The HIPAA Security Rule: Implications for Researchers and IRBs

Daniel Masys, M.D.
Director of Biomedical Informatics
Director, Human Research Protections Program
Professor of Medicine
UCSD School of Medicine
[email protected]

Topics

• Information security principles
• HIPAA basics: Definitions
• Relationship of Privacy and Security Rules
• Security Rule elements
• Implications for Research
• Impact on IRBs

“Universal” Information Security Elements

• Authentication - a person or system is who they purport to be (preceded by Identification)
• Access Control - only authorized persons, for authorized uses
• Integrity - Information content not alterable except under authorized circumstances
• Attribution/non-repudiation - actions taken are reliably traceable

HIPAA, not HIPPA :-)

“Misspelling is not a violation of the Rule”
Director, US Office of Civil Rights, speaking at UCSD, 2/5/03

HIPAA Definitions

• Health information means any information, whether oral or recorded in any form or medium, that:
1) Is created or received by a health care provider…, and;
2) Relates to past, present, or future physical or mental health or condition of an individual…or provision of health care…or payment for provision of health care.

HIPAA definitions

• “Covered entity” - organization responsible for HIPAA compliance.
• Protected Health Information (PHI) - information generated in the course of providing healthcare that can be uniquely linked to the individual
• Information “use” = use within organization
• Information “disclosure” = release outside of organization

Security Rule: Basic Concepts

• Applies security principles well established in other industries
• Like Privacy Rule, affects Covered Entities that create, store, use or disclose Protected Health Information (PHI)
• Unlike the Privacy Rule, affects only PHI in electronic format (not oral or paper-based)
• Like the Privacy Rule, written for health care; research not the principal focus
• Scalable: burden relative to size and complexity of organization

Two types of Rule elements

1. Required standards
2. “Addressable” standards
– CE must decide whether the standard is reasonable and appropriate to the local setting, and cost to implement
– Can either
1. Implement the standard as published
2. Implement some alternative (and document why)
3. Not implement the standard at all (and document why)

Three Categories of Standards

• Administrative safeguards
– Policies and procedures to prevent, detect, contain and correct information security violations
• Physical Safeguards
– IT equipment and media protections
• Technical Safeguards
– Controls (mostly software) for access, information integrity, audit trails

Administrative Safeguards

• Required
1. Risk Analysis
2. Risk Management Plan
3. Sanctions Policy
4. Information System Activity Review (audits)
5. Security Incident Response & Reporting
6. Data Backup Plan
7. Disaster Recovery Plan
8. Emergency Mode Operations
9. Periodic Evaluations of Standards Compliance

Administrative Safeguards

• Addressable
1. Workforce security authorizations
2. Workforce clearance procedure
3. Information access authorization procedures
4. Procedures for establishing and modifying access privileges
5. Security training
6. Log-in management
7. Password management
8. Virus protection
9. Security reminders

Physical Safeguards

• Required
1. Workstation Use Analysis
2. Workstation Security
3. Disposal of media
– deletion of PHI prior to disposal, or
– Secure disposal so data nonrecoverable
4. Media Reuse
– Deletion of PHI prior to re-use

Physical Safeguards

• Addressable
1. Facility access contingency plans
2. Facility security plan
3. Physical access control and validation
4. Accountability for physical access
5. Data Backup and Storage

Technical Safeguards

• Required
1. Unique User Identification
– No shared logins
2. Emergency access procedures
3. Audit controls
– Logs of who created, edited or viewed PHI
4. Person and/or Entity Authentication
– No systems without access control

Technical Safeguards

• Addressable
1. Automatic logoff
2. Encryption
3. Authentication of the integrity of stored and transmitted PHI

Implications for Research

• Avoid HIPAA Security Rule entanglements if possible by:
– Thoughtful definition of Covered Entity with respect to research activities
• E.g., University of California is Hybrid Covered Entity; research not a covered function except for research that uses or creates medical records
– Use of de-identified data and/or Limited Data Sets wherever possible
– Not storing PHI in electronic format in research settings

“…Researchers who are members of a covered entity’s work force may be covered by the security standards as part of the covered entity. See the definition of ‘‘workforce’’ at 45 CFR 160.103. Note, however, that a covered entity could, under appropriate circumstances, exclude a researcher or research division from its health care component or components (see § 164.105(a)). Researchers who are not part of the covered entity’s workforce and are not themselves covered entities are not subject to the standards.”

Excerpt from Text of HIPAA Security Rule
8338 Federal Register / Vol. 68, No. 34 / Thursday, February 20, 2003 / Rules and Regulations

The term ‘‘covered entity’’ is defined at § 160.103 as one of the following: (1) A health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction

If a research project maintains e-PHI…

• Responsible group must designate a Security Officer who has responsibility for implementing HIPAA-compliant policies and procedures for research use of e-PHI
• Must do and document a risk analysis
• Must create risk management plan based on the risk analysis
• Must create and keep current a HIPAA Security Rule compliance document that includes description of how 17 Required elements are met, and decisions regarding Addressable elements

HIPAA Risk Analysis Elements

1. Inventory of all sources of e-PHI
2. Listing of who has access, when and where (including home)
3. Outline flow of e-PHI
4. Listing of storage locations and capacities
5. Listing of current security measures
6. Analysis of potential confidentiality breaches

Widespread current research practices that don’t meet the standard

• Research workgroups that create or use PHI in electronic format but have no written security procedures, policies or training
• Workstations with no login security (e.g., Windows98)
• Data management and analysis applications used to store PHI that have no ability to generate audit trails
– E.g., Excel spreadsheets with PHI in them

Implications for IRBs

• Include separate research plan element entitled “Data Management Procedures” in IRB research plan submission, that addresses
– Whether project includes PHI, and if so whether it is kept as e-PHI
– Whether PI and staff are aware of HIPAA Security Rule and agree to comply with it
– Whether physical and technical safeguards for person-identifiable research data appear reasonable and adequate

Implications for IRBs

• Committee educational programs needed on
– General principles of information security
– Specific Requirements of HIPAA Security Rule effective April, 2005
• Possible use of ad hoc IT security consultants for review of projects with high information management complexity or high IT security risk

Conclusions

• Compared to the Privacy Rule, the Security Rule is potentially far more disruptive and costly for clinical researchers
• Decisions made for the Privacy Rule regarding Covered Entity definition and covered functions have profound impacts on Security Rule implementation
• IRBs will need to begin education for committee members and investigators soon in order to reduce instances of noncompliance by April 2005

For More Information on the HIPAA Security Rule

• HHS HIPAA website: aspe.hhs.gov/admnsimp
• Centers for Medicare & Medicaid Services (CMS) HIPAA website: www.cms.hhs.gov/hipaa
• Phoenix Health Systems HIPAA Advisory Site: http://www.hipaadvisory.com/action/models.htm

This PowerPoint presentation is available online at: http://irb.ucsd.edu/operations.shtml