Final HIPAA Security Standards
CMS's final HIPAA Security Standards rule (Security Rule), published February 20, 2003, establishes security standards and implementation specifications to guide covered entities toward compliance with the security requirements mandated under HIPAA. 68 Fed. Reg. 8334 (Feb. 20, 2003). CMS notes in the final Security Rule that the proposed rule, 63 Fed. Reg. 43,242 (Aug. 12, 1998), elicited approximately 2,300 timely public comments, many of which CMS responds to in the final rule. According to CMS, both the proposed and the final security standards are based on three concepts derived from the Administrative Simplification Provisions of HIPAA, which call for the standards to be (1) comprehensive and coordinated to address all aspects of security; (2) designed to be effectively implemented by covered entities of all types and sizes; and (3) independent of specific technologies, permitting covered entities to make use of future technological advances.

The comments received in response to the proposed rule, CMS believes, validate its assumption that the entities affected by the security standards are so varied in technology, size, resources, and relative risk that it would have been impossible to dictate a specific solution or set of solutions applicable to all covered entities. Consequently, the final Security Rule adopts both "required" and "addressable" implementation specifications; CMS introduced the concept of addressable implementation specifications to give covered entities flexibility in complying with certain security standards. Before discussing the specifics of the final Security Rule, it is worth taking a closer look at the difference between the Security Rule and the Privacy Rule.
Although security and privacy are inextricably linked, the two rules differ in scope. The security standards prescribe administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. The Privacy Rule, on the other hand, sets standards for handling protected health information by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their protected health information. Thus, the Security Rule addresses only protected health information in electronic form, whereas the Privacy Rule addresses protected health information in any form.

The Security Rule's provisions can be broken down into six substantive categories: security standards, administrative safeguards, physical safeguards, technical safeguards, organizational requirements, and policies and procedures and documentation requirements. The general Security Standards provisions at 45 C.F.R. § 164.306 require covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains, or transmits. CMS provides explicitly for a "flexibility of approach" to these standards, discussing various factors covered entities must consider in complying with them, including the size, complexity, and capabilities of the covered entity. In the preamble, CMS notes that an entity's risk analysis and risk management measures must be designed to lead to the implementation of security measures that comply with the general provisions of the Security Rule. CMS also notes that implementing reasonable and appropriate security measures supports compliance with the privacy standards, just as inadequate security increases the risk of privacy violations.
The general provisions further explain the difference between required and addressable implementation specifications. Covered entities must meet required implementation specifications; with respect to addressable implementation specifications, they must "assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information." 45 C.F.R. § 164.306(d)(3). Thus, covered entities will be required to make individualized determinations as to whether each addressable specification should be implemented, given the entity's size, operations, systems, and similar factors.

The Administrative Safeguards provisions at 45 C.F.R. § 164.308 require covered entities to establish a formal security management process involving the creation, administration, and oversight of policies that address the full range of security issues, in order to ensure the prevention, detection, containment, and correction of security violations. By design, this process requires a risk analysis and the implementation of measures to reduce risk, including sanctions and processes to review system activity. The final Security Rule does not contain the internal audit requirements proposed in the August 12, 1998 rule; instead it adopts an "information system activity review" provision that requires covered entities to implement procedures to regularly review records of information system activity, "such as" audit logs, access reports, and security incident tracking reports.
The Administrative Safeguards provisions also require: assignment of final responsibility for a covered entity's security to one official in the organization; implementation of work force security provisions, including maintaining records of access authorization; establishment of personnel clearance procedures; maintenance of personnel security policies and procedures; implementation of a security awareness and training program for all members of the work force, including management; implementation of policies and procedures to address security incidents; and development of a contingency plan for establishing and implementing, as needed, policies and procedures for responding to emergencies or other incidents such as fire, vandalism, system failure, or natural disaster.

The Physical Safeguards requirements, 45 C.F.R. § 164.310, address contingency operations, the security plan, media controls, physical access controls, disposal and re-use of media, policies and guidelines on workstation use, and secure workstation locations. Consistent with CMS's stated intention to make these requirements reasonable depending on the nature of the covered entity, some of these provisions are required while the majority are addressable.

The Technical Safeguards section of the Security Rule, 45 C.F.R. § 164.312, addresses access control, including requirements for unique user identification, emergency access procedures, automatic logoff, and encryption and decryption capabilities. The Technical Safeguards provisions also include specific requirements for audit controls; integrity, i.e., implementing policies and procedures to protect electronic protected health information from improper alteration or destruction; entity or person authentication; and transmission security. Again, some of these provisions are required while the rest are addressable.

The Organizational Requirements, at 45 C.F.R. § 164.314, direct covered entities to assure, through business associate contracts, that their business associates have implemented administrative, physical, and technical safeguards that will reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that the business associate creates, receives, maintains, or transmits on behalf of the covered entity. Under the Security Rule's Policies and Procedures and Documentation Requirements, at 45 C.F.R. § 164.316, a covered entity must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the Security Rule. A covered entity may change its policies and procedures at any time, provided that the changes are documented and implemented in accordance with the Security Rule.

This overview of the final Security Rule's provisions should shed some light on what CMS will expect covered entities to comply with when the Security Rule takes effect. As noted in the preamble, while the effective date of the final Security Rule was April 21, 2003, covered entities, with the exception of small health plans, must comply with the requirements of the rule by April 21, 2005. Small health plans have an additional year, until April 21, 2006, in which to achieve compliance. Although two to three years may sound like a lot of time, covered entities are well advised to begin thinking about compliance issues soon, because many of the required systems and processes will demand substantial lead time for appropriate planning, development, and implementation. Faced with such a task, April 21, 2005 does not seem all that far away.

Copyright © 2003, Ober, Kaler, Grimes & Shriver