The Evolution of HIPAA: Part 2
Posted by: Chris Lyons
In part one of this HIPAA blog series, we discussed how HIPAA applies to every healthcare company that creates health information and to every company that provides services to one. Covered Entities (CEs), and anyone that operates as a Business Associate (BA) providing services to a CE, must follow the requirements. A service makes an entity a BA if it involves the processing, storage, or transmission of electronic Protected Health Information (ePHI) in any form. If a company provides any service to a healthcare company that touches ePHI, it is considered a BA.
CEs are required to be compliant with all of the rules of HIPAA. These rules include the requirements of Security, Privacy, and Breach Notification. BAs are required to be compliant with a smaller subset of the above rules which are defined by HIPAA and the BA agreements that are signed with the CEs. HIPAA has multiple requirements that are defined first by the category (CE vs BA) and second by the agreements that are signed between the CE and BA.
HIPAA is divided into two (2) distinct groups of requirements. The first is Required controls. Required controls are controls that HIPAA states “must be implemented as stated”: they must be implemented exactly as listed in the rule. For example, the Risk Analysis rule within HIPAA, 164.308(a)(1)(ii)(A), is a required control. All companies under the mandate of HIPAA are required to conduct a risk assessment on a “regular” basis. The risk assessment must cover the entire environment that could possibly contain electronic protected health information (ePHI). This assessment must include, at a minimum, the following:
- A defined scope and methodology that will be used for the assessment.
- Details of identified threats and vulnerabilities.
- Details of any currently implemented security controls.
- A list of any identified threats and vulnerabilities to the environment.
- An analysis of the impact and likelihood of identified threats.
- A risk rating of the identified threats.
- Any additional details that are relevant to the identified environment.
Required controls also include controls that specify things such as individual access, which includes the ability (requirement) to track all access to PHI.
The second level of controls is Addressable controls. HIPAA Addressable Controls are controls that a company can implement in the way that fits its environment. While these controls are “Addressable”, they are technically not optional. Some companies take Addressable to mean “If we can we will implement them, but we don’t have to”. This interpretation is incorrect. The purpose of addressable controls in HIPAA is that the company will implement either the control as specified or an alternative control that is at least as strong. For each Addressable control, the company must do one of the following:
- Implement the Addressable control as specified.
- Implement a solution that is at least as secure and document how it meets the requirement of the rule along with how it is sufficient to meet the requirement of the Addressable control.
- Do not implement the control. If the control is not implemented, the reason that the control is unreasonable must be documented. (Warning: Any controls that are not implemented and result in a breach will be looked at more harshly by the Office for Civil Rights [OCR] in the event of an audit or breach.) Additionally, an alternate control should be implemented if reasonable and appropriate. See the HIPAA implementation specifications at 45 CFR 164.306(d).
Required controls are the minimum HIPAA requires and must be implemented as stated. Addressable controls can be implemented in the way that is best for each company. Together, Required and Addressable controls give healthcare companies and their BAs the flexibility to implement controls that secure the ePHI of patients and meet the requirements of the written rules. Any Addressable control that is not implemented must be documented, along with the reason it is unreasonable.
HIPAA is a baseline security standard and as such is designed to allow each company to implement controls that are consistent with its environment and the threats it faces. The HIPAA standard is fluid but has changed very little in intent, even though the technology landscape has evolved massively. This fluidity allows the Office for Civil Rights (OCR) to enforce HIPAA in light of current technological advances. Meeting the basic HIPAA standards is the minimum level mandated but may not be sufficient for every company. HIPAA, as a standard, law, and regulation, is always enforced in the best interest of protecting individuals’ information, and it is designed to give the OCR the ability to enforce requirements commensurate with current technological capabilities.
Chris Lyons
Sr. Security Consultant, Compliance,
GuidePoint Security
Chris Lyons, Senior Security Consultant at GuidePoint Security, began his career in the security industry in 1995. His professional experience includes conducting security assessments, specializing in HIPAA, PCI, and HITRUST. He has led and participated in security assessments throughout the world in the banking, commercial, retail, and healthcare industries.
Chris earned a Bachelor of Science degree in Business Administration from Bethel University, a Master’s in Business Administration (MBA) from the University of Phoenix, and a Master’s in Education from Liberty University. He holds several certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), PCI Qualified Security Assessor (QSA), Certified HITRUST Assessor, and Healthcare Certified Information Security and Privacy Practitioner (HCISSP).