The HIPAA Security Rule: Implications for Researchers and IRBs
Daniel Masys, M.D.
Director of Biomedical Informatics
Director, Human Research Protections Program
Professor of Medicine
UCSD School of Medicine
dmasys@ucsd.edu

Topics
• Information security principles
• HIPAA basics: definitions
• Relationship of the Privacy and Security Rules
• Security Rule elements
• Implications for research
• Impact on IRBs

“Universal” Information Security Elements
• Authentication – a person or system is who they purport to be (preceded by Identification)
• Access Control – only authorized persons, for authorized uses
• Integrity – information content is not alterable except under authorized circumstances
• Attribution/non-repudiation – actions taken are reliably traceable

HIPAA, not HIPPA :-)
“Misspelling is not a violation of the Rule”
– Director, US Office of Civil Rights, speaking at UCSD, 2/5/03

HIPAA Definitions
• Health information means any information, whether oral or recorded in any form or medium, that:
  1) Is created or received by a health care provider…, and
  2) Relates to past, present, or future physical or mental health or condition of an individual… or provision of health care… or payment for provision of health care.

HIPAA Definitions
• “Covered entity” – the organization responsible for HIPAA compliance.
• Protected Health Information (PHI) – information generated in the course of providing healthcare that can be uniquely linked to an individual.
• Information “use” = use within the organization
• Information “disclosure” = release outside the organization

Security Rule: Basic Concepts
• Applies security principles well established in other industries
• Like the Privacy Rule, affects Covered Entities that create, store, use or disclose Protected Health Information (PHI)
• Unlike the Privacy Rule, affects only PHI in electronic format (not oral or paper-based)
• Like the Privacy Rule, written for health care; research is not the principal focus
• Scalable: burden is relative to the size and complexity of the organization

Two Types of Rule Elements
1. Required standards
2. “Addressable” standards
   – The CE must decide whether the standard is reasonable and appropriate to the local setting, and the cost to implement
   – Can either:
     1. Implement the standard as published
     2. Implement some alternative (and document why)
     3. Not implement the standard at all (and document why)

Three Categories of Standards
• Administrative safeguards – policies and procedures to prevent, detect, contain and correct information security violations
• Physical safeguards – IT equipment and media protections
• Technical safeguards – controls (mostly software) for access, information integrity, audit trails

Administrative Safeguards
• Required
  1. Risk Analysis
  2. Risk Management Plan
  3. Sanctions Policy
  4. Information System Activity Review (audits)
  5. Security Incident Response & Reporting
  6. Data Backup Plan
  7. Disaster Recovery Plan
  8. Emergency Mode Operations
  9. Periodic Evaluations of Standards Compliance

Administrative Safeguards
• Addressable
  1. Workforce security authorizations
  2. Workforce clearance procedure
  3. Information access authorization procedures
  4. Procedures for establishing and modifying access privileges
  5. Security training
  6. Log-in management
  7. Password management
  8. Virus protection
  9. Security reminders

Physical Safeguards
• Required
  1. Workstation Use Analysis
  2. Workstation Security
  3. Disposal of media
     – deletion of PHI prior to disposal, or
     – secure disposal so that data are nonrecoverable
  4. Media Reuse
     – deletion of PHI prior to re-use

Physical Safeguards
• Addressable
  1. Facility access contingency plans
  2. Facility security plan
  3. Physical access control and validation
  4. Accountability for physical access
  5. Data Backup and Storage

Technical Safeguards
• Required
  1. Unique User Identification
     – no shared logins
  2. Emergency access procedures
  3. Audit controls
     – logs of who created, edited or viewed PHI
  4. Person and/or Entity Authentication
     – no systems without access control

Technical Safeguards
• Addressable
  1. Automatic logoff
  2. Encryption
  3. Authentication of the integrity of stored and transmitted PHI

Implications for Research
• Avoid HIPAA Security Rule entanglements if possible by:
  – Thoughtful definition of the Covered Entity with respect to research activities
    • E.g., the University of California is a Hybrid Covered Entity; research is not a covered function except for research that uses or creates medical records
  – Use of de-identified data and/or Limited Data Sets wherever possible
  – Not storing PHI in electronic format in research settings

Excerpt from Text of HIPAA Security Rule
8338 Federal Register / Vol. 68, No. 34 / Thursday, February 20, 2003 / Rules and Regulations
The term “covered entity” is defined at § 160.103 as one of the following: (1) A health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a …transaction
Researchers who are members of a covered entity’s work force may be covered by the security standards as part of the covered entity. See the definition of “workforce” at 45 CFR 160.103. Note, however, that a covered entity could, under appropriate circumstances, exclude a researcher or research division from its health care component or components (see § 164.105(a)). Researchers who are not part of the covered entity’s workforce and are not themselves covered entities are not subject to the standards.

If a research project maintains e-PHI…
• The responsible group must designate a Security Officer who has responsibility for implementing HIPAA-compliant policies and procedures for research use of e-PHI
• Must do and document a risk analysis
• Must create a risk management plan based on the risk analysis
• Must create and keep current a HIPAA Security Rule compliance document that includes a description of how the 17 Required elements are met, and decisions regarding the Addressable elements

HIPAA Risk Analysis Elements
1. Inventory of all sources of e-PHI
2. Listing of who has access, when and where (including home)
3. Outline of the flow of e-PHI
4. Listing of storage locations and capacities
5. Listing of current security measures
6. Analysis of potential confidentiality breaches

Widespread Current Research Practices That Don’t Meet the Standard
• Research workgroups that create or use PHI in electronic format but have no written security procedures, policies or training
• Workstations with no login security (e.g., Windows 98)
• Data management and analysis applications used to store PHI that have no ability to generate audit trails
  – E.g., Excel spreadsheets with PHI in them

Implications for IRBs
• Include a separate research plan element entitled “Data Management Procedures” in the IRB research plan submission, that addresses:
  – Whether the project includes PHI, and if so whether it is kept as e-PHI
  – Whether the PI and staff are aware of the HIPAA Security Rule and agree to comply with it
  – Whether physical and technical safeguards for person-identifiable research data appear reasonable and adequate

Implications for IRBs
• Committee educational programs needed on:
  – General principles of information security
  – Specific requirements of the HIPAA Security Rule, effective April 2005
• Possible use of ad hoc IT security consultants for review of projects with high information management complexity or high IT security risk

Conclusions
• Compared to the Privacy Rule, the Security Rule is potentially far more disruptive and costly for clinical researchers
• Decisions made for the Privacy Rule regarding the Covered Entity definition and covered functions have profound impacts on Security Rule implementation
• IRBs will need to begin education for committee members and investigators soon in order to reduce instances of noncompliance by April 2005

For More Information on the HIPAA Security Rule
• HHS HIPAA website: aspe.hhs.gov/admnsimp
• Centers for Medicare & Medicaid Services (CMS) HIPAA website: www.cms.hhs.gov/hipaa
• Phoenix Health Systems HIPAA Advisory Site: http://www.hipaadvisory.com/action/models.htm

This PowerPoint presentation is available online at: http://irb.ucsd.edu/operations.shtml
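The following is an added example, not part of the original presentation and not code from UCSD or any HIPAA guidance. It shows, in a few dozen lines of Python, what the Technical Safeguards slides ask for and what the "Excel spreadsheet with PHI" practice lacks: unique user identification (no shared logins), person authentication on every access, automatic logoff after an idle period, an audit trail of who viewed or edited which record, and an integrity check on the stored audit trail. The names `PhiStore`, `AuditLog`, `INDIVIDUAL_ACCOUNTS` and `SAMPLE_PHI` are assumptions of this example, the patient records are constructed, and the HMAC chain over audit entries is one mechanism chosen here for integrity authentication, not one the Rule prescribes.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple

# Constructed sample e-PHI records for the demo; these are not real patients.
SAMPLE_PHI: Dict[str, Dict[str, str]] = {
    "MRN-0001": {"name": "Sample Patient A", "dx": "constructed diagnosis"},
    "MRN-0002": {"name": "Sample Patient B", "dx": "constructed diagnosis"},
}

# Constructed roster of individually assigned accounts. Unique User Identification
# means every login maps to one person, so generic or shared accounts are absent.
INDIVIDUAL_ACCOUNTS = {"researcher_a", "researcher_b"}


class AuditLog:
    """Audit controls: who created, edited or viewed PHI, and when.

    Each entry's tag is an HMAC over the entry body plus the previous tag, so
    altering, reordering or deleting an entry is caught by verify().
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Tuple[str, str]] = []  # (JSON body, hex HMAC tag)
        self._prev_tag = b""

    def record(self, user_id: str, action: str, record_id: str, ts: float) -> None:
        body = json.dumps(
            {"user": user_id, "action": action, "record": record_id, "ts": ts},
            sort_keys=True,
        )
        tag = hmac.new(self._key, self._prev_tag + body.encode(), hashlib.sha256).hexdigest()
        self.entries.append((body, tag))
        self._prev_tag = tag.encode()

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, dropped or reordered."""
        prev = b""
        for body, tag in self.entries:
            expected = hmac.new(self._key, prev + body.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, tag):
                return False
            prev = tag.encode()
        return True

    def actions(self) -> List[str]:
        return [json.loads(body)["action"] for body, _ in self.entries]


class PhiStore:
    """e-PHI access layer: individual logins only, automatic logoff after
    idle_seconds without activity, and an audit entry for every view or edit."""

    def __init__(self, records: Dict[str, Dict[str, str]], audit_key: bytes,
                 idle_seconds: float = 900.0) -> None:
        self._records = {k: dict(v) for k, v in records.items()}
        self._idle = idle_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}  # session -> (user, last activity)
        self.audit = AuditLog(audit_key)

    def login(self, user_id: str, now: float) -> str:
        if user_id not in INDIVIDUAL_ACCOUNTS:
            raise PermissionError(f"not an individually assigned account: {user_id!r}")
        session = secrets.token_hex(8)
        self._sessions[session] = (user_id, now)
        self.audit.record(user_id, "login", "-", now)
        return session

    def _authorize(self, session: str, now: float) -> str:
        """Person authentication on every call, plus the idle-timeout check."""
        if session not in self._sessions:
            raise PermissionError("no active session")
        user_id, last_active = self._sessions[session]
        if now - last_active > self._idle:
            # Automatic logoff: the idle session is ended and the event logged.
            del self._sessions[session]
            self.audit.record(user_id, "auto_logoff", "-", now)
            raise PermissionError("session ended after inactivity")
        self._sessions[session] = (user_id, now)
        return user_id

    def view(self, session: str, record_id: str, now: float) -> Dict[str, str]:
        user_id = self._authorize(session, now)
        self.audit.record(user_id, "view", record_id, now)
        return dict(self._records[record_id])

    def edit(self, session: str, record_id: str, changes: Dict[str, str], now: float) -> None:
        user_id = self._authorize(session, now)
        self._records[record_id].update(changes)
        self.audit.record(user_id, "edit", record_id, now)

    def is_logged_in(self, session: str) -> bool:
        return session in self._sessions


if __name__ == "__main__":
    store = PhiStore(SAMPLE_PHI, b"constructed-audit-key")
    s = store.login("researcher_a", now=0.0)
    print(store.view(s, "MRN-0001", now=10.0))
    print(store.audit.actions(), store.audit.verify())
```

Timestamps are passed in explicitly so the idle-timeout behaviour can be exercised deterministically; a real deployment would take them from the clock, keep the audit key out of the application's own data store, and write entries to append-only storage rather than an in-memory list.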