The HIPAA Security Rule: Questions and Answers

Just a few short years ago, employers and their vendors and advisors struggled to understand and implement the privacy rules mandated by the Health Insurance Portability and Accountability Act (HIPAA). The privacy rules took effect April 2003 for “large” group health plans—defined as plans with premiums (in the case of insured plans) or claims (in the case of self-funded plans) of $5,000,000 or more. The privacy rule effective date was April 2004 for all other group health plans. But privacy is only one part of a larger suite of “administrative simplification” rules. Administrative simplification refers, of course, to the streamlining of the U.S. health care system, with a focus on the adoption of uniform standards for the electronic storage and transmission of medical records.

The administrative simplification rules apply to “covered entities,” which include health plans, health care providers, and health care clearinghouses. As a practical matter, the focus is on hospitals and physicians. Employer-sponsored group health plans appear to be something of an afterthought, and they don’t always fit naturally with the rule’s basic concepts. For example, employers are treated as separate legal entities from their group health plans—an approach that is counterintuitive to say the least.

The rules governing the electronic transmission of medical data are referred to alternatively as the “transactions and code set rules” or the rules governing “electronic data interchange” (EDI). For all but the largest group health plans, employers generally outsource compliance with the EDI rules. Compliance with the privacy rule, on the other hand, requires varying levels of employer involvement depending on whether the group health plan is self-funded or fully insured. The security rule is more like the privacy rule in this regard. It will be difficult if not impossible for affected employers to rely entirely on outside vendors for compliance.
Set out below, in question and answer format, is a primer for employers concerning their compliance with the HIPAA security rule.

QUESTION 1: Why should I even care about the HIPAA security rule?

Two reasons—first, it’s the law, and second, there are significant penalties for violating the rule.

NOTE: To date, the regulators have been in “education” mode, preferring to encourage voluntary compliance rather than imposing sanctions. But this is certain to change.

QUESTION 2: You mentioned that the employer and the plan are separate entities—what’s that all about, and who is it that is really being regulated here?

Employer-sponsored group health plans are covered entities that are subject to the security rule, but employers are not covered entities. The final security rule acknowledges this, saying: “Consistent with the statute and the policy of the Privacy Rule, this final rule does not require non-covered entities to comply with the security standards.”[1] This statement can be misleading. While it is true that employers in their capacity as such are not covered entities, employer-sponsored group health plans are covered entities that must comply. An employer’s group health plan does not run itself; rather, it relies on the employer to provide it with a “workforce,” and workforce members often need access to Protected Health Information (PHI).

QUESTION 3: When does the HIPAA security rule take effect?

The HIPAA security rule generally takes effect April 21, 2005. “Small” group health plans, however, have a delayed effective date. They need not comply until April 21, 2006. Small plans are those with less than $5 million in annual “receipts.” For insured plans, “receipts” means annual premiums. For self-funded plans, “receipts” means claims as reported on the plan’s annual report (but it does not include stop-loss premiums).
The Centers for Medicare & Medicaid Services (CMS) has provided guidance on this issue on its website (http://questions.cms.hhs.gov) in the form of a frequently asked question: “How should a health plan determine what receipts to use to decide if it is a ‘small health plan’?”

QUESTION 4: What is the purpose of the HIPAA security rule, and how does it differ from the privacy rule?

While the privacy rule tells us which individuals may have access to medical information, when, and under what circumstances, the security rule prevents unlawful access to that information. The final security rule addresses only the security of information in electronic format—so-called “electronic Protected Health Information” (ePHI). But the privacy rule has its own “mini-security” requirements that address data stored in other than electronic format. It is because of these provisions, for example, that paper medical records are generally kept in locked file cabinets.

QUESTION 5: What is “electronic Protected Health Information”?

“Electronic protected health information” is the same as PHI as used under the privacy rule, except that it is limited to PHI in electronic form. Under the final security rule, covered entities that engage in the electronic storage and transmission of health information are required to take reasonable and appropriate steps to secure ePHI while in their custody or in transit. The final security rule establishes a series of 18 security “standards” covering administrative, physical and technical safeguards, which, according to the Department of Health and Human Services (HHS), are based on “generally accepted security procedures.” (All 18 standards are described in the appendix to this advisory.) The term “standard” for purposes of the final security rule means a baseline security requirement. For some but not all of these standards, the rule also prescribes “implementation features.” An implementation feature explains how to go about satisfying the standard.
Example: The “security awareness and training” standard requires the covered entity to “[i]mplement a security awareness and training program for all members of its workforce.” The corresponding “implementation specification” further mandates security reminders, protection from malicious software, login monitoring and password management.

The implementation specifications are further classified as “required” or “addressable.” While the covered entity must adopt those that are required, it can choose alternative ways to comply with those that are addressable, or it can choose not to comply, so long as (in each case) the reason for the alternative or non-compliance is reasonable and documented. The implementation specifications of the security awareness and training standard, for example, are addressable. This means that they need not be followed to the letter if there is a good reason to deviate.

QUESTION 6: Basically, what does the security rule require?

The final security rule requires covered entities—which include employer-sponsored group health plans—to:
QUESTION 7: Our group health plan is with XYZ insurance company, and they take care of everything for us. Why should this be an exception?

One of the most difficult concepts to get across to employers when discussing their group health plan is this: the insurance company or HMO through which benefits are provided is not the group health plan. Rather, the insurance company or HMO is a vendor to the plan. According to the U.S. Supreme Court, the “plan” is the set of promises that the employer makes to its employees respecting health care, together with the supporting administrative scheme that enables the employer to make good on its promise. Lacking competence in plan operation, most employers hire an outside vendor, such as an insurer, to handle the particulars. What makes this confusing is that the terms of the insurance contract provide many of the material terms of the plan. As noted above, it is the set of promises/administrative scheme that HIPAA regulates as a separate covered entity for which the employer is generally responsible. Where employees of the employer make up the plan’s workforce, and where these individuals get ePHI in the course of administering the plan, the HIPAA security rules are implicated and compliance is required. While an insurance company, consultant or broker might be able to lend assistance, compliance with the HIPAA security rule is usually the employer’s responsibility. (But see Q&A 8 below regarding employers that do not have access to any ePHI.)

QUESTION 8: Our company never sees any PHI, so we don’t need to worry about this rule, right?

It depends. If you are a small employer with an insured group health plan that is “community-rated,” then you generally don’t get PHI, so you may not be affected. Community-rated plans are usually plans with 50 or fewer participants, but some carriers will community-rate groups of 100 or even 250 participants.
If you sponsor an insured plan that is “experience-rated,” then you have a choice of receiving or not receiving PHI. But most sponsors of experience-rated plans want access to PHI, since they usually want to understand why their premiums are going up 40% in a year.

NOTE: There is an exception under the privacy rule for so-called “summary health information,” with respect to which the compliance burden is substantially reduced. This exception carries over into the security rule.

If you sponsor a self-funded plan, then compliance with the security rule is required. This is so because, even if you rely on an administrative-services-only provider, the plan sponsor or someone associated with the sponsor generally has access to claims and payment data on an ongoing basis and usually has final claims adjudication authority. Simply put—if you currently comply with the HIPAA privacy rule, and if you transmit or receive PHI electronically, then it’s a safe bet that you will need to comply with the security rule.

QUESTION 9: What if I just transmit enrollment and dis-enrollment information?

This is a tricky question. The security rules apply to covered entities, and (as indicated above) the employer is not a covered entity. So if the employer transmits enrollment information, the security rule does not apply. But some large plans (as opposed to employers) retain an outside enrollment firm to handle enrollment and dis-enrollment. These intra-plan transmissions are subject to the security rule.

QUESTION 10: Can’t we just rely on our insurer or our administrative-services-only provider to comply with the security rule?

If your plan is self-funded, then this is difficult, if not impossible. Even if you hire an insurance company to provide administrative services, the bottom-line responsibility generally rests with the employer. The same issues arise for an insured plan where the employer needs or wants access to ePHI.
QUESTION 11: What if we only see PHI on paper and do not get anything electronically?

Then you are not subject to the security rule. But as electronic processing of data becomes the standard, it will become increasingly difficult to do this. Where an employer does opt to use only paper, faxes will pose a challenge. Information transmitted via a telephone or paper-to-paper fax is not in electronic form before transmission and therefore is not subject to the security rule. But a request for information from a computer made via voice or telephone keypad input, with the requested information returned as a fax, is covered, because the telephone and fax are being used as input and output devices for computers.

QUESTION 12: So how much effort (and money) will this require?

The good news is that the rule at least claims to be flexible in this regard. Employer-sponsored health plans are permitted under the rule to “use any security measures that allow the covered entity to reasonably and appropriately implement” the rule, taking into account “such things as cost, size, complexity, technical infrastructure, other capabilities, and the likelihood of potential security risks when determining the scope and sophistication of its security compliance program.”

NOTE: This does not mean that you can use cost as an excuse to not comply at all. The regulators flatly rejected this reading of the rule: “While cost is one factor a covered identity [sic] may consider in determining whether to implement a particular implementation specification, there is nonetheless a clear requirement that adequate security measures be implemented.... Cost is not meant to free covered entities from this responsibility.”[2] The requirement that covered entities “ensure” integrity and confidentiality sets a very high bar. Compliance with the security rule is a risk management issue.
According to HHS, an entity’s risk analysis and risk management measures must be designed to lead to the implementation of measures that comply with the rule. The rule also places a great deal of emphasis on detecting security breaches (which it refers to as “security incidents”).

QUESTION 13: All right, you convinced me that my company’s plan is subject to the security rule. Now what do we do?

There are five basic steps to HIPAA security compliance:

(A) Plan Amendment. An employer that needs or wants access to ePHI must amend its plan to conform to the rule, in a manner similar to the privacy rule.

(B) Design and document a set of policies and procedures. Most corporate IT professionals have little trouble understanding the substance of the 18 security standards, and most employers’ IT infrastructure is up to the task of complying. But what is required is a standard-by-standard review of the security requirements, with decisions as to how each will be dealt with. In the case of addressable standards, this might result in a decision to forgo complying altogether based on some supportable rationale. The decisions made with respect to implementation must be documented.

NOTE: It is here that the security rule diverges from the privacy rule in one very important practical respect. Many employers and plans were able to begin with and adapt model privacy procedures furnished by their vendors, trade associations or other third parties. But compliance with the security rule is far more dependent on the particular facts and circumstances of each case. It will be correspondingly more difficult, therefore, to prepare a useful model or template. This will require more custom drafting, with its attendant higher cost.

(C) Train the Workforce. As was the case with the privacy rule, the members of the plan’s workforce (and perhaps others) must be trained in security awareness.

(D) Update Business Associate Agreements.
Business associate agreements with your plan vendors need to be amended to comply with the security rule. (Note that in an insured plan, the insurance company is itself a covered entity, so no business associate agreement is necessary. An insurance company that provides administrative services to a self-funded plan, however, is a business associate.)

(E) Appoint a Security Officer. Just as the privacy rule requires a privacy officer, the security rule requires the designation of a security officer. While the same person may occupy both posts, it may be difficult to find a single individual with the requisite skills to handle both jobs.

The security rule was written primarily with health care providers in mind, and when applied to group health plans it strikes a discordant note. Plan sponsors will find these rules burdensome and, as is the case with the privacy rule, will look to their vendors to shoulder the compliance burden. But as explained above, the security rule does not entirely lend itself to “outsourcing.” For employers facing the April 2005 compliance deadline, it’s time to begin compliance efforts in earnest.

* * * * *

We have assisted many plan sponsors with HIPAA compliance. If you need help with your HIPAA security compliance, please contact Alden Bianchi, Peter Marathas, Tom Greene, or Charles Grace at 617.542.6000, or visit us on the web at www.mintz.com. We would be delighted to work with you.

[1] 68 Fed. Reg. 34, p. 8358 (2003).
[2] 68 Fed. Reg. 34, p. 8343 (2003).

APPENDIX - Summary of the HIPAA Security Standards

Administrative Safeguards
Physical Safeguards
Technical Safeguards
Copyright © 2005 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. The above has been sent as a service by the law firm of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. and may be considered an advertisement or solicitation under Federal law. The distribution list is maintained at Mintz Levin’s main office, located at One Financial Center, Boston, Massachusetts, 02111. If you no longer wish to receive electronic mailings from the firm, please notify our marketing department at that mailing address or by sending a separate e-mail addressed to unsubscribe@mintz.com with “unsubscribe” in the subject.