HIPAA Security
URAC HS 30 & 31 -- v. 1.1 revision
Submitted by Tom Goddard on Sat, 2008-03-01 20:01.
These two standards, dealing with Business Associate agreements and Business Associate policies and procedures, respectively, have been moved, with the language unchanged, to follow HS 4. The reason for the move is to improve the flow of the standards for Business Associate applicants. The standards are renumbered HS 5 and HS 6, respectively, and all subsequent standards are renumbered accordingly (e.g., old HS 5 becomes the new HS 7).
The language of the standards remains the same:
HS 30 (new 5)
For each covered entity with which the business associate does business, the business associate executes a written agreement in which it agrees to: (Primary)
(a) Implement security safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity (Required); (Primary)
(b) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it (Required); (Primary)
(c) Report to the covered entity any security incident of which it becomes aware (Required); (Primary)
(d) Make its policies and procedures and documentation required by this subpart relating to such safeguards available to the Secretary for purposes of determining the covered entity's compliance with the HIPAA Security Rule (Required); and (Primary)
(e) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract (Required). (Primary)
HS 31 (new 6)
The business associate organization has policies and procedures that implement the security protections necessary to meet the terms of each business associate contract. The following policies and procedures are addressable requirements for business associates: (Primary)
(a) Provide appropriate personnel training to ensure awareness of security policies and procedures, and protect the integrity and confidentiality of electronic protected health information (Addressable); (Primary)
(b) Ensure adequate personnel to carry out and meet these security requirements (Addressable); (Primary)
(c) Ensure appropriate backup and restore measures are in place (Addressable); (Primary)
(d) Implement appropriate disposal and re-use procedures and track final disposition of electronic protected health information and/or the hardware/media on which it is stored (Addressable); (Primary)
(e) Implement appropriate mechanisms to protect electronic protected health information transmissions over electronic communications networks to guard against unauthorized access (Addressable); or (Primary)
(f) Implement encryption techniques to protect electronic protected health information transmissions over communications networks whenever deemed appropriate (Addressable). (Primary)
(g) Administrative, physical and technical safeguards to ensure need-to-know access controls to reasonably and appropriately protect the integrity and confidentiality of electronic protected health information in any media (Addressable); (Primary)
(h) Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed (Addressable); (Primary)
(i) Implement appropriate audit control mechanisms to record and examine activity in information systems that contain or use electronic protected health information (Addressable); (Primary)
(j) Maintain procedures, where reasonable and appropriate, to regularly review records of information system activity such as internal audits, audit logs, access reports and incident tracking reports, to ensure that electronic protected health information in its possession has not been altered or destroyed in an unauthorized manner (Addressable); and (Primary)
(k) Ensure security of electronic protected health information accessible from workstations and the physical security of workstations where electronic protected health information is present (Addressable). (Primary)
URAC HS 11 -- v. 1.1 revision
Submitted by Tom Goddard on Sat, 2008-03-01 19:48.
This mandatory standard on security incident procedures, which in v. 1.0 applied only to Covered Entities, now applies to Business Associates as well. The standard still reads:
Security Incident Procedures (Required) - The organization implements policies and procedures to address security incidents.
(a) Response and Reporting (Required):
i. Identify and respond to suspected or known security incidents (Required);
ii. Mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity (Required); and
iii. Document security incidents and their outcomes (Required).
URAC HS 10 -- v. 1.1 revision
Submitted by Tom Goddard on Sat, 2008-03-01 19:43.
In upgrading its HIPAA Security standards from v. 1.0 to v. 1.1, URAC has amended its training standard, HS 10, to extend its requirement of training on security reminders and security updates to Business Associate applicants. In v. 1.0, all of the subsections of this mandatory standard on security awareness and training applied only to Covered Entity applicants.
The language of the standard remains the same:
Security Awareness and Training (Required) – The organization implements a security awareness and training program for all members of its workforce (including management). The organization’s policies and procedures address:
(a) Security reminders (Addressable). Periodic security updates; (Applicable to Covered Entities and Business Associates)
(b) Protection from malicious software (Addressable). Procedures for guarding against, detecting and reporting malicious software; (Applicable to Covered Entities only)
(c) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies; and (Applicable to Covered Entities only)
(d) Password management (Addressable). Procedures for creating, changing and safeguarding passwords. (Applicable to Covered Entities only)
