The HIPAA Security Rule requires administrative, physical, and technical safeguards, detailed under eighteen standards, to ensure the confidentiality, integrity, and availability of electronic protected health information (electronic PHI) that is created, received, maintained, or transmitted by a covered entity such as a health plan or provider. Designed to be technology neutral, the Security Rule allows covered entities to devise policies, procedures, training, and implementation approaches that work with their existing system capabilities, provided the choices are justified by a documented risk analysis.
Every Security Rule standard is mandatory; it is the implementation specifications under the standards that come in two types: required and addressable. Required implementation specifications must be implemented by all covered entities in order to attain and maintain compliance with the Security Rule. "Addressable" implementation specifications provide some flexibility: if the covered entity decides that an addressable implementation specification is not reasonable and appropriate in its environment, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure, but it must document the rationale for that decision. "Addressable" therefore never means "optional."
The Security Rule does not expressly prohibit the use of email for sending electronic PHI. But the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI. The standard for transmission security also includes addressable specifications for integrity controls and encryption. The Security Rule allows for electronic PHI to be sent over an electronic open network as long as it is adequately protected.
The Security Rule makes the use of encryption an addressable implementation specification (under both the access control and transmission security standards). In other words, the Rule mandates no particular encryption algorithm, key length, or format. Covered entities may address this issue in the manner that best suits their requirements, but the choice must follow from the risk analysis and be documented; if encryption is not used, the decision and the alternative measure (or the reason none is needed) must be recorded.
Physical safeguards under the Security Rule are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls.
The Security Rule does not apply to written or oral communications (they are covered under the broader Privacy Rule, which applies to PHI in any form). This includes paper-to-paper faxes, video teleconferencing, and messages left on voice mail, because the information exchanged did not exist in electronic form prior to transmission. The Security Rule does apply to PHI transmitted via telephone voice response and faxback systems, because they are used as input and output devices for computers.
If an individual (i.e., a subscriber or a patient) uses his or her credit or debit card to pay for health care, that payment transaction is exempt from the Security Rule unless the individual making the payment is acting in some capacity on behalf of a covered entity.
Covered entities that allow employees to telecommute or work from home-based offices with access to electronic PHI must implement appropriate safeguards to protect the organization's data. The automatic logoff implementation specification is addressable, but the information access management and access control standards still require the covered entity to implement policies and procedures for authorizing access to electronic PHI, and technical policies and procedures that allow access only to those persons or software programs that have been appropriately granted access rights. In practice this means remote workstations and connections fall within the scope of the same risk analysis, access authorization, and audit controls as on-site systems.