
INFORMATION SECURITY ASSESSMENTS

Trends in Healthcare IT: Understanding HITECH, the HIPAA Security Rule, and How to Safeguard Your Electronic Protected Health Information (EPHI)

• There are increasingly strong private and public incentives to implement electronic exchange of health information

• Recent federal legislation mandates greater enforcement of laws for safeguarding electronic protected health information

• Security risks should be mitigated to avoid costly penalties, protect company reputation, and gain competitive advantage

6450 Via Real, Suite 3
Carpinteria, CA 93013
800-721-9177
805-684-6858

WHITE PAPER
TABLE OF CONTENTS
1 Executive Summary
2 The HIPAA Security Rule
3 High Costs for Failure to Safeguard EPHI
4 Keys to Successfully Safeguarding EPHI
5 Glossary
6 About Redspin, Inc.

Page 1 | www.redspin.com 2010 | White Paper


Executive Summary
Healthcare providers, health insurers, and health information service companies today are moving faster than ever to implement IT systems to electronically capture, share, and warehouse healthcare information. The business incentives for moving to electronic health records (EHR)—including speed, low storage costs, and reduced administration expense—have been understood for decades. Recently these goals were given a boost by the US government through the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act was enacted as part of the large federal stimulus bill known as the American Recovery and Reinvestment Act of 2009 (ARRA), signed into law by President Obama on February 17, 2009. The HITECH Act promotes the adoption and meaningful use of health information technology by providing monetary incentives for healthcare entities that implement EHR systems, and by eventually penalizing those entities that do not use EHR.

With the US healthcare industry properly funded and motivated, it is not surprising to see a surge of interest in EHR implementation. This rush also has highlighted important considerations regarding healthcare IT security. Under the HITECH Act, the federal government mandates improved enforcement of laws related to healthcare IT security, most notably the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Security Rule specifically focuses on safeguarding electronic protected health information (EPHI).

The Department of Health and Human Services (HHS) has been quick to highlight the importance of ensuring the security and privacy of health information. In an August 3, 2009 news release, HHS Secretary Kathleen Sebelius noted, “Security and privacy of health information are increasingly intersecting as the department works with the health industry to adopt electronic health records and participate in an even greater level of electronic exchange of health information.” HHS has also taken recent steps to expand penalties for security violations and to implement rules of notification for breaches of security.

This paper explores important business implications regarding the HITECH Act and the HIPAA Security Rule, provides guidance for the healthcare industry on how EPHI can be properly safeguarded, and explains how effective EPHI security can work to an organization’s competitive advantage.



The HIPAA Security Rule
The HIPAA Security Rule, published in 2003 by the Secretary of Health and Human Services, is
a component of the larger HIPAA law of 1996. The HIPAA Security Rule specifically focuses on
the safeguarding of electronic protected health information (EPHI) by ensuring three key aspects of
EPHI:

Confidentiality: defined as “the property that data or information is not made available
or disclosed to unauthorized persons or processes”

Integrity: defined as “the property that data or information have not been altered or
destroyed in an unauthorized manner”

Availability: defined as “the property that data or information is accessible and useable
upon demand by an authorized person”

The Security Rule states that EPHI that is received, maintained, or transmitted must be protected
against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In
general the requirements, standards, and implementation specifications of the Security Rule apply
to the following covered entities.

Covered Health Providers: Providers of medical or other health services/supplies who transmit
health information in electronic form in connection with a transaction

Health Plans: Individual or group plans that provide or pay the cost of medical care

Healthcare Clearinghouses: Public or private entities that process another entity’s
healthcare transactions

HIPAA Security Rule Organization


The HIPAA Security Rule is organized into six sections. Each section contains standards and
implementation specifications that all covered entities must follow. Failure by a covered entity to
adhere to the applicable standards and implementation specifications may result in stiff sanctions
and a detailed corrective action plan. The six sections are listed below.

• Security Standards and General Rules: Includes the general requirements all
covered entities must meet; establishes flexibility of approach; identifies standards and
implementation specifications; outlines decisions a covered entity must make regarding
implementation specifications; and requires maintenance of security measures to continue
reasonable and appropriate protection of EPHI

• Administrative Safeguards: Defined in the Security Rule as the “administrative
actions and policies, and procedures to manage the selection, development,
implementation, and maintenance of security measures to protect EPHI and to manage the
conduct of the covered entity’s workforce in relation to the protection of that information.”

• Physical Safeguards: Defined in the Security Rule as the “physical measures, policies,
and procedures to protect a covered entity’s EPHI systems and related buildings and
equipment from natural and environmental hazards, and unauthorized intrusion.”

• Technical Safeguards: Defined as the “technology and the policy and procedures for
its use that protect EPHI and control access to it.”

• Organizational Requirements: Includes standards for business associate contracts
and other arrangements, including memoranda of understanding between a covered
entity and a business associate, and requirements for group health plans

• Policies and Procedures and Documentation Requirements: Requires
implementation of reasonable and appropriate policies and procedures to comply with
the standards, implementation specifications and other requirements of the Security Rule;
maintenance of written documentation and/or records that includes policies, procedures,
actions, activities, or assessments required by the Security Rule; and retention, availability,
and update requirements related to the documentation



HIPAA Security Standards Table
The following table shows how the HIPAA Security Rule standards are organized within each
section of the law. [Table body not reproduced in this extraction.] Two sidebar excerpts accompany
the table:

“Identify the security official responsible for the development and implementation of the required
policies and procedures.”

“Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed.”



High Costs for Failure to Safeguard EPHI
The proper safeguarding of EPHI has obvious importance for patients and for the reputation of
covered healthcare entities that use and exchange EPHI. As a measure of protection, the Department
of Health and Human Services (HHS) has established penalties for violating the HIPAA Security
Rule. Failure to safeguard EPHI can be very costly.

Consider the case of Providence Health & Services, a Seattle-based not-for-profit health system. In
at least five incidents in 2005 and 2006 unencrypted EPHI of Providence patients was stored on
backup tapes, optical disks, and laptops that were taken offsite from Providence by members of its
workforce. The data were then misplaced or stolen, potentially compromising the health information
of over 375,000 patients. Providence advised patients of the loss of information in accordance
with state notification law, and though there is no evidence that EPHI was wrongfully used, HHS
launched an investigation focusing on Providence’s failure to implement policies and procedures
to safeguard the data. In July 2008 HHS entered into a settlement with Providence that included
a $100,000 monetary settlement and a multi-point, 3-year Corrective Action Plan focusing on
the development, implementation, training, monitoring, and enforcement of robust policies and
procedures for handling EPHI under the HIPAA Security Rule.

New Penalties for Violating the HIPAA Security Rule
As required by the adoption of the HITECH Act and in the understanding that EPHI implementation
is likely to accelerate quickly, HHS has taken steps to further define the landscape in terms of
compliance under the HIPAA Security Rule. The action has centered around two main areas:

• New categories and corresponding penalty amounts for EPHI security violations; and

• New breach notification rules for unsecured EPHI

Updated Categories of Violations and Penalty Amounts for EPHI
The HITECH Act addressed the privacy and security concerns associated with EPHI in part by
strengthening the civil and criminal enforcement of the HIPAA Security Rule. Under guidance from
HHS that took effect November 30, 2009, a new framework was developed to establish:

• Four categories of violations that reflect increasing levels of culpability

• Four corresponding tiers of penalty amounts that significantly increase the minimum
penalty amount for each violation

• A maximum penalty amount of $1.5 million for all violations of an identical provision



Table 1 — Categories of HIPAA Security Rule Violations and Respective Penalty Amounts
(Federal Register/Vol. 74, No. 209, Friday, October 30, 2009/Rules and Regulations, page 56127)
[Table body not reproduced in this extraction.]

Rules for Notification of EPHI Breach
Under the HITECH Act, Congress mandates notification for the breach of “unsecured” EPHI (the
HHS definition of “unsecured” is given below). The notification requirements for breaches of unsecured
EPHI apply to all entities subject to HIPAA. To constitute a breach under the law, the acquisition, use,
access or disclosure of the EPHI must “compromise the security or privacy of such information.”

In August 2009 HHS and the Federal Trade Commission (FTC), respectively, published rules on
when and how HIPAA covered entities and vendors of personal health records (PHR) such as
Google Health and Microsoft’s Health Vault must notify individuals of security breaches.

The HHS rule requires HIPAA-covered entities to provide affected individuals with timely notice
(less than 60 days) upon the discovery of a breach of their unsecured EPHI. HHS regulations
mandate that notice include certain information, including a brief description of the event that led
to the breach, the specific EPHI involved, and the steps affected individuals should take to protect
themselves from harm. In cases where a breach involves more than 500 individuals, the covered
entity is required to notify the media as well as HHS.

Importantly, the risk of and responsibility for an EPHI breach is not limited to the covered entity.
Business associates of a covered entity—including entities both “covered” under HIPAA and
entities that are not defined as “covered” such as some third party administrators and health record
vendors—also are required to notify an affiliated covered entity of an EPHI breach, and the covered
entity must then provide the affected persons with notice. In this sense the integrity of EPHI is the
responsibility of all business associates in the chain, regardless of where the EPHI is physically
located.



Defining a Breach
Regarding EPHI, HHS generally defines a breach as the unauthorized acquisition, access, use or
disclosure of protected health information in violation of the HIPAA Security Rule. HHS provides for
three exceptions to its definition of “breach”:

• The unintentional acquisition, access, or use of EPHI by an employee or individual acting
under the authority of the covered entity or business associate (e.g., a physician’s
assistant mistakenly sends an accounting employee an email containing a patient’s EPHI);

• The inadvertent disclosure of EPHI from a person authorized to access EPHI at a covered
entity or business associate to another person authorized to access EPHI at the covered
entity or business associate; and

• Disclosures in which an unauthorized recipient would not reasonably have been able to
retain the EPHI (e.g., if a covered entity mistakenly sends an explanation of benefits to the
wrong person, which is then returned by the Post Office, unopened)

Distinguishing between an “Unsecured” and a “Secured” EPHI Breach
HHS rules for notification of breach of EPHI apply only to “unsecured” EPHI; there is no obligation
to provide notice for breaches of “secured” EPHI. This is an important distinction for covered entities
and businesses associated with personal health records (PHR). To qualify as “secured,” a covered
entity must use a technology or methodology to safeguard EPHI so that it is “unusable, unreadable,
or indecipherable to unauthorized individuals.”

Encryption of EPHI Recommended
HHS guidance cites the HIPAA Security Rule’s encryption standard as an appropriate methodology
for safeguarding EPHI. Although HIPAA’s Security Rule requires the safeguarding of EPHI, encryption
is not required under HIPAA. Comparable alternatives such as firewalls and other access controls
are also acceptable. However, if a covered entity chooses to encrypt EPHI pursuant to the new
HHS guidance, the EPHI shall be considered “secured” for the purposes of the breach notification
rule. If a breach of that encrypted EPHI is later discovered, then the covered entity is not required
to provide notice since the information will not be considered “unsecured.” In this sense, encryption
undertaken in conformance with the HHS guidance works as a “safe harbor” from the breach
notification requirements.

Figure 1. HIPAA Adoption: Timeline of Healthcare Security Legislation [figure not reproduced in this extraction]



Keys to Successfully Safeguarding EPHI
Safeguarding EPHI requires management and implementation tasks that range across the entire
business enterprise. While a comprehensive examination of every specific step to do this is beyond
the scope of this paper, the following recommendations from Redspin can help a healthcare
organization get on the right track. These recommendations are based on years of Redspin’s IT
security assessment consulting work with dozens of leading companies.

Key #1: Organizational Attitude
The companies most successful at safeguarding electronic information tend to be those that
demonstrate a true commitment to information security across the entire enterprise—not just within
the IT arena. A complete Information Security Program (ISP) surely covers IT security, and may
also include items such as facilities availability and contingency, disaster preparedness, employee
safety, human resource confidentiality, etc. The most effective ISP takes a risk-based approach,
balancing potential risks against the convenience and expense to mitigate identified risks.

Key #2: View IT Security as a Competitive Advantage
Savvy companies understand that IT security can be more than a cost center—in fact it can be
a competitive advantage. In ever increasing amounts, the heart of an enterprise is found in the
proper collection, storage, communication, availability, integrity, and protection of electronic data.
Companies that experience IT security breakdowns are subject to damaging consequences that
can limit competitiveness, such as:

• Large monetary penalties from regulators

• Loss of mission-critical IT systems including web applications, business associate networks
and internal networks

• Breach notifications to customers/patients and the media (reputation damage)

• Legal action by affected customers/business associates/vendors

• Theft and/or misuse of the data itself

Key #3: Focus on the Process of Security
Redspin consistently observes that the most secure IT systems are found in organizations which
implement and follow well-documented security policies and procedures, which periodically review
and adjust these policies and procedures, and which monitor and measure compliance to industry
best practices such as ISO 27002. Interestingly, having the latest and greatest array of technical
“gear” such as firewalls, wireless infrastructure, virtualization, and vulnerability management
software appears to lead to a false sense of security in many cases. Without the disciplined
management of organizational processes to manage and monitor the effectiveness of IT security
solutions, the best gear can be compromised.

Key #4: Include Business Associates in EPHI Security Programs
As the exchange of electronic health information becomes more pervasive, all entities in the chain
bear responsibility for safeguarding EPHI. A breakdown anywhere in the chain affects all entities,
both practically and legally speaking. For example, the Department of Health and Human Services
has made clear that a business associate’s breach of EPHI may require the notification of the
customers/patients of all entities with access to the EPHI. Organizations are therefore encouraged
to collaborate with business associates on the implementation of EPHI security programs. It may
be appropriate for business contracts to address the scope of business associates’ EPHI security
requirements/compliance, the cost of breach notification, the need for independent security
assessments and other related issues.

Key #5: Conduct Independent Security Assessments
Safeguarding EPHI is a dynamic endeavor—constant vigilance is required. The IT security environment
is becoming ever more complex: new IT security tools, software updates, wireless infrastructure,
web application development, workstation upgrades, off-site data storage/recall, and vendor/
business associate network development are just a few of the items that add complexity—and
therefore risk—to a company’s goal for EPHI confidentiality, integrity and availability.



HIPAA law requires covered entities to conduct routine evaluations of the effectiveness of EPHI
security programs, policies, and procedures. An independent security assessment that evaluates
EPHI security against potential security risks, in a format accordant with HIPAA Security Standards,
is recommended. Independent security assessments may also include the evaluation of business
associates with whom health data is exchanged. A high quality EPHI security assessment will:

1. Comprehensively evaluate all Standards of the HIPAA Security Rule

2. Stratify security risks according to a level of urgency in terms of the potential business
impact of a HIPAA Security Rule breach

3. Provide specific recommendations on how to effectively nullify EPHI security threats

4. Follow a repeatable pathway so that EPHI security risks can be efficiently re-evaluated
after changes are implemented

5. Maintain complete independence from the sales and management of EPHI security
products

Glossary
ARRA: The American Recovery and Reinvestment Act of 2009. A large economic stimulus bill
signed into law by President Obama in February 2009.

Business Associate: An entity that does business with a Covered Entity, as defined by HIPAA.
A business associate of a Covered Entity may or may not be a Covered Entity itself. Regardless, the
actions of Business Associates impact each of the other organizations as it concerns safeguarding
EPHI.

Covered Entity: A healthcare industry organization that is subject to the laws and standards of
HIPAA.

EHR: Electronic Health Record

EPHI: Electronic Protected Health Information. Similar to protected health information (PHI), but
distinguished by its electronic form.

HHS: The Department of Health and Human Services, a branch of the US federal government.

HIPAA: Health Insurance Portability and Accountability Act of 1996. A large and comprehensive
law dealing with numerous aspects of healthcare programs, including the privacy and security of
health information.

HIPAA Security Rule: The portion of HIPAA law that specifically focuses on safeguarding
EPHI—ensuring the confidentiality, integrity and availability of the data.

HIPAA Security Standards: A set of standards and implementation specifications required of
covered entities for the safeguarding of EPHI.

HITECH: The Health Information Technology for Economic and Clinical Health Act. A component
of ARRA that promotes the adoption and meaningful use of health information technology by
providing monetary incentives for healthcare entities that implement electronic health records, and
by eventually penalizing those entities that do not adopt electronic health records.

ISP: An Information Security Program provides the framework of the necessary processes and
procedures to manage risk to information assets.

OCR: Office for Civil Rights. The office within HHS responsible for enforcing HIPAA Security
and Privacy laws, and investigating allegations of PHI violations.



About Redspin
Redspin, Inc. delivers the highest quality, independent Information Security Assessments through
technical expertise, business acumen and objectivity. Redspin customers include leading companies
in the industries of healthcare, financial services, hotels, casinos and resorts, as well as retailers
and technology providers. Some of the largest communications providers and commercial banks
rely upon Redspin to provide effective technical solutions tailored to their business context, allowing
them to reduce risk, maintain compliance and increase the value of their business unit and
IT portfolios.
www.redspin.com
