Summary of Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

May 1, 2024 (7mo ago)

NIST SP 800-66r2, with all the tables and annexes is over 100 pages long. It is a great guide, but I needed something a little simpler to work with and ended up with a much shorter version. When implementing the Security Rule, you are highly encouraged to refer to the full guide which contains a lot more information.

All credits of course to the original author, Jeffrey A. Marron.

Executive Summary

SP 800-66r2 aims to help educate readers about the security standards included in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as amended by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH] and the Genetic Information Nondiscrimination Act and Other Modifications to the HIPAA Rules [OMNIBUS], in their implementation of the Security Rule.

The HIPAA Security Rule specifically focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.

The Security Rule is flexible, scalable and technology-neutral. For that reason, there is no single compliance approach that will work for all regulated entities.

The HIPAA SecRule focuses on safeguarding confidentiality, integrity and availability of ePHI. All regulated entities must comply with the Security Rule

The security rule is separated into 6 main sections, each including several standards that a regulated entity must meet. Many of the standards contain implementation specifications.

An implementation specification is a more detailed description of the method or approach to meet a given standard.

Implementation specifications are either required or addressable. Entities must perform an assessment to determine which of the addressable is a reasonable and appropriate safeguard.

The Assessment, Analysis and management of risk to ePHI provides the foundation for a regulated entity Security Rule compliance efforts and the protection of ePHI.

The publication includes mappings of the Security Rule’s standards and implementation specifications to the Security Rule to NIST Cybersecurity Framework (CSF) and NIST 800-53r5 (Security and privacy controls for Information Systems and Organizations).

1. Introduction

“A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

Business associates maintain their own direct liability under the HIPAA Privacy, Security, and Breach Notification Rules (collectively, the “HIPAA Rules”)

Business associates are required to comply with the Security Rule in its entirety; business associate breach notification obligations differ from that of a covered entity; and business associates are subject to liability for only certain provisions of the Privacy Rule.

WARNING: This document does not directly address provisions in the HIPAA Privacy, Breach Notification, or Enforcement Rules.

2. HIPAA Security Rule

The Security Rule applies to the following regulated entities:

  • Healthcare provider (supplies or transmits health information)
  • Health Plans - provides or pays the cost of modecla care (eg: insurances)
  • Healthcare clearinghouses - process healthcare transactions of another entity, transforming data
  • Business Associate - entity that performs activities that involve the use or disclosure of ePHI, on behalf of or provides services to a covered entity. A BA is liable for it sown HIPAA Security Rules violations.

2.1 Security Rule Goals and Objectives

  • Ensure the confidentiality, integrity, and availability of all ePHI that it creates, receives, maintains, or transmits;

  • Protect against any reasonably anticipated threats and hazards to the security or integrity of ePHI;

  • Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule; and

  • Ensure compliance with the Security Rule by its workforce.

Definitions

  • Confidentiality is “the property that data or information is not made available or disclosed to unauthorized persons or processes.”
  • Integrity is “the property that data or information have not been altered or destroyed in an unauthorized manner.”
  • Availability is “the property that data or information is accessible and usable upon demand by an authorized person.”

2.2. Security Rule Organization

The Security Rule is separated into six main sections that each include several standards and implementation specifications that a regulated entity must address.

  1. Security Standards: General Rules — Includes the general requirements that all regulated entities must meet, establishes flexibility of approach, identifies standards and implementation specifications (both required and addressable), outlines decisions that a regulated entity must make regarding addressable implementation specifications, and requires the maintenance of security measures to continue reasonable and appropriate protection of ePHI
  2. Administrative Safeguards — Defined in the Security Rule as the “administrative actions and policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information”
  3. Physical Safeguards — Defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion”
  4. Technical Safeguards — Defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it”
  5. Organizational Requirements — Includes standards for business associate contracts and other arrangements between a covered entity and a business associate and between a business associate and a subcontractor, as well as requirements for group health plans
  6. Policies and Procedures and Documentation Requirements — Requires the implementation of reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the Security Rule; the maintenance of written (may be electronic) documentation and/or records that include the policies, procedures, actions, activities, or assessments required by the Security Rule; and retention, availability, and update requirements related to the documentation

A regulated entity is required to comply with all of the standards of the Security Rule with respect to all of its ePHI. Many of the standards contain implementation specifications (see Table 1). An implementation specification is a more detailed description of the method or approach that regulated entities can use to meet a particular standard.

Implementation specifications are either required or addressable. However, regardless of whether a standard includes implementation specifications, regulated entities must comply with each standard.

  • A required implementation specification is similar to a standard in that a regulated entity must comply with it.

  • To meet the addressable implementation specifications, a regulated entity must (i) assess whether each implementation specification is a reasonable and appropriate safeguard in its environment when analyzed with reference to the likely contribution to protecting the ePHI and (ii) as applicable to the regulated entity:

    • Implement the implementation specification if reasonable and appropriate; or
    • If implementing the implementation specification is not reasonable and appropriate, (1) document why it would not be reasonable and appropriate to implement the implementation specification, and (2) implement an equivalent alternative measure that is reasonable and appropriate.

Regulated entities are required to document these assessments and all decisions

Where there are no implementation specifications identified in the Security Rule for a particular standard, such as for the “Assigned Security Responsibility” and “Evaluation” standards, compliance with the standard itself is required.

Table 1. Security Rule standards and implementation specifications

I don't want to play with you anymore

3. Risk Assessment Guidance

Risk assessment and risk management processes are foundational to a regulated entity’s compliance with the Security Rule and the safeguarding of ePHI.

The purpose of a risk assessment is to identify conditions where ePHI could be used or disclosed without proper authorization, improperly modified, or made unavailable when needed. The results of the risk assessment are used to make risk management decisions on the implementation of security measures required by the Security Rule to bring risk to ePHI into an organizationally established risk tolerance range (i.e., reasonable and appropriate level) or if additional security controls are necessary.

Key Terms Defined

  • Threat events are circumstances or events that can have a negative impact on ePHI (either intentional or unintentional, including misconfigurations, errors, etc.)
  • Threat sources refer to the intent and method targeted at causing harm to ePHI (natural, human, environmental)
  • Vulnerabilities are flaws or weaknesses in a system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat event.
  • Likelihood refers to the probability that a given threat event is capable of exploiting a given vulnerability to cause harm.
  • Impact refers to the magnitude of harm that can be expected to result from the loss of confidentiality, integrity, and/or the availability of ePHI.
  • Risk refers to the extent to which an entity is threatened by a potential circumstance or event. Risk is typically a function of the likelihood and impact calculations.

3.1. HIPAA Risk Assessment Requirements

Standard 164.308(a)(1)(i), Security Management Process, requires regulated entities to:

Implement policies and procedures to prevent, detect, contain, and correct security violations.

The Security Management Process standard includes four required implementation specifications. Two of these specifications deal directly with risk analysis and risk management:

  1. Risk Analysis (R) — 164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

  2. Risk Management (R) — 164.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a).

3.2. How to Conduct the Risk Assessment

Risk assessment methodology described in [IR 8286A] and [SP 800-30].

These steps should be customized to effectively identify risk for a regulated entity. The steps listed are not prescriptive in the order that they should be conducted. Some steps could be conducted simultaneously rather than sequentially.

1. Prepare for the assessment.

Determine where ePHI is created, received, maintained, processed, and transmitted. Identify where ePHI is generated within the organization, where and how it enters the organization (e.g., web portals), where it moves and flows within the organization (e.g., to specific information systems), where it is stored, and where it leaves the organization. Determine whether ePHI is transmitted to external third parties, such as cloud service providers or other service providers. The regulated entity can also note how access to ePHI is controlled and whether ePHI is encrypted in storage and in transit.

Include both physical and logical boundaries.

2. Identify reasonably anticipated threats.

The regulated entity identifies the potential threat events and threat sources that are applicable to it and its operating environment.

3. Identify potential vulnerabilities and predisposing conditions

For any of the various threats identified above to result in an impactful risk, each needs a vulnerability or predisposing condition that can be exploited. A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. A predisposing condition is a condition that exists within an organization, a mission/business process, or information system that contributes to (i.e., increases or decreases) the likelihood that a threat event will result in adverse impacts once initiated.

The regulated entity develops a list of vulnerabilities (i.e., flaws or weaknesses) that could be exploited by potential threat sources.

4. Determine the likelihood that a threat will exploit a vulnerability.

The regulated entity determines the likelihood of a threat successfully exploiting a vulnerability. For each threat event/threat source identified in Step 2, consider:

  • The likelihood that the threat will occur
  • The likelihood that an occurred threat would exploit a vulnerability identified in Step 3 and result in an adverse impact

A regulated entity might consider assigning a likelihood value (e.g., very low, low, moderate, high, or very high) to each threat/vulnerability pairing

5. Determine the impact of a threat exploiting a vulnerability.

The regulated entity determines the impact that could occur to ePHI if a threat event were to exploit a vulnerability. e.g. Loss of Confidentiality, Loss of Integrity, Loss of Availability.

6. Determine the level of risk.

Assess level of risk to ePHI with information gathered and determinations made during the previous steps.

7. Document the risk assessment results.

Regulated entities may benefit from documenting the risk assessment results in a risk register

4. Risk Management Guidance

Based on IR 8286

4.1. HIPAA Risk Management Requirements

Standard 164.308(a)(1)(i), Security Management Process, requires regulated entities to:

Implement policies and procedures to prevent, detect, contain, and correct security

Violations.

The Security Management Process standard includes four required implementation specifications. Two of these specifications deal directly with risk analysis and risk management.

  1. Risk Analysis (R) – 164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
  2. Risk Management (R) – 164.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a)

4.2. Determining Risks to ePHI in Accordance With Organizational Risk Tolerance

NIST IR 8286A presents two concepts — risk appetite and risk tolerance — that may be helpful to regulated entities in managing risk to ePHI.

Risk appetite regarding cybersecurity risks is declared at the enterprise (i.e., highest) level of the organization and provides a guidepost to the types and amount of risk that senior leaders are willing to accept in pursuit of mission objectives.

Risk tolerance represents the specific level of performance risk deemed acceptable within the risk appetite set by senior leadership.

Regulated entities may choose to express risk tolerance qualitatively (e.g., Very Low, Low, Moderate, High, or Very High) in alignment with the guidance presented in Sec. 3.

Risk appetite and risk tolerance are related but distinct. Where risk appetite statements define the overarching risk guidance, risk tolerance statements define the specific application of that direction. This means that risk tolerance statements are always more specific than the corresponding risk appetite statements. Together, risk appetite and risk tolerance statements represent risk limits that can assist regulated entities in managing risk to ePHI.

4.3. Selecting Additional Security Controls to Reduce Risk to ePHI

A regulated entity may determine that there are identified risks to ePHI that cannot be brought within established risk tolerance by any standards, required implementation specifications, or addressable implementation specifications in the Security Rule. Regulated entities should consider implementing additional security controls to reduce the risk to ePHI to established risk tolerance.

4.4. Documenting Risk Management Activities

As with the risk assessment, risk management activities should be documented.

5. Considerations When Implementing the HIPAA Security Rule

This section presents security measures that are relevant to each standard of the Security Rule.

The listed key activities are illustrative and not all-inclusive.

This document does not discuss Section 164.105 of the HIPAA Security Rule, Organizational Requirements, in detail as it does not set out general security principles.

5.1 Administrative Safeguards

5.1.1. Security Management Process (§ 164.308(a)(1))

HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.

  • Identify all ePHI and relevant information systems
  • Conduct risk assessment
  • Implement a Risk Management Program
  • Acquire IT Systems and Services
  • Create a dn Deploy Policies and Procedures
  • Develop and Implement a Sanction Policy
  • Develop and Deploy the IS Activity Review Process
  • Develop Appropriate Standard Operating Procedures
    • eg : audit trails and monitoring procedures

5.1.2. Assigned Security Responsibility (§ 164.308(a)(2))

HIPAA Standard: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

  • Select a Security Official to be assigned for HIPAA Security
  • Assign and Document the Individual Responsibility

5.1.3. Workforce Security (§ 164.308(a)(3))

HIPAA Standard: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

  • Implement Policies and Procedures for Authorization and/or Supervision
  • Establish clear Job Description and Responsibilities
  • Establish Criteria and Procedures for Hiring and Assigning Tasks
    • Staff must possess skills, abilities to fulfill roles
  • Establish a workforce clearance procedure
  • Establish termination procedures

5.1.4. Information Access Management (§ 164.308(a)(4))

HIPAA Standard: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

  • Isolate healthcare Clearinghouse functions (segment)
  • Implement Policies and Procedures for Authorizing access (to ePHI)
  • Implement Policies and Procedures for Access Establishment and Modification (CRUD)
  • Evaluate existing security measures related to access Control

5.1.5. Security Awareness and Training (§ 164.308(a)(5))

HIPAA Standard: Implement a security awareness and training program for all members of its workforce (including management).

  • Conduct a training Needs assessment
  • Develop and Approve a Training Strategy and Plan
  • Protection from Malicious Software, Login Monitoring and Password Management
  • Develop appropriate Awareness and Training content, material and methods
  • Implement the training
  • Implement security reminders
  • Monitor and evaluate the training plan

5.1.6. Security Incident Procedures (§ 164.308(a)(6))

HIPAA Standard: Implement policies and procedures to address security incidents.

  • Determine the goals of an IR procedure
  • Develop and Deploy an OR team (or similar)
  • Develop and Implement Policy and Procedures to respond to and report security incidents
  • Incorporate post-incident analysis into updates and revisions

5.1.7. Contingency Plan (§ 164.308(a)(7))

HIPAA Standard: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

  • Develop a contingency planning policy
  • Conduct an application and data criticality analysis
  • Identify Preventive measures
  • Develop recovery strategy
  • Data backup and disaster recovery plan
  • Develop and implement an emergency mode operation plan
  • Testing and revision procedures

5.1.8. Evaluation (§ 164.308(a)(8))78

HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.

  • Determine whether external or internal evaluation is most appropriate
  • Develop standards for measurements and reviewing all specifications of the security rule
  • Conduct evaluation
  • Document Results
  • Repeat Evaluation Periodically

5.1.9. Business Associate Contracts and Other Arrangements (§ 164.308(b)(1))

HIPAA Standard: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

However,to the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a business associate agreement (BAA). These requirements would need to be agreed upon by both the covered entity and the business associate.

  • Identify entities that are HIPAA Business Associates
  • Establish a process for measuring contract performance and terminating
  • Written contract or other arrangement

5.2. Physical Safeguards

5.2.1. Facility Access Controls (§ 164.310(a))

HIPAA Standard: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

  • Conduct an Analysis of Existing Physical Security Vulnerabilities
    • Data centers, workstations,
  • Identify Corrective Measures
  • Develop a Facility Security Plan
  • Develop Access Control and Validation Procedure
  • Establish contingency operations
    • Restoration of lost data
  • Maintain Maintenance Records

5.2.2. Workstation Use (§ 164.310(b))

HIPAA Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

  • Identify Workstation and Device Types and Functions or Users
    • Inventory
    • Policies per each type of devices
  • Identify the Expected Performance of Each Type of Worksation and Device
    • Proper use and performance
  • Analyze Physical Surroundings for Physical Attribute

5.2.3. Workstation Security (§ 164.310(c))

HIPAA Standard: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

  • Identify All Methods of Physical Access to Worksatations and Devices
  • Analysis the Risk Associated with Each Type of Access
  • Identityfy and Implement Physical Safeguards for Workstations and Sevices
    • Limit access
    • Encryption
    • MfA
    • Screen lock

5.2.4. Device and Media Controls (§ 164.310(d))

HIPAA Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

  • Implement Methods for the Final Disposal of ePHI
  • Develop and Implement Procedures for the Reuse of Electronic Media
  • Maintain Accountability for Hardware and Electronic Media
    • eg: Record of movement
  • Develop Data backup and Storage Procedures
    • Require retrievable exact copy of ePHI
    • Ensure integrity of ePHI during relocation

5.3. Technical Safeguards

5.3.1. Access Control (§ 164.312(a))

HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

  • Analyze Workloads and Pperations to Identify the Access Needs of All Users
  • Identify Technical Access Control Capabilities
    • Include network segmentation
  • Ensure All Users Have Been Assigned a Unique Identifier
  • Develop Access Control Policy and Procedures
  • Implement Access Control Procedures Using Selected Hardware and Software
  • Review and Update Access for Users and Processes
  • Establish an Emergency Access Procedure
    • Procedures for obtaining ePHI during an emergency
    • Identitfy methoods to support business continuity
  • Automatic Logoff and Encryption/Decryption
  • Terminate Access if it is No Longer Required
    • Eg: user recertification to ensure least privilege

5.3.2. Audit Controls (§ 164.312(b))

HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

  • Determine the Activities That Will be Tracked or Audited
  • Select the Tools That Will Be Deployed for Auditing and System Activity Reviews
  • Develop and deploy Information System Activity Review/Audit Policy
    • Document and inform workforce
  • Develop Appropriate Standard Operating Procedures
  • Implement the Audit/System Activity Review Process

5.3.3. Integrity (§ 164.312(c))

HIPAA Standard: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

  • Identify All Users Who Have Been Authorized to Access ePHI
  • Identify Any Possible Unauthorized Sources That May Be Able to Intercept or Modify it
  • Develop the Integrity Policy Requirements
    • Formal written set of integrity requirements
  • Implement Procedures to Address These Requirements
  • Implement a Mechanism to Authenticate ePHI
  • Establish a Monitoring Process to Asses How the Implemeneted Process is Working

5.3.4. Person or Entity Authentication (§ 164.312(d))

HIPAA Standard: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

  • Determine Authentication Applicability to Current Systems/Applications
  • Evaluate Available Authentication Options
  • Select an Implement Authentication Options

5.3.5. Transmission Security (§ 164.312(e)(1))

HIPAA Standard: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

  • Identify Any Possible Unauthorized Sources That May Be Able to Intercept and/or Modify the Information
  • Develop and Implement Transmission Security Policy and Procedures
  • Implement Integrity Controls
  • Implement Encryption

5.4. Organizational Requirements

5.4.1. Business Associate Contracts or Other Arrangements (§ 164.314(a))

HIPAA Standard:

(i) The contract or other arrangement between the covered entity and its business associate required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.

(ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3).

(iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

Covered entities need to be cognizant of differentiating between best practices versus what the Security Rule requires. Vendor management and supply chain risks are important topics due to the potential they have to introduce new threats and risks to organizations. To the extent that such vendors and service providers are business associates, HIPAA treats them the same as covered entities with respect to Security Rule compliance. Covered entities and business associates are required to obtain written satisfactory assurances from business associates that PHI will be protected. Covered entities and business associates are permitted to require more of their business associates and even include more stringent cybersecurity requirements in a BAA. These requirements would need to be agreed upon by both the covered entity and the business associate.

  • Contract Must Provide That Business Associates Will Comply With the Applicable Requirements of the Security Rule
  • Contract Must Provide that the Business Associates Enter into Contracts With Subcontractors to Ensure the Protection of ePHI
  • Contract Must Provide that Business Associates Will Report Security Incidents

5.4.2. Requirements for Group Health Plans (§ 164.314(b))

HIPAA Standard: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to §164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.

  • Amend Plan Documents of the Group Health Plan to Address the Plan Sponsor’s Security of ePHI
  • Amend Plan Documents of the Group Health to Address Adequate Separation
    • Separation between the group health plan and plan sponsor
  • Amend Plan Documents of the Group Health to Address the Security of ePHI Supplied to the plan Sponsor’s Agent and Subcontractors
  • Amend Plan Documents of the Group Health to Address the Reporting of Security Incidents

5.5. Policies and Procedures and Documentation Requirements

5.5.1. Policies and Procedures (§ 164.316(a))

HIPAA Standard: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv).

This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

  • Create and Deploy Policies and Procedures
  • Update the Documentation of the Policy and Procedures

5.5.2. Documentation (§ 164.316(b))

HIPAA Standard: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

  • Draft, Maintain and Update Required Documentation
  • Retain Documentation for at Least Six years
  • Ensure That Documentation is Available to those Responsible for Implementation
  • Update Documentation as Required