SECURITY REQUIREMENTS UNDER HIPAA AND STATE LAWS

Bart A. Lazar, Seyfarth Shaw, LLP

The HIPAA Security Rule Standards and Implementation Specifications establish security guidelines for treating Protected Health Information. However, HIPAA is not the only law applicable to the security of personal data. There are numerous state laws that require the secure destruction of documents containing personal information, and several state laws, particularly in Massachusetts, that require reasonable or specific security measures. These would also likely apply to Electronic Protected Health Information (“EPHI”) collected from residents of particular states, to the extent the EPHI includes “personal information” as defined under the applicable state law (e.g., an individual’s name and Social Security Number, driver’s license number, or credit card or banking information). The Massachusetts law also differs in that it applies specifically to information in non-electronic (i.e., paper) form as well. In this memo we set out the HIPAA security requirements and identify where Massachusetts (MA) or other states provide for the securing of personal data.

A. HIPAA Security Rule Standards and Implementation Specifications

The Security Rule sets out four categories of standards to be met by Covered Entities and Business Associates. Upon becoming compliant with the four standards categories, one will essentially meet the five requirements above. The standards categories are: (1) administrative safeguards, (2) physical safeguards, (3) technical security services, and (4) technical mechanisms. Each of these standards categories contains several subparts, and each subpart contains its own implementation specifications, which are defined as either “required” or “addressable.”

While perhaps self-explanatory, “required” specifications must be implemented, while “addressable” specifications must be assessed to determine whether the specification is reasonable and appropriate for the entity’s environment. If it is reasonable and appropriate, the specification must be implemented. If it is not, one must document why it is not reasonable and appropriate and either implement an alternative that accomplishes the same purpose as the addressable implementation specification or document how the standard is being met without adoption of the implementation specification. Both required and addressable specifications therefore require self-assessment.

It is important to note that the Security Rule is technology-neutral: it does not require Covered Entities to implement a specific security technology (such as one type of firewall). Each Covered Entity and Business Associate must choose the appropriate technology within its budgetary constraints to protect its EPHI, consistent with the Security Rule and with the requirements imposed by contract. We have also noted where Massachusetts requires items that are deemed “addressable” under HIPAA.

B. Steps Toward Security Compliance

Compliance with the HIPAA Security Rule can seem unduly burdensome. Most of our clients have already implemented some of the administrative, technical and physical safeguards, such as locks on doors, passwords to log onto their systems, a receptionist at the front door, procedures to inactivate passwords when an employee is terminated, etc. We suggest taking the following actions to evaluate the reasonable and appropriate safeguards you should take to protect EPHI:

1. Conduct an Initial Assessment and Detailed Risk Analysis

It is important to identify and document the projected flow of EPHI into, out of and stored within your organization. Evaluate the probability and criticality of potential risks to the EPHI and vulnerable spots, particularly points of receiving or transferring information. For Massachusetts compliance, this would also include paper and electronic data that contain Personal Information.

2. Determine What Security Measures are Appropriate and Reasonable

The Security Rule does not require Covered Entities – and by extension Business Associates – to protect EPHI against all possible risks. Furthermore, the Security Rule does not assume that Covered Entities have unlimited resources to implement security methods. Instead, the Security Rule requires protection against reasonably anticipated risks to the EPHI after evaluating the entity’s capabilities to develop adequate security measures. By documenting the decisions it makes in terms of which measures it can reasonably implement, COMPANY can help meet the Security Rule standards. For Massachusetts, this is required as well for Personal Information.

3. Develop, Implement and Document Security Policies and Procedures

The Security Rule requires systematic documentation of a number of policies, procedures and decisions, including addressable implementation specification decisions made by an organization. For example, if an entity determines that it is not necessary to encrypt EPHI when sending it over the Internet, the decision needs to be formally documented and approved by the company. Typically, all documentation (e.g., policies and procedures) required under the Security Rule must be maintained for a period of six years from the date of its creation or the date it was last in effect, whichever is later. While some of our clients have made the determination that it is too expensive to encrypt EPHI or have chosen to password protect files containing EPHI when sent through Internet email, we recommend utilizing 128-bit encryption under such circumstances as a standard practice. For Massachusetts, this is required as well for Personal Information. There is more specificity as to the policies and procedures to adopt, which will be described further below.

21140440v.3 ©2015 Bart A. Lazar


4. Training and Evaluation

Effective security policies and procedures need to be coupled with effective training in order to achieve maximum effectiveness and value. This training should be tailored to your specific security policies and procedures and should educate all workforce members about the requirements of the Security Rule, why it is important to protect EPHI, and the policies adopted by your entity to comply with the rule. Compliance with the Security Rule is an evolving process rather than a one-time analysis. Security policies, procedures and controls should be regularly reviewed and modified as necessary to take into account changing business processes and technological modifications. Although largely unchanged since its inception, the Security Rule is also subject to modification by the Centers for Medicare and Medicaid Services (“CMS”) or the courts. For Massachusetts, training is required as well for any individuals who have access to Personal Information.

C. Description of Safeguards and Implementation Specifications

1. Administrative Safeguards – Require administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect EPHI and to manage the conduct of COMPANY’s workforce in relation to the protection of that information. Massachusetts requires that the comprehensive security program be in writing and be in one place.

a. Security Management Process – Prevent, detect, contain and correct security violations.

i. Risk Analysis (Required) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of EPHI held by COMPANY. Massachusetts requires identifying and assessing the internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Personal Information, and evaluating current safeguards and means for detecting and preventing security system failures.

ii. Risk Management (Required) – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA security regulations.

iii. Sanction Policy (Required) – Apply appropriate sanctions against employees who have access to EPHI and/or members of the workforce who fail to comply with Policies and Procedures. Massachusetts requires implementation and evaluation of employee compliance with policies and procedures.


iv. Information System Activity Review (Required) – Implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.

v. Security Policy Re: Access and Use Outside of Business (MA) – Massachusetts requires the development of security policies that set forth whether and how employees should be allowed to keep, access, and transport records containing personal information outside of business premises.

b. Assigned Security Responsibility – Designate a Security Official who will be responsible for developing and implementing a HIPAA Security Policy. Massachusetts permits one or more people to have this responsibility.

c. Workforce Security – Ensure that all Responsible Persons have appropriate access to EPHI and prevent access by other members of the workforce.

i. Authorization and/or Supervision (Addressable) – Implement procedures for the authorization and/or supervision of Responsible Persons who work with EPHI or in locations where EPHI might be accessed.

ii. Workforce Clearance Procedure (Addressable) – Determine that the access of a workforce member to EPHI is appropriate.

iii. Termination Procedure (Addressable, MA Required) – Implement procedures for terminating access to EPHI when the employment of a workforce member ends or as required by workforce clearance procedures. Under Massachusetts law, terminated employees must be prevented from accessing records containing personal information by terminating their physical and electronic access to such records, including deactivating their passwords and user names.

d. Information Access Management – Authorize access to EPHI, consistent with HIPAA security regulations.

i. Access Authorization (Addressable) – Grant access to EPHI, for example, through access to a workstation, transaction, program, process or other mechanism.

ii. Access Establishment and Modification (Addressable) – Implement policies and procedures to establish, document, review and modify access.

e. Security Awareness and Training – Implement a security awareness and training program for all people who have access to EPHI (“Responsible Persons”). Massachusetts requires the implementation and evaluation of ongoing employee training (which must include temporary and contract employees).


Training must include the proper use of the computer security system and the importance of personal information security.

i. Security Reminders (Addressable) – Provide periodic security updates.

ii. Protection from Malicious Software (Addressable, MA Required) – Guard against, detect and report malicious software. Usually one person in IT is given responsibility for this aspect, and regularly scheduled sweeps are performed (in our experience daily or weekly). Massachusetts requires providing reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and which is set to receive the most current security updates on a regular basis.

iii. Log-in Monitoring (Addressable) – Monitor log-in attempts and report discrepancies.

iv. Password Management (Addressable, MA Required) – Provide procedures for creating, changing and safeguarding passwords. Typically, a password complexity policy is adopted, with 9 or 10 characters, alphanumeric characters and symbols required, no names or e-mail addresses permitted, and passwords that must change every 3-6 months. Massachusetts requires providing a reasonably secure method of assigning and selecting passwords (or use of an alternative authentication technology such as biometrics or token devices). Massachusetts also requires that passwords be unique and not be vendor-supplied default passwords.

v. Password Security (MA) – Massachusetts requires control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect.

f. Security Incident Procedures – Address security incidents (the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations).

i. Response and Reporting (Required) – Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to COMPANY; and document security incidents and their outcomes. This means adopting an incident response protocol.

ii. Document Responses (MA) – Massachusetts requires the documentation of responsive actions taken in connection with any incident involving a breach of security, as well as mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
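As an added illustration (not part of the memo), the password complexity policy described under Password Management can be written down as a check that an application or help-desk script runs before accepting a new password: minimum length, letters plus digits plus symbols, no fragment of the user's name or e-mail address, no vendor-supplied default, and a rotation age. The 9-character minimum, the 90-day rotation period and the default-password list are assumptions chosen from the ranges the memo gives.

```python
import re
from datetime import date

# Assumed values: the memo gives ranges (9 or 10 characters, rotation every 3-6 months);
# the constants below pick one point in each range.
MIN_LENGTH = 9
MAX_AGE_DAYS = 90
# Constructed list of vendor-supplied defaults; a real deployment would load the vendors' own lists.
VENDOR_DEFAULTS = {"admin", "password", "changeme", "welcome1", "Passw0rd!"}


def _identity_tokens(full_name, email):
    """Fragments of the user's name and e-mail address that must not appear in the password."""
    tokens = {email.lower()}
    local_part = email.split("@", 1)[0].lower()
    tokens.add(local_part)
    for part in re.split(r"[\s.\-_]+", f"{full_name} {local_part}".lower()):
        if len(part) >= 3:          # ignore initials and very short fragments
            tokens.add(part)
    return sorted(tokens)           # sorted so the first reported fragment is deterministic


def check_password(password, full_name, email):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    lowered = password.lower()
    for token in _identity_tokens(full_name, email):
        if token in lowered:
            problems.append(f"contains name or e-mail fragment '{token}'")
            break
    if lowered in {d.lower() for d in VENDOR_DEFAULTS}:
        problems.append("vendor-supplied default password")
    return problems


def password_expired(last_changed_iso, today_iso, max_age_days=MAX_AGE_DAYS):
    """True when a password set on last_changed_iso (YYYY-MM-DD) is due for rotation."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > max_age_days
```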

g. Contingency Plan – Establish policies and procedures for responding to an emergency or other occurrence that damages systems containing EPHI.

i. Data Backup Plan (Required) – Create and maintain retrievable exact copies of EPHI. Most of our clients do daily back-ups, with off-site storage of back-up tapes in a secure facility.

ii. Disaster Recovery Plan (Required) – Provide procedures to restore lost data.

iii. Emergency Mode Operation Plan (Required) – Enable continuation of critical business processes for protection of the security of EPHI while operating in emergency mode.

iv. Testing and Revision Procedure (Addressable) – Provide procedures for periodic testing and revision of contingency plans.

v. Applications and Data Criticality Analysis (Addressable) – Determine the criticality of all application-based components and the potential losses which may be incurred if these components were not available for a period of time. This enables the formulation of alternative processing strategies, solutions and systems/data recovery plans.

h. Evaluation (Required) – Perform a periodic technical and non-technical evaluation, based initially on the standards implemented under the adopted policies and procedures and subsequently in response to environmental or operational changes affecting the security of EPHI, that establishes the extent to which the adopted policies and procedures meet the requirements of the HIPAA Security Rule. We have seen companies handle these evaluations themselves or outsource them to law firms or technology or HIPAA consultants. Massachusetts law is comparable, requiring regular monitoring to ensure that the security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information, and upgrading information safeguards as necessary to limit risks. Massachusetts requires that the review or evaluation be performed on at least an annual basis or whenever there is a change in business practices.

i. Subcontractor Contracts and Other Arrangements – A Business Associate is required to impose obligations on any subcontractor in the same way Covered Entities must impose obligations on Business Associates. Therefore, a Business Associate will need to obtain satisfactory assurances that any subcontractor with whom it contracts to create, receive, maintain or transmit EPHI on a customer’s behalf will appropriately safeguard the EPHI in accordance with the HIPAA regulations.

j. Written Contract (Required) – Obtain assurances in a written, legally enforceable contract.

Similarly, Massachusetts requires taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including selecting and retaining service providers that are capable of maintaining safeguards for personal information, and contractually requiring service providers to maintain such safeguards. Illinois law also requires contracts with third-party service providers disposing of information: anyone contracting with a third party to dispose of records must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information. Maryland and Rhode Island law require contracts with third parties to include reasonable security procedures.

2. Physical Safeguards – Require security measures to protect Covered Entities’ electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

a. Facility Access Controls – Limit physical access to COMPANY’s electronic information systems and the facilities in which they are housed, while allowing authorized access. Typically this involves instituting keycards or locked doors, and having numerical locks on doors that connect to locations where servers are located. Visitors in secure locations should be accompanied.

i. Contingency Operations (Addressable) – Establish and implement, as needed, procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

ii. Facility Security Plan (Addressable) – Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized access, tampering and theft.

iii. Access Control and Validation (Addressable) – Control and validate an employee’s access to facilities based on his or her role or function, including visitor control, and control of access to software programs for testing and revision.

iv. Maintenance Records (Addressable) – Document repairs and modifications to the physical components of a facility which are related to security. Do not permit laptops or other media with EPHI to be serviced outside of the physical plant of the company, or make sure that the servicing company has reasonable security measures to prevent theft.

b. Workstation Use (Required) – Specify the proper functions to be performed on a workstation, the manner in which they are to be performed, and the physical attributes of the surroundings of a workstation or specific class of workstation that can access EPHI. This should also apply to laptops or other mobile devices. Computers should be placed so that others cannot see their screens.


c. Workstation Security (Required) – Implement physical safeguards for all workstations (including wireless devices, laptops and items not onsite) that access EPHI to restrict access to authorized users. This should also apply to laptops or other mobile devices. Many of our clients have adopted clean desk policies.

d. Device and Media Controls – Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility and movement within the facility.

i. Disposal (Required) – Address the final disposition of EPHI and/or hardware or electronic media on which EPHI is stored.

ii. Media Re-use (Required) – Provide for removal of EPHI from electronic media before the media is made available for re-use.

iii. Accountability (Addressable) – Maintain a record of the movements of hardware and electronic media and any person responsible therefor.

iv. Data Backup and Storage (Addressable) – Create a retrievable, exact copy of EPHI, when needed, before movement of equipment.

e. Written Procedures (MA) – In addition to what is required above, Massachusetts law requires implementing reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted, and storage of such records and data in locked facilities, storage areas, or containers.

f. Disposal (Many states) – Many states require disposal of personal information and/or records/media containing same when they are no longer needed, and that such disposal take place in a manner that renders the personal information unreadable, unusable, and undecipherable. This applies to electronic media as well as paper documents.

3. Technical Safeguards – Require technology and the policies and procedures for its use that protect EPHI and control access to it.

a. Access Control – Implement technical policies and procedures for electronic information systems that maintain EPHI and allow access only to those persons or software programs that have been granted access. Massachusetts requires restricting system access to active users and active user accounts only, and restricting access to records and files containing personal information to those who need such information to perform their job duties.

i. Unique User Identification (Required) – Assign a unique name and/or number for identifying and tracking user identity.

ii. Emergency Access Procedure (Required) – Establish and implement, as needed, procedures for obtaining necessary EPHI during an emergency.


iii. Automatic Logoff (Addressable) – Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. Usually computers log off after 3-5 minutes of non-use.

iv. Encryption and Decryption (Addressable, MA/NV Required) – Implement a mechanism to encrypt and decrypt EPHI. Massachusetts requires encryption (to the extent technically feasible) of all transmitted records and files containing personal information that will travel across public networks, and encryption of all personal data to be transmitted wirelessly. In Nevada, if a company accepts credit card payments, transmissions related to the credit card must be encrypted.

v. Blocking Access (MA) – Massachusetts requires blocking access to a user identification after multiple unsuccessful attempts to gain access, or the limitation placed on access for the particular system.

b. Audit Controls (Required) – Implement hardware, software, and/or procedural mechanisms that record and examine activity in systems that contain or use EPHI.

c. Integrity – Implement policies and procedures to protect EPHI from improper alteration or destruction.

i. Mechanism to Authenticate EPHI (Addressable) – Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.

d. Person or Entity Authentication (Required) – Verify that a person or entity seeking access to EPHI is the one claimed. Massachusetts requires control over user IDs and other identifiers.

e. Transmission Security – Implement procedures to guard against unauthorized access to EPHI transmitted over an electronic communications network.

i. Integrity Controls (Addressable) – Implement security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of.

ii. Encryption (Addressable, MA Required) – Implement a mechanism to encrypt EPHI whenever deemed appropriate. Massachusetts requires encryption (to the extent technically feasible) of all transmitted records and files containing personal information that will travel across public networks, encryption of all personal data to be transmitted wirelessly, and encryption of all personal information stored on laptops or other portable devices.

f. System Monitoring (MA) – Implement reasonable monitoring of systems for unauthorized use of or access to personal information.
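As an added example (not from the memo), the Blocking Access, Automatic Logoff and Log-in Monitoring items above can be implemented together as a small access guard that locks a user ID after repeated failed log-ins, ends idle sessions, and keeps an audit trail that the Information System Activity Review can query. The five-attempt threshold and the 5-minute idle limit are assumed values chosen within the ranges the memo mentions; the 30-minute lockout duration is not stated in the memo and is an assumption.

```python
import time

# Assumed thresholds: the memo says "multiple" failed attempts and 3-5 minutes of idle time;
# the lockout duration is not stated in the memo and is an assumption here.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 30 * 60
IDLE_TIMEOUT_SECONDS = 5 * 60


class AccessGuard:
    """Locks a user ID after repeated failed log-ins, ends idle sessions and keeps an
    audit trail for log-in monitoring and information system activity review.
    Timestamps are seconds since the epoch (time.time()); they are passed in so the
    behaviour can be reproduced exactly in tests."""

    def __init__(self):
        self.failures = {}      # user -> consecutive failed attempts (reset on success)
        self.locked_until = {}  # user -> epoch seconds until which the ID is blocked
        self.sessions = {}      # session id -> (user, last activity time)
        self.audit = []         # (time, user, event) rows for later review

    def _log(self, now, user, event):
        self.audit.append((now, user, event))

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def attempt_login(self, user, password_ok, now=None):
        """Return a session id on success, or None if the attempt is rejected."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            self._log(now, user, "login rejected: account locked")
            return None
        if not password_ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            self._log(now, user, f"login failed ({self.failures[user]})")
            if self.failures[user] >= MAX_FAILED_ATTEMPTS:
                self.locked_until[user] = now + LOCKOUT_SECONDS
                self._log(now, user, "account locked after repeated failures")
            return None
        self.failures[user] = 0
        sid = f"{user}-{len(self.audit)}"   # simple deterministic session id
        self.sessions[sid] = (user, now)
        self._log(now, user, "login succeeded")
        return sid

    def touch(self, sid, now=None):
        """Record activity on a session; return False and end it if the idle limit has passed."""
        now = time.time() if now is None else now
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        user, last = entry
        if now - last > IDLE_TIMEOUT_SECONDS:
            del self.sessions[sid]
            self._log(now, user, "automatic logoff after inactivity")
            return False
        self.sessions[sid] = (user, now)
        return True

    def discrepancies(self):
        """Audit rows a reviewer should look at: failures, lockouts and rejected log-ins."""
        return [row for row in self.audit if "failed" in row[2] or "locked" in row[2]]
```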


g. Firewall Protection (MA) – Provide reasonably up-to-date firewall protection and operating system security patches for files containing personal information on a system that is connected to the Internet, designed to maintain the integrity of the personal information.

