. If the covered entity has insufficient or out-of-datecontact information for 10 or more individuals, the covered entity must providesubstitute individual notice by either posting the notice on the home page ofits web site or by providing the notice in major print or broadcast media wherethe affected individuals likely reside. If the covered entity has insufficient orout-of-date contact information for fewer than 10 individuals, the coveredentity may provide substitute notice by an alternative form of written, telephone,or other means.

These individual notifications must be provided without unreasonable delayand in no case later than 60 days following the discovery of a breach and mustinclude, to the extent possible, a description of the breach, a description of thetypes of information that were involved in the breach, the steps affected indi-viduals should take to protect themselves from potential harm, a brief descrip-tion of what the covered entity is doing to investigate the breach, mitigate theharm, and prevent further breaches, as well as contact information for the cov-ered entity. Additionally, for substitute notice provided via web posting ormajor print or broadcast media, the notification must include a toll-free num-ber for individuals to contact the covered entity to determine if their PHI wasinvolved in the breach.

Media NoticeCovered entities that experience a breach affecting more than 500 residents ofa State or jurisdiction are, in addition to notifying the affected individuals,required to provide notice to prominent media outlets serving the State orjurisdiction. Covered entities will likely provide this notification in the form ofa press release to appropriate media outlets serving the affected area. Likeindividual notice, this media notification must be provided without unreason-able delay and in no case later than 60 days following the discovery of a breachand must include the same information required for the individual notice.

ISB

N1-

256-

9738

8-2



Notice to the SecretaryIn addition to notifying affected individuals and the media (where appropriate),covered entities must notify the Secretary of Health and Human Services ofbreaches of unsecured PHI. Covered entities will notify the Secretary by visitingthe HHS web site and filling out and electronically submitting a breach reportform. If a breach affects 500 or more individuals, covered entities must notify theSecretary without unreasonable delay and in no case later than 60 days followinga breach. If, however, a breach affects fewer than 500 individuals, the coveredentity may notify the Secretary of such breaches on an annual basis. Reports ofbreaches affecting fewer than 500 individuals are due to the Secretary no laterthan 60 days after the end of the calendar year in which the breaches occurred.

Notification by a Business AssociateIf a breach of unsecured PHI occurs at or by a business associate, the businessassociate must notify the covered entity following the discovery of the breach. Abusiness associate must provide notice to the covered entity without unreason-able delay and no later than 60 days from the discovery of the breach. To theextent possible, the business associate should provide the covered entity withthe identification of each individual affected by the breach as well as any infor-mation required to be provided by the covered entity in its notification toaffected individuals.

Electronic Signatures for Health Records

The HIPAA Security Rule was originally titled “Security and Electronic SignatureStandards.” The original Security Rule also proposed a standard for electronicsignatures. The final rule covered only security standards.

The Electronic Signatures in Global and National Commerce Act22 made digitalsignatures as binding as their paper-based counterparts for commerce.However, HIPAA does not yet require the use of electronic signatures, becauseHIPAA does not yet have a Rule for Electronic Signature standards. ElectronicSignature standards eventually will be necessary to achieve a completely paperless EHR. In this section, we will discuss electronic signatures and thecriteria required for successful implementation.

What Is an Electronic Signature and What Is Not?Compare Figure 10-11 and Figure 10-12. Which of these has an electronicsignature? If you said Figure 10-12, you would be correct. An electronic signa-ture is not a scanned image of someone’s paper signature. Valid electronic signa-tures must meet three criteria.

1. Message Integrity Message Integrity means the recipient must be able toconfirm that the document has not been altered since it was signed.

2. Nonrepudiation The signer must not be able to deny signing the document.

3. User Authentication The recipient must be able to confirm that the signature was in fact “signed” by the real person.

22Electronic Signatures in Global and National Commerce Act (ESIGN, Pub.L. 106-229, 14 Stat.464, enacted June 30, 2000, 15 U.S.C. ch. 96.

ISB

N1-256-97388-2



5/1/2012 11:00AM

S. Rosa Garcia is a 27 year old female complaining of chronic/recurring headaches for more than 5 days. Headaches are occurring daily, recently worse, inadequately controlled, and lasting 2-4 hours. Daily coffee consumption was 7-8 cups per day but she recently stopped all coffee consumption.O. Physical exam showed no evidence of a head injury. A mental status exam was normal. Vital Signs were WNL: Vital Signs/Measurements Value Oral temperature 98.6 F RR 25 breaths/min PR 75 bpm Blood pressure 117/75 mmHg Weight 140 lbs Height 64 inA. Vasoconstrictor withdrawal headache from caffeineP. Eat regular meals, get plenty of exercise, and limit intake of caffeine, and alcohol

� Figure 10-11 Scanneddocument with an image of signature.

<Signed SigID=001>

5/1/2012 11:00AM

S. Rosa Garcia is a 27 year old female complaining of chronic/recurring headaches for more than 5 days. Headaches are occurring daily, recently worse, inadequately controlled, and lasting 2-4 hours. Daily coffee consumption was 7-8 cups per day but she recently stopped all coffee consumption.O. Physical exam showed no evidence of a head injury. A mental status exam was normal. Vital Signs were WNL: Vital Signs/Measurements Value Oral temperature 98.6 F RR 25 breaths/min PR 75 bpm Blood pressure 117/75 mmHg Weight 140 lbs Height 64 inA. Vasoconstrictor withdrawal headache from caffeineP. Eat regular meals, get plenty of exercise, and limit intake of caffeine, and alcohol

// Electronically Signed by Terry Jones, M.D. 201205011114EST

</Signed><Signature SigID=001 PsnID=jones001>2AB3764578CB212990BA5C18A29870F40198B240C330249C9461D20774C1622D39D2302B2349802DE002342</Signature>

� Figure 10-12Electronically signeddocument with a PKIsignature.

The electronic signature process involves the successful identification andauthentication of the signer at the time of the signature, binding of the signa-ture to the document, and nonalterability of the document after the signaturehas been affixed. Only “digital signatures” meet all three of these criteria.

ISB

N1-

256-

9738

8-2



How Digital Signatures WorkDigital signatures use a branch of mathematics called cryptography and PKI,which stands for Public Key Infrastructure. Each PKI user has two “keys,” aprivate key for signing documents and a public key for verifying his or her sig-nature. Only you know your private key, whereas your public key is availableto all through a public directory.

Usually the directory for your public key is maintained by a certificate author-ity. The certificate authority is a trusted third party who has validated youridentity and issued a certificate to that effect. A certificate is an electronicrecord of your public key, which has been digitally signed by the certificateauthority. The certificate can be validated by its own key. This provides reason-able assurance that the signer and their public key are genuine.

� Figure 10-13 How a digital signature works.

23Figure adapted from Digital Signature Standard, published By U.S. Department of Commerce/National Institute of Standards and Technology, 2000.

Figure 10-13 illustrates the electronic signature and verification process of PKI.23

Compare Figure 10-13 with the following steps:

� A computer software program performs a mathematical calculation on theentire contents of the electronic document to be signed.

� The result is a unique code referred to as the “message digest.”

ISB

N1-256-97388-2



� This code is encrypted using your “private” key. Your private key might besimilar to a password, which you must keep secret so that no one else can“forge” your signature.

The digital signature is then typically attached to or sent with the document.

When the recipient wishes to validate your signature, that person uses acomputer program that decodes the signature with your public key, anddetermines if the message digest is identical to that which was originallysent.

� The validation process uses the same algorithm as the original program toproduce a “message digest” of the text of the document.

� The public key is retrieved from a public directory or certificate authority.

� The signature verification process decodes the digital signature using yourpublic key and compares it to the message digest. If the results of the algo-rithm match, the signature is verified.

PKI digital signatures not only confirm that you are the signer but also that thedocument has not been altered since you signed it.

Some EHR Signatures Are Not True Electronic SignaturesEven though HIPAA has not adopted an official standard for electronic signatures,they are already necessary in the EHR. Prescriptions are sent to a pharmacy,dictation and electronic medical records are “signed,” and orders are issued fromEHR systems every day. However, most of the systems currently in use do not usethe process described earlier to produce and store an electronic signature.

Many systems have a process to “sign” their records with a PIN, a password, oreven a fingerprint, but the underlying software simply sets a field in the data-base indicating the provider “signed” the record. This is adequate to the partic-ular EHR system, but it would not meet the criteria of an electronic signature ifit were necessary to send a copy of the record to an outside entity. Partly this isthe fault of HHS. Until there is a national infrastructure for issuing certificatesand national standards for signing and validating digital signatures, EHR soft-ware cannot comply.

Whether electronic signatures in your office are true digital signatures or justmechanisms for locking and protecting EHR system records, it is importantthat you follow the policies and procedures of your facility. Most EHR systemshave an internal audit trail detailing who has created each document andmedical record.

◆ Always log on to the EHR as yourself.

◆ Always log off when you are through.

◆ Always keep your passwords or PIN numbers private.

This will prevent someone else from signing medical records under your ID.

The Future of Electronic SignaturesThe Joint Commission (JCAHO) accepts the use of electronic signatures in hos-pital, ambulatory care, home care, long-term care, and mental health settings.

ISB

N1-

256-

9738

8-2



The Joint Commission requirement for electronic signatures and computer keysignatures is simple: “The practitioner must sign a statement that he or shealone will use it.”24

Currently, CMS permits the authentication of medical records by computer keybut does not specify methods. The President of the United States directed theU.S. Department of Commerce, National Institute of Standards and Technologyto develop a set of standards for Digital Signatures. HHS will likely adopt thesame cryptographically based digital signature for the HIPAA standard.

State laws vary on electronic signatures for medical records and some do notaddress it at all. States will likely come into alignment only after HHS publica-tion of HIPAA standards for electronic signatures. If you have any questionabout regulations in your state, check with the medical licensing authority inyour state.

Critical Thinking Exercise 62: Your Electronic Signature1. What is the legal status of the electronic signature in the EHR in your state?

2. How can you protect your own electronic signature?

3. Identify potential impacts of a failure to log off or exit from the patient record.

HIPAA Privacy, Security, and You

As someone who will work with patients’ health records, it is especially impor-tant for you to understand the regulations regarding privacy and security.Follow the privacy policy and security rules at your place of work. Know whothe privacy and security officials are. Ask them if you have any questions re-garding policies at your practice or if you feel that you need additional training.

It is especially important not to give others your password and to always logout of a medical records computer when you are not using it. Remember totreat every medical record (paper or electronic) in a confidential manner.

Chapter Ten Summary

The Health Insurance Portability and Accountability Act, or HIPAA, was passedin 1996. The Administrative Simplification Subsection (Title 2, f ) (hereafter justcalled HIPAA) has four distinct components:

1. Transactions and code sets

2. Uniform identifiers

3. Privacy

4. Security

HIPAA regulates health plans, clearinghouses, and healthcare providers as“covered entities” or a “covered entity” with regard to these four areas.

24Comprehensive Accreditation Manual for Hospitals (CAMH), Standard IM. 6.10, Joint Commissionon Accreditation of Healthcare Organizations, 2004.

ISB

N1-256-97388-2



HIPAA standardized formats for EDI or Electronic Data Interchange by requir-ing specific Transaction Standards. These currently are used for eight types oftransactions between covered entities. This was the first of the AdministrativeSimplification Subsection to be implemented. This section also requires stan-dardized code sets such as HCPCS, CPT-4, ICD-9-CM, and others to be used.

HIPAA also established uniform identifier standards, which will be used on allclaims and other data transmissions. These will include:

◆ National provider identifier for doctors, nurses, and other healthcare providers

◆ Federal employer identification number used to identify employer-sponsoredhealth insurance

◆ National health plan identifier, a unique identification number that will beassigned to each insurance plan, and to the organizations that administerinsurance plans, such as payers and third-party administrators

The privacy and security rules use two acronyms: PHI, which stands forProtected Health Information, and EPHI, which stands for Protected HealthInformation in an Electronic Format.

The HIPAA privacy standards are designed to protect a patient’s identifiablehealth information from unauthorized disclosure or use in any form, while per-mitting the practice to deliver the best healthcare possible. To comply with thelaw, privacy activities in the average medical office might include:

◆ Providing a copy of the office privacy policy informing patients about theirprivacy rights and how their information can be used

◆ Asking the patient to acknowledge receiving a copy of the policy or signing aconsent form

◆ Obtaining signed authorization forms and in some cases tracking the disclo-sures of patient health information when it is to be given to a person or orga-nization outside the practice for purposes other than treatment, billing, orpayment

◆ Adopting clear privacy procedures for its practice

◆ Training employees so that they understand the privacy procedures

◆ Designating an individual to be responsible for seeing that the privacy proce-dures are adopted and followed

◆ Securing patient records containing individually identifiable health informa-tion so that they are not readily available to those who do not need them

When the Privacy Rule initially was issued, it required providers to obtain patient“consent” to use and disclose PHI for the purposes of treatment, payment, andhealthcare operations, except in emergencies. The rule was almost immediatelyrevised to make consent optional. In general, the practice can use PHI foralmost anything related to treating the patient, running the medical practice,and getting paid for services. This means doctors, nurses, and other staff canshare the patient’s chart within the practice.

Authorization differs from consent in that it does require the patient’s permis-sion to disclose PHI. Some examples of instances that would require an autho-rization would include sending the results of an employment physical to an

ISB

N1-

256-

9738

8-2



employer, immunization records, or the results of an athletic physical to theschool.

The authorization form must include a date signed, an expiration date, to whomthe information may be disclosed, what is permitted to be disclosed, and forwhat purpose the information may be used. The authorization must be signedby the patient or a representative appointed by the patient. Unlike the openconcept of consent, authorizations are not global. A new authorization is signedeach time there is a different purpose or need for the patient’s information tobe disclosed.

Practices are permitted to disclose PHI without a patient’s authorization or con-sent when it is requested by an authorized government agency. Generally, suchrequests are for legal (law enforcement, subpoena, court orders, and so on)public health purposes, or for enforcement of the Privacy Rule itself. Providersalso are permitted to disclose PHI concerning on-the-job injuries to workers’compensation insurers, state administrators, and other entities to the extentrequired by state law.

Whether the practice has disclosed PHI based on a signed authorization or tocomply with a government agency, the patient is entitled to know about it. ThePrivacy Rule gives the individuals the right to receive a report of all disclosuresmade for purposes other than treatment, payment, or operations. Therefore, inmost cases the medical office must track the disclosure and keep the recordsfor at least six years.

Most healthcare providers and health plans use the services of a variety of otherpersons or businesses. The Privacy Rule allows covered providers and healthplans to disclose protected health information to these “business associates.”The Privacy Rule requires that a covered entity obtain a written agreement fromits business associate, which states the business associate will appropriatelysafeguard the protected health information it receives or creates on behalf ofthe covered entity.

Congress provided civil and criminal penalties for covered entities that misusepersonal health information. The privacy rule is enforced by the HHS Office forCivil Rights (OCR).

The Privacy Rule sets the standards for, among other things, who may haveaccess to PHI, whereas the Security Rule sets the standards for ensuring thatonly those who should have access to EPHI actually will have access. ThePrivacy Rule applies to all forms of patients’ protected health information,whether electronic, written, or oral. In contrast, the Security Rule covers onlyprotected health information that is in electronic form.

Security standards were designed to provide guidelines to all types of coveredentities, while affording them flexibility regarding how to implement the stan-dards. Covered entities may use appropriate security measures that enablethem to reasonably implement a standard.

Security standards were designed to be “technology neutral.” The rule does notprescribe the use of specific technologies, so that the healthcare communitywill not be bound by specific systems or software that may become obsolete.

ISB

N1-256-97388-2



The security standards are divided into the categories of administrative, physi-cal, and technical safeguards.

Administrative safeguards. In general, these are the administrative functionsthat should be implemented to meet the security standards. These includeassignment or delegation of security responsibility to an individual and securitytraining requirements.

Physical safeguards. In general, these are the mechanisms required to protectelectronic systems, equipment, and the data they hold, from threats, environ-mental hazards, and unauthorized intrusion. They include restricting access toEPHI and retaining off-site computer backups.

Technical safeguards. In general, these are primarily the automated processesused to protect data and control access to data. They include using authentica-tion controls to verify that the person signing onto a computer is authorized toaccess that EPHI, or encrypting and decrypting data as it is being stored ortransmitted.

Breach Notification Requirements require covered entities to notify affectedindividuals, the Secretary of Health and Human Services, and in certain circum-stances the media, the occurrence of a breach of unsecured PHI. Businessassociates must notify covered entities if a breach has occurred. The OCR mustpost a list of breaches that affect 500 or more individuals.

The original Security Rule also proposed a standard for electronic signatures.The final rule covered only security standards.

The Electronic Signatures in Global and National Commerce Act made digitalsignatures as binding as their paper-based counterparts. Although the lawmade digital signatures valid for commerce, HIPAA does not require the use ofelectronic signatures. Electronic signature standards will eventually be neces-sary to achieve a completely paperless EHR. A Rule for Electronic Signaturestandards may be proposed at a later date.

A valid electronic signature must meet three criteria.

1. Message Integrity—the recipient must be able to confirm that the documenthas not been altered since it was signed.

2. Nonrepudiation—the signer must not be able to deny signing thedocument.

3. User Authentication—the recipient must be able to confirm that the signa-ture was in fact “signed” by the real person.

Digital signatures meet all three of these criteria. Digital signatures use abranch of mathematics called cryptography and PKI, which stands for PublicKey Infrastructure.

Each PKI user has two “keys,” a private key for signing documents and a publickey for verifying his or her signature. A computer software program performs amathematical calculation on the entire contents of the electronic document tobe signed. The result is a unique “message digest,” which is then encryptedusing the “private” key.

ISB

N1-

256-

9738

8-2



The digital signature is then attached to or sent with the document. When therecipient wishes to validate the signature, a similar computer program regener-ates the “message digest” and decodes the digital signature with the public key.Comparing the two, the program determines if the message digest is identicalto that which was originally sent. In this way digital signatures not only con-firm that you are the signer but also that the document has not been alteredsince it was signed.

Testing Your Knowledge of Chapter 10

Answer the following questions:

1. What do the acronyms PHI and EPHI stand for?

2. List the three criteria of an electronic signature.

3. Compare the difference between consent and authorization.

4. Does a provider need the patient’s consent to share PHI with an authorizedgovernment agency?

5. List the four components of the HIPAA Administrative Simplification Subsection.

6. Which part of the regulation went into effect first?

7. Which part of the regulation went into effect last?

8. Business Associate Agreements apply to which components of the AdministrativeSimplification Subsection?

9. What department of the U.S. government enforces HIPAA?

10. List the three categories of the Security Rule.

11. Name the covered entities under HIPAA.

12. Which components of the Administrative Simplification Subsection have employee training as one of the requirements?

13. List the requirements for the medical office privacy policy.

14. Name three of the technical safeguards.

15. Who may sign an authorization to release PHI?

ISB

N1-256-97388-2


chapter ten privacy and security recordsmyresource.phoenix.edu › secure › resource › hcis255r1...

Documents