The Journal of The DuPage County Bar Association

Vol. 17 (2004-05)

HIPAA - Here We Go Again! How The Security Rule May Affect Your Clients
By Monique Warren

Remember, "HIPPO" has two "P"s and one "O" and is a large mammal with short legs and a big mouth. "HIPAA" has one "P" and two "A"s and is a large addition to the Social Security Act with a short acronym and a big pain. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, a law into which Congress packed a smorgasbord of provisions dealing with everything from "job lock" to health data security. The public’s first introduction to HIPAA was related to the portability provisions under which the United States Departments of Labor, Treasury, and Health and Human Services (HHS) promulgated regulations prohibiting Health Plans from discriminating on the basis of health conditions and requiring Health Plans to permit "special enrollments," among other things.[1] The idea was that pre-existing condition limitations and other health insurance restrictions discouraged workers from changing jobs. After HHS issued the Privacy Rule, the public became aware of "HIPAA Privacy Rights" which, for many, just means additional paperwork in doctors’ offices and another confusing notice from insurers and group health plans.

As if we all hadn’t heard enough about HIPAA after the issuance of the Privacy Rule,[2] now we have to deal with its late-blooming cousin, the Security Rule. Together with HIPAA’s privacy and electronic data interchange provisions, the security provisions compose what our United States Congress ironically labeled "Administrative Simplification" legislation.[3] Of course, compliance with the related regulations seems to most clients as anything but simplification. At a minimum, covered entities have had to change at least some business operations, negotiate new contract provisions with service providers, create new policies and procedures, train staff members, issue wordy notices, and add more layers of recordkeeping and administration.

The Security Rule is designed to complement the Privacy Rule requirements with which some of your clients may already have wrestled. While the Privacy Rule focuses on confidentiality of individually-identifiable health information in any format, the Security Rule focuses on availability, integrity, and confidentiality of electronic individually-identifiable health information. Thus, the Security Rule is broader than the Privacy Rule in its purpose but narrower in its reach, as it applies only to "electronic protected health information" or "e-PHI," as I’ll call it from now on.

The compliance deadline for the Security Rule is April 21, 2005 (one year later for small Health Plans) and implementation of a compliance program for most covered entities will take several months. Therefore, if you have clients that are covered entities, it is time to help them develop a compliance program.

Do you have clients that are Employers who sponsor Group Health Plans? Health Care Providers? Health Insurers? Each of these is a covered entity under HIPAA or, in the case of your employer clients, a fiduciary of one or more HIPAA covered entities. Additionally, there is another covered entity category – dubbed "Health Care Clearinghouse" under HIPAA – that is largely a creature of the Rules themselves. Scan your client list and see which of your clients fit into one or more of the following categories:

Health Care Providers. Only Health Care Providers that engage in certain electronic transactions are HIPAA covered entities.[4] Having said that, virtually all of your hospital, physician, clinic, and emergency service clients do engage in the specified electronic transactions. The covered electronic transactions include things like filing claims, inquiring about a patient’s health coverage, and making referrals and pre-authorizations. Because Medicare claims must be submitted electronically now and most providers bill Medicare, even small physician offices that do no other electronic billing are covered. Often overlooked are ambulance services and public health centers operated by local government units. In most cases, the local government unit providing these kinds of services bills Medicare electronically. Unfortunately, a provider entity does not escape HIPAA’s broad reach by hiring a billing service to process the provider’s Medicare claims. The provider entity is still a HIPAA covered entity and the billing service is its "Business Associate."

The e-PHI your Health Care Provider client is likely to have includes treatment and prescription records, appointment schedules, billing and insurance information, and other data relating to individual patients’ health treatment that is stored or transmitted electronically. This information and the systems used to store and transmit it must be safeguarded as prescribed in the Security Rule.

Health Plans. The second category of HIPAA covered entities, Health Plan, includes health insurers, health maintenance organizations (HMOs), and group health plans sponsored by your employer clients.[5] Health insurers and HMOs tend to be well aware of, and generally in compliance with, HIPAA’s requirements. However, many employers are unaware of HIPAA’s privacy and security requirements and, consequently, many employer-sponsored group health plans are woefully noncompliant. Virtually every employer sponsors a group health plan. Group health plans include plans providing medical and dental coverage, as well as most employee assistance plans and health care flexible spending accounts. Your employer client may sponsor a self-funded or a partially- or fully-insured plan for its employees. If the plan is self-funded or partially-insured or if your client performs any administration of the plan, then your client is the plan’s fiduciary, which means your client is responsible for the plan’s HIPAA compliance.

The e-PHI your Health Plan client is likely to have includes participant coverage information, participants’ claims, and other data about individual participants’ health benefit utilization that is stored or transmitted electronically.

Health Care Clearinghouses. A Health Care Clearinghouse is an entity that converts nonstandard transactions into HIPAA standard transactions and vice-versa. A medical billing service that takes a paper claim, converts it into electronic format, and transmits the claim to the payer is an example of a Health Care Clearinghouse. Most of these entities are on top of their HIPAA compliance requirements because their very existence depends upon it.

Once you have identified your clients that are HIPAA covered entities, make sure they know what to do in order to comply with the Security Rule between now and April. In particular, make sure that your physician and employer clients are aware of their HIPAA compliance responsibilities as these kinds of clients are least likely to be adequately informed.

What to do, Spec-by-Spec. Before we start a "to-do" list, let’s get some perspective on the Security Rule landscape. In general, the Security Rule requires your covered entity clients to implement safeguards to ensure the confidentiality, integrity, and availability of e-PHI; to protect against reasonably anticipated security breaches of e-PHI; and to ensure compliance by its workforce. Think of the Security Rule as having multiple layers. First, there are three categories of safeguards: (1) Administrative safeguards include the covered entity’s policies and procedures on electronic information access and management, contingency planning, and workforce training. (2) Physical safeguards include those measures that restrict physical access to buildings, individual offices, and desks and files where e-PHI is stored or accessible. (3) Technical safeguards include password protection, encryption, and electronic tracking of access to e-PHI. Are you still with me? Under each of the three categories, the regulations set forth general standards and, finally, the regulations provide specifications for implementing those standards.

Some of the implementation specifications are labeled "required" and others are "addressable." If the specification is labeled "required," then your covered entity client must implement it as it is described in the regulations. If, on the other hand, the specification is labeled "addressable," your client can (a) implement it as described, (b) implement an alternative, or (c) do nothing at all. Isn’t that neat?! Of course, as you might suspect, to "do nothing at all" really doesn’t mean to do nothing at all…at all. At the very least, your client will have to make a record of the evaluation of options and the rationale for its decisions. In addition to the implementation specifications the Security Rule sets forth requirements for contracts with a covered entity’s business associates, health plan document requirements (pertinent to your employer clients), and other documentation and organizational requirements.

Many of the items and systems mentioned in various implementation specifications actually overlap in the real world. This reality might tempt some clients (especially those that are sophisticated about their information technology systems) to approach HIPAA security compliance in a way that makes sense in the real world. However, because the Security Rule requires a covered entity to document its considerations, decisions, and activities in connection with each implementation specification, most clients approach HIPAA security compliance in a ‘spec-by-spec’ fashion.

Table 1 on page 11, adapted from the Security Rule, shows the implementation specifications under each standard.[6]

For most clients, HIPAA security compliance can’t be accomplished without the involvement of the client’s information technology guru, whether that is an employee or vendor. An information technology professional can assist at each step on the spec-by-spec to-do list: assessment, planning, and implementation. Thankfully, HHS recognizes that different covered entities have different amounts and kinds of e-PHI, different levels of risk associated with the security of that e-PHI, and different resources available for safeguarding e-PHI. Thus, the Security Rule provides for "flexibility of approach" in connection with compliance.[7]

Assessment. Starting with a table or matrix that lists each implementation specification under each standard, your covered entity client should identify the e-PHI, data sources and systems, and workforce members or vendors involved. Additionally, your client should describe the current security measures in place that relate to each specification. Many clients already will have safeguards in place that may meet some of the implementation specifications. Where current security measures do not meet a "required" Security Rule specification, the client will need to move on to the steps below, i.e., plan how it is going to close the gap, implement the gap-closing measure, and repeat the assessment to test the effectiveness of that measure. (Oh, and – document, document, document!) Where current security measures do not meet an "addressable" Security Rule specification, the client will need to assess whether the specification is reasonable and appropriate in light of the likelihood that it will protect e-PHI in the client’s environment,[8] and document that assessment. If, in the client’s assessment, the Security Rule specification is reasonable and appropriate, then the client will need to plan and implement gap-closing measures necessary to meet the specification. If, on the other hand, the Security Rule specification is not reasonable and appropriate (and the client has documented this), the client will need to assess alternatives and select one that is equivalent to the Security Rule specification, "if reasonable and appropriate" to do so. Documentation must substantiate the assessment. Do you see paper piling up?

Plan. How will your client close the gap between the status quo and a Security Rule specification or alternative security measure? Under HHS’s "flexibility of approach," your client is to select security measures that allow it to "reasonably and appropriately implement the…specifications as specified…"[9] (it really says that!), taking into account (i) the client’s size, complexity, and capabilities; (ii) its technical infrastructure, hardware, and software capabilities; (iii) the costs associated with the security measure under consideration; and (iv) the "probability and criticality of potential risks" to its e-PHI. When will the gap-closing measures be implemented and by whom? What interim steps must be taken? The details of the client’s gap-closing plan need to be documented.

Implement. Once gap-closing measures have been selected (and documented!) and decisions have been made about how, when, and who will be responsible (and all of that is documented), your client should implement those measures and document the implementation steps and pertinent dates.

Repeat. The Security Rule imposes an ongoing requirement to ensure that security measures remain effective. As new technology becomes available or more affordable, the "reasonable and appropriate" standard may apply differently to a given Security Rule specification than it did when first assessed.

And did I mention the importance of documenting? Obviously, a key to compliance with the Security Rule is meeting the documentation requirements. It begins in the assessment stage and is essential throughout the ongoing compliance program.

What can happen if your client ignores HIPAA. The penalties for general noncompliance with the Security Rule are the same as they are for noncompliance with the Privacy and Transactions Rules. HIPAA provides for civil and monetary penalties of $100.00 per violation and up to $25,000.00 per person for identical violations in a calendar year. A fine of up to $250,000.00 and imprisonment of up to 10 years may be imposed under criminal sanctions. Despite the penalties and sanctions available, HHS seems to have taken the position that the carrot will be more useful than the stick when it comes to HIPAA enforcement. At this point, HHS intends to provide covered entities with guidance and opportunities to correct compliance failures in most, presumably non-egregious, cases.[10] Nevertheless, your clients should not be complacent about getting their security compliance programs in place before the April deadline. HHS is not likely to treat those covered entities that make no effort to comply with kid gloves.

[1] 29 C.F.R. Part 2590, 26 C.F.R. Part 45, and 45 C.F.R. Part 146

[2] Most of the public remains unaware of another slice of the HIPAA regulatory pie, the Transactions Rule, which requires covered entities to use specific codes when electronically transmitting health-related data.

[3] Pub. L. 104-191, amending the Social Security Act

[4] 45 C.F.R. § 160.103

[5] Id.

[6] 45 C.F.R. App. A to Subpart C of Part 164

[7] 45 C.F.R. § 164.306(b)

[8] 45 C.F.R. § 164.306(d)(3)(i)

[9] 45 C.F.R. § 164.306(b)(1)

[10] See, e.g., October 15, 2002 Press Release available at

Monique Warren practices in the area of Employee Benefits Law, including HIPAA and ERISA compliance for employers, QDRO drafting for marital settlements, and employee benefit plan due diligence in Mergers and Acquisitions. She received her undergraduate degree from Texas A&M University and her J.D. from Loyola University Chicago School of Law. Prior to establishing her practice in Wheaton, Illinois, Monique was a member of the Employee Benefits Group of Seyfarth Shaw, LLP, in Chicago.