As promised, we are writing again today on Business Associates and the Security Rule. If you have been following us for a while, then by now you know that in general, if a Business Associate fails to comply with the Security Rule, it may be exposed to the same civil and criminal penalties that a covered entity faces.
And you also know that Security Rule specifications are either "Required" or "Addressable." Required specifications must be implemented. Addressable specifications must be assessed, and then implemented as specified if reasonable and appropriate to the Business Associate. If, after an assessment, a Business Associate determines that an addressable specification is not reasonable and appropriate, then it must document the reason(s), and an equivalent alternative measure must be implemented, provided the alternative is "reasonable and appropriate." Don’t be fooled by the Flexibility Approach. ALL specifications must be dealt with in some way, shape, or form, by ALL Business Associates, regardless of size.
We have said this before, but it bears repeating. At a minimum, we recommend that a Business Associate do the following in order to demonstrate a good faith effort at compliance:
Name a Security Officer
Name a Privacy Officer
Develop, distribute and get signatures on Privacy, Security and Breach Notification Policies
In our last post, we discussed the four principal objectives of the Security Rule (§160.306(a)).
We mentioned that although the items enumerated did not appear unreasonable or overly burdensome, the devil was in the details. So here are some of those details.
The Security Rule contains a concept called the "Flexibility Approach," which others refer to as the Security Rule's guiding principle. In essence, the flexibility principle enumerates four factors that a Business Associate should consider when deciding how to "reasonably and appropriately" implement the standards and implementation specifications.
The four Security Rule Flexibility Factors are as follows:
The size, complexity, and capabilities of the BA.
The BA's technical infrastructure, hardware, and software security capabilities.
The costs of security measures.
The probability and criticality of potential risks to ePHI.
More on the standards and implementation specifications next time.
Five years out from the promulgation of the HITECH Act, business associates are still struggling with what the Act requires of them under the modified HIPAA regulations. Although under the Omnibus Rule it should be clear that a business associate ("BA") must comply with the Privacy Rule, the Security Rule, and the Breach Notification Rule, the requirements of the Security Rule ("SR") bedevil BAs the most.
The SR requires that a BA implement three types of safeguards: (1) administrative, (2) physical, and (3) technical. The principal objectives of the SR, as it pertains to both a Covered Entity and a BA, are as follows (§160.306(a)):
Ensure the confidentiality, integrity, and availability of all its ePHI.
Protect against any reasonably anticipated threats or hazards to its ePHI.
Protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required under the Privacy Rule ("PR").
Ensure its workforce complies with the SR.
The items enumerated above do not appear unreasonable or overly burdensome. However, the devil (as always) lies in the details.
Conducting an effective Risk Assessment is a daunting task no matter how often you may have done it. However, if it is your first time, then your anxiety level is likely to be an order of magnitude higher. The silver bullet, in a nutshell, is that there is "no such thing as a perfect Risk Assessment," and there is no compliance requirement for one. The objective is not perfection; rather, the objective is to establish a baseline that you can continue to improve on over time.
A Risk Assessment is not something that you perform once and then forget. Because the threat landscape changes on a daily basis, it is inconceivable that a rigorous "full blown" Risk Assessment could be performed less often than once a year, and once a quarter is more likely what you should strive for. Now, the HIPAA Rules do not mandate the frequency of Risk Assessments; rather, the Rules require that you perform a Risk Assessment whenever your operational environment, or the law, changes in a material way. That said, a couple of points need to be noted: (1) given the amount of change occurring in the healthcare industry (now and in the foreseeable future), operational environments are going to be changing quite often; and (2) if your objective is to manage risk, then performing a Risk Assessment only once a year is simply not a "reasonable and appropriate" thing to do.