HIPAA Security Rule Compliance in Municipal Organizations
By Jeffrey Morgan
I am always astonished by the number of organizations I encounter that are not in compliance with the HIPAA Security Rule (45 CFR Parts 160, 162 and 164). If you are running a County government, for instance, there is a high probability that one or more of your departments are covered entities and have an obligation to comply with this regulation. Human Resources, Public Health, Mental Health, Social Services, the County Jail, the County Home, Probation, Courts, and Child and Adult Protective Services may all be covered entities and may process, store, transmit and manage Protected Health Information (PHI). While many covered entities have complied with the Privacy Rule, my observation has been that many of them are not in compliance with the Security Rule. Is your organization in compliance?
According to the Department of Health and Human Services (HHS), a covered entity is one of the following:
- A Health Care Provider
  - Nursing Homes
- A Health Plan
  - Health Insurance Companies
  - Company Health Plans
  - Government Programs that pay for health care, such as Medicare, Medicaid, and Military and Veterans health care programs
- A Health Care Clearinghouse
In the list above, I have highlighted entities that are likely to exist in a municipal government operation. Do you have covered entities in your organization? If so, are you in compliance with both the Privacy and Security Rules? You can view HIPAA as an onerous compliance issue, or you can view it as an opportunity to address critical security issues in your organization. Regardless of how you feel about it, it is federal law and there may be severe consequences and penalties for failure to comply.
A Brief History
The HIPAA Security Rule was adopted in 1996 and the Final Rule was published in 2003. Compliance for most covered entities was required in 2005. After more than 30 years of dealing with organizational security and Information Security Policies for government entities, I have come to the conclusion that the best way to handle HIPAA is to bring the entire organization up to the HIPAA Security Rule standards. Why would I suggest this?
A Solid Foundation
The HIPAA Security Rule provides a pretty good foundation and framework for an Information Security Policy even if you are not a covered entity. There are more than 3000 County governments in the United States and more than 19,000 municipal entities. Many of them don’t have any type of Comprehensive Information Security Policy. Even if you are not managing a covered entity, you should have a solid Information Security Policy. You may not be protecting PHI, but you have plenty of other information that should be protected. In my opinion, the lack of a security policy in an organization responsible for collecting, storing, and managing large amounts of sometimes sensitive public information constitutes organizational malpractice. If you get sued for a catastrophic breach, the courts are likely to agree with this assessment.
Roles and Responsibilities
Who should be responsible for HIPAA Security Rule Compliance or Information Security Compliance in your organization? There is no easy answer to this question, but as the Executive responsible for the organization as a whole, compliance is ultimately your responsibility. At another level, Information Security is everyone’s responsibility. The law has been on the books for 20 years and compliance has been required for the last 11 years. “I didn’t know” is no longer an acceptable response. But maybe you really didn’t know? You have a lot on your plate, but now is the time to fix it.
I will provide you with one possible high-level look at how responsibilities might be distributed. First, someone in your organization should fill the role of an Information Security Officer. Depending on the size of your organization, this may only need to be a part-time role. Nevertheless, you need a go-to person for problems, policies, issues, and questions about Information Security. Because of conflicts of interest, this role should never be delegated (in my opinion) to a person on the Information Technology staff. Attorneys, or staff members with backgrounds in law enforcement, security, regulatory compliance or investigation are often good choices for this role.
Privacy Rule issues should probably be handled by individual departments based on their exposure, but there should be some organization-wide privacy policies as well. The HIPAA Security Rule covers physical security, technical and electronic security, and administrative security issues, so those roles will be filled by different, applicable departments or subject matter experts. For instance, compliance with the physical security components may be addressed by someone in your Facilities department.
As far as technical safeguards and full compliance with the Security Rule are concerned, that is a discussion for another article.
Sample Compliance Matrix
In the table below, I have included a sample compliance matrix. If you are a covered entity, or have departments that are covered entities, your Information Security Policy should contain, at a minimum, these elements. Take a look at your policy and see if it measures up.
| HIPAA Security Rule Compliance Matrix | R/A | Reference |
|---|---|---|
| Risk Management (R) | R | III.6 |
| Sanction Policy (R) | R | III.1 |
| Information System Activity Review (R) | R | III.7 |
| Assigned Security Responsibility 164.308(a)(2) (R) | R | III.8 |
| Workforce Security 164.308(a)(3) | | |
| Authorization and/or Supervision (A) | A | III.9.A |
| Workforce Clearance Procedure | | III.9.B |
| Termination Procedures (A) | A | III.9.C |
| Information Access Management 164.308(a)(4) | R | |
| Isolating Health Care Clearinghouse Function (R) | NA | NA |
| Access Authorization (A) | A | III.10. |
| Access Establishment and Modification (A) | A | III.10 |
| Security Awareness and Training 164.308(a)(5) | A | III.11.A |
| Security Reminders (A) | A | III.11.B |
| Protection from Malicious Software (A) | A | III.11.C |
| Log-in Monitoring (A) | A | III.11.D |
| Password Management (A) | A | III.11.E |
| Security Incident Procedures 164.308(a)(6): Response and Reporting (R) | R | III.12 |
| Contingency Plan 164.308(a)(7) | R | III.13 |
| Data Backup Plan (R) | R | III.13.A |
| Disaster Recovery Plan (R) | R | III.13.D |
| Emergency Mode Operation Plan (R) | R | III.13.D |
| Testing and Revision Procedure (A) | A | III.13.F |
| Applications and Data Criticality Analysis (A) | A | III.13.G |
| Evaluation 164.308(a)(8) (R) | | III.14 |
| Business Associate Contracts and Other Arrangement 164.308(b)(1) | | III.15 |
| Written Contract or Other Arrangement (R) | | III.15 |
| Facility Access Controls 164.310(a)(1) | A | IV.1 |
| Contingency Operations (A) | A | III.13.D |
| Facility Security Plan (A) | A | IV.1.B |
| Access Control and Validation Procedures (A) | A | IV.1.B |
| Maintenance Records (A) | A | IV.1.C |
| Workstation Use 164.310(b) (R) | R | IV.2 |
| Workstation Security 164.310(c) (R) | R | IV.3 |
| Device and Media Controls 164.310(d)(1) | R | IV.4 |
| Media Re-use (R) | R | IV.4.C |
| Accountability (A) | A | IV.4.A, IV.4.B |
| Data Backup and Storage (A) | A | IV.4.D |
| Technical Safeguards (see § 164.312) | | |
| Access Control 164.312(a)(1) | R | V |
| Unique User Identification (R) | R | V.1.A |
| Emergency Access Procedure (R) | R | III.18.A, V.1.B |
| Automatic Logoff (A) | A | IV.3 |
| Encryption and Decryption (A) | A | V.1.D |
| Audit Controls 164.312(b) (R) | R | V.2.A |
| Integrity 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A) | A | V.2.B |
| Person or Entity Authentication 164.312(d) (R) | R | V.2.B |
| Transmission Security 164.312(e)(1) | A | V.3.A |
| Integrity Controls (A) | A | V.2.B |
If you would like to discuss Information Security or HIPAA Security Rule compliance in your organization, e-mail me at email@example.com. I would be happy to discuss your specific case.
Copyright © Jeffrey Morgan 2016