How HIPAA's security rule could affect IT

Deborah S. Birnbach and Mayeti Gametchu
 

April 30, 2003 (Computerworld) In late February, the Department of Health and Human Services released a new rule under HIPAA (the Health Insurance Portability and Accountability Act) called the final rule on security standards. This rule extends HIPAA's reach beyond the health care industry and could affect technology and software vendors. Under this security rule, the level of security required to protect personal health data contained in software or hosted in facilities is no longer a matter of customer preference. Now it's a matter of federal law.


The security rule directly governs "covered entities," which include health plans, health care clearinghouses and health care providers. It mandates that electronically stored personal health information be kept confidential and protected against unauthorized users and any threats to its security or integrity.


To accomplish this mandate, the rule outlines three categories of safeguards to establish a minimum level of protection:


  1. Administrative safeguards: Designed to ensure that formal policies for overseeing the implementation and management of security measures are established and implemented.

  2. Physical safeguards: To ensure that the facilities where electronic information systems are stored are protected from intrusions and other hazards.

  3. Technical safeguards: To ensure that only authorized access to electronic personal health information is permitted, through the creation of firewalls and passwords, among other things.


So what's the catch for technology and software vendors? Due to this new security rule, technology companies servicing customers in the health care industry may be deemed "business associates" of their customers and may end up with new obligations to HIPAA-covered customers and business partners.


The Security Rule's impact on business associate agreements


The safeguards described above don't affect only covered entities. Through contracts with its customers, any company that provides services to the health care industry, including a technology vendor, may have to adhere to many, if not all, of these safeguards and may be asked by customers to contractually represent that such safeguards are in place.


For instance, if your company is a business associate under HIPAA, it will be asked to enter into a business associate agreement with the covered entity before it can gain access to personal health information. In addition to other contractual obligations under the business associate agreement, the security rule mandates that business associates provide the following security measures:


In addition to requiring business associates to comply with the safeguards outlined by the rule, a covered entity may attempt to require a business associate to meet even higher security standards. For this reason, technology or software companies that provide services to organizations in the health care industry should familiarize themselves with the HIPAA security rule and prepare to negotiate their business associate agreements accordingly.


By virtue of the nature of their products and services, technology and software vendors should be prepared and expect to field questions from customers seeking help in complying with the security rule. Business associates should take care to recognize that there's a fine line to walk in playing this role, since they could face liability exposure stemming from potential breach-of-contract actions brought by covered entities. Certainly, business associates should avoid representations that their products and services are "HIPAA-compliant," when in fact only entities can be considered HIPAA-compliant. In general, a good remedy for avoiding liability risks is for business associates to instead stick to their knitting and simply explain their security standards and what their products and services provide.