HIPAA/HITECH: A Guide for IT Service Providers

Transcription

1 HIPAA/HITECH: A Guide for IT Service Providers

2 Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing on your comfort zone. It s vague, but comes with hefty fines if not followed to the blurry letter, and those fines can run as high as $1.5 million. In fact, six of the 10 settlements announced by the U.S. Department of Health and Human Services (HHS) have exceeded $1 million dollars. i Don t panic. To help you through this transition, we ve developed this guide. Think of it as your towel. If you have this, you can make it through anything. This guide provides an easy-to-read overview of the new HIPAA legislation basics, and enables you to access more resources to further help you on your journey into HIPAA compliance. If you re a HHGTTG fan, you re going to like this. And even if you re not, you ll learn some valuable lessons about life, the universe and everything as it relates to the new HIPAA regulations that impact you. What s the story? Congress recently expanded the Health Information Technology for Economic and Clinical Health Act (HITECH) to include technology solution providers that service health care companies. How does the new HITECH legislation impact you? 1. You must now comply with certain HIPAA requirements 2. You can be audited for HIPAA compliance at any time 3. You can be fined up to $1.5 million per year for failing to comply Use the high-level overview in this guide to further familiarize yourself with the new requirements that went into full effect on September 23, Important notice: This resource was not written by lawyers. It is not legal advice, so please do not use it that way. It is intended as an overview written in everyday language. If you need legal advice about HIPAA/HITECH compliance, please consult an experienced attorney. No warranties. You are provided with this ebook Guide as a convenience. Much of its content is adapted from the HIPAA Administrative Simplification Regulation text issued by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), March You are encouraged to visit the OCR website for clarification and for updates. LabTech Software makes no representations or warranties of any kind, express or implied, regarding the accuracy, completeness, reliability or suitability of this Guide and the information it contains, or as to the availability of the ebook. LabTech Software and its affiliates disclaim any and all liability for injuries or damages that may arise from relying on the information contained in this Guide or the unavailability of the ebook.

3 1Why IT Service Providers Must Be HIPAA/HITECH Compliant Business Associates account for approximately 22.7% of all reported major breaches. ii Melamedia LLC The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to provide for the protection and confidential handling of protected health information (PHI). The intent was to ensure anyone who had access to or control of private or protected health care information would maintain certain requirements and duties for auditing and compliance. The Health Information Technology for Economic and Clinical Health Act (HITECH) was passed by Congress in 2009 and expands on the original HIPAA standards. The most recent requirements, known as the HIPAA/HITECH Omnibus Final Rule, provide clarification of the regulations and extend the liability of protecting PHI beyond covered entities those that generate or directly process PHI as part of their regular business activities to Business Associates. Who is considered a Business Associate (BA)? As defined in the HITECH Act, a BA is anyone who may handle, touch or access PHI in any potential way. BAs are also subcontractors that create, receive, maintain or transmit PHI on behalf of a covered entity or on behalf of another BA. IT service providers and managed service providers (MSPs) are deemed BAs because they are performing functions on behalf of a covered entity that may require access to or result in accidental or inadvertent exposure to PHI while performing services for a covered entity. It s All About Access Even if you aren t made aware that you have potential access to or are storing PHI, you are still subject to the HITECH BA requirements for that PHI. If you have access to a covered entity s IT infrastructure, whether you use it or not, whether it s part of your function or not, whether it s part of your contracted services or not, you are considered a BA under HITECH and must comply with the regulations.

4 Why IT Service Providers Must Be HIPAA/HITECH Compliant And the regulatory requirements descend all the way down the chain to any and all entities that have access to the data, which means any of your subcontractors who may potentially or inadvertently be exposed are also considered BAs. Off-site storage, hosted , spam filtering and archiving providers all fit this bill, as do many others. Your Responsibilities Under the HIPAA/HITECH Omnibus Final Rule, BAs are now responsible for complying with certain HIPAA requirements. Specifically, BAs must comply with the following HIPAA subparts: If you have access to a covered entity s IT infrastructure, whether you use it or not, whether it s part of your function or not, whether it s part of your contracted services or not, you must comply with certain HIPAA requirements. Security Standards for the Protection of Electronic Protected Health Information Certain sections of Privacy of Individually Identifiable Health Information Certain sections of Notification of Breach of Unsecured Protected Health Information For the remainder of this ebook, these items will be referred to as the Security Rule, the Privacy Rule and the Breach Notification Rule. We will outline the requirements of each in the coming chapters.

5 The Security Rule: General Requirements 2The Security Rule applies to PHI that is in electronic form. The purpose of the Security Rule is to make certain anyone who has access to electronic protected health information (ephi) will: 1. Ensure the confidentiality, integrity and availability of all ephi it creates, receives, maintains or transmits. 2. Protect against any reasonably anticipated threats or hazards to the security or integrity of ephi. 3. Protect against any reasonably anticipated uses or disclosures of ephi. 4. Ensure compliance by its workforce. To accomplish this, the Security Rule outlines specific safeguards and requirements that must be addressed by covered entities, BAs and any subcontractor of either that may have access or potentially be exposed to ephi. The requirements are divided into four categories: 1. Administrative Safeguards 2. Physical Safeguards 3. Technical Safeguards 4. Policies and Procedures and Documentation Requirements Each of the four categories includes specific standards that must be met and provides specifications for how each standard should be implemented.

6 The Security Rule: General Requirements Some of the implementation specifications outlined must be followed and others are considered addressable. And addressable doesn t mean optional. For specifications that are addressable, it is up to you to assess whether the specification is a reasonable and appropriate safeguard for your particular environment. If the specification is found to be reasonable and appropriate, you must proceed with the implementation. If deemed not reasonable and appropriate, you must document the reason and then implement an equivalent alternative measure, if reasonable and appropriate to do so. The Security Rule also includes a flexibility factor, so you can use any security measures you choose, so long as the security measures selected allow you to reasonably and appropriately address the standards and implementation specifications set forth. In deciding which security measures to use, you may take the following factors into account: The size, complexity and capabilities of your business Your technical infrastructure, hardware and software security capabilities The cost of security measures The probability and criticality of potential risks to ephi It is important to note that the flexibility factors must be considered as a whole. Cost alone is not an acceptable reason for not following the implementation standards outlined.

7 3The Security Rule: Administrative Safeguards The Security Rule defines administrative safeguards as, administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity s [business associate s] workforce in relation to the protection of that information. iii There are eight technical standards and one business standard that you must meet under the Administrative Safeguards section of the Security Rule. security policies and procedures. D. Information System Activity Review Implement procedures to regularly review information system activity records, such as audit logs, access reports and security incident tracking to determine if any ephi was used or disclosed in an inappropriate manner. 2. Assigned Security Responsibility Identify a security official within your business who will be responsible for the development and implementation of the required policies and procedures. About 76% of network intrusions involve weak credentials. iv InformationWeek Technical Standards 1. Management Process Implement policies and procedures to prevent, detect, contain and correct security violations. Required Implementation Specifications A. Risk Analysis Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ephi. B. Risk Management Implement security measures sufficient to reduce risks and vulnerabilities. C. Sanction Policy Apply appropriate sanctions against employees who fail to comply with your 3. Workforce Security Implement policies and procedures to ensure all employees have appropriate access to ephi and prevent employees who do not have access from obtaining access to ephi. Addressable Implementation Specifications A. Authorization and/or Supervision Implement procedures for the authorization and/or supervision of employees who work with ephi or who work in locations where ephi could be accessed. B. Workforce Clearance Procedure Implement procedures to determine whether access to ephi by an employee is appropriate.

8 The Security Rule: Administrative Safeguards C. Termination Procedures Implement procedures for terminating access to ephi when employment is terminated or when an employee no longer needs access to ephi. 4. Information Access Management Implement policies and procedures for authorizing access to ephi. Required Implementation Specifications A. Isolating Health Care Clearinghouse Functions If your business is part of a larger organization, you must implement policies and procedures that protect ephi against unauthorized access by the larger organization. Addressable Implementation Specifications A. Access Authorization Implement policies and procedures for granting access to ephi, for example, through access to a workstation, transaction, program, process or other mechanism. B. Access Establishment and Modification Implement policies and procedures that establish, document, review and modify a user s right of access to a workstation, transaction, program or process based upon your access authorization policies. 5. Security Awareness and Training Implement a security awareness and training program for all members of your workforce, including management. Addressable Implementation Specifications A. Security Reminders Provide periodic security updates to all members of your workforce. B. Protection From Malicious Software Implement policies and procedures for guarding against, detecting and reporting malicious software, including training employees on their role in protecting against malicious software. C. Log-in Monitoring Implement policies and procedures for monitoring log-in attempts and reporting discrepancies. D. Password Management Implement policies and procedures for creating, changing and safeguarding passwords. 6. Security Incident Procedures Implement policies and procedures to address security incidents. A security incident is defined as, the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. iii Required Implementation Specifications A. Response and Reporting Identify and respond to suspected or known security incidents, mitigate harmful effects of known security incidents to the extent practicable, and document security incidents and outcomes. 7. Contingency Plan Establish policies and procedures for responding to an emergency or other occurrence that could damage systems containing ephi such as fire, vandalism, system failure or natural disaster and implement as needed. Required Implementation Specifications A. Data Backup Plan Establish and implement procedures to create and maintain retrievable exact copies of ephi. B. Disaster Recovery Plan Establish procedures to restore any loss of data and implement as needed. C. Emergency Mode Operation Plan Establish procedures to enable continuation of critical business processes to protect the security of ephi while operating in emergency mode and implement as needed. Addressable Implementation Specifications A. Testing and Revision Procedures Implement procedures for periodic testing and revision of contingency plans. B. Applications and Data Criticality Analysis Assess the relative criticality of specific applications and data and develop a prioritized list of the applications and information systems that need to be restored first or that must be available at all times. 8. Evaluation Perform a periodic technical and nontechnical evaluation based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of ephi that establishes the extent to which your security policies and procedures meet the requirements of the Administrative Safeguard standards. Business Standards 1. Business Associate Contracts and Other Arrangements You may permit a subcontractor to create, receive, maintain or transmit ephi on your behalf only if you obtain satisfactory assurances that the subcontractor will appropriately safeguard the information. Required Implementation Specifications A. Written Contract or Other Arrangement Satisfactory assurances must be provided via a written agreement that meets the applicable requirements set forth by HIPAA. BA contract requirements are outlined in Chapter 9 of this ebook. Need assistance with your Risk Analysis? The National Institute of Standards and Technology (NIST) published a Guide for Conducting Risk Assessments that can help.

9 4The Security Rule: Physical Safeguards The Security Rule defines physical safeguards as physical measures, policies, and procedures to protect a covered entity s [business associate s] electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. v There are four standards that must be met under the Physical Safeguards section of the Security Rule. 1. Facility Access Controls Implement policies and procedures to limit physical access to your electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Addressable Implementation Specifications A. Contingency Operations Establish procedures that allow facility access so that lost data can be restored in accordance with your disaster recovery and emergency mode operations plan and implement as needed. B. Facility Security Plan Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering and theft. 80% of data breaches would have been stopped or forced to change tactics if a suitable replacement (such as multifactor authentication) to passwords had been used. iv InformationWeek

10 The Security Rule: Physical Safeguards C. Access Control and Validation Procedures Implement procedures to control and validate a person s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. D. Maintenance Records Implement policies and procedures to document repairs and modifications to the physical components of a facility that relate to security, such as hardware, walls, doors and locks. 2. Workstation Use Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ephi. or electronic media on which it is stored to ensure it is unusable or inaccessible. B. Media Re-use Implement procedures to remove ephi from electronic media before the media are made available for re-use. C. Accountability Maintain a record of the movements of hardware and electronic media and any person responsible for them. D. Data Backup and Storage Create a retrievable, exact copy of ephi, when needed, before movement of equipment. 3. Workstation Security Implement physical safeguards for all workstations that access ephi to restrict access to authorized users. 4. Device and Media Controls Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ephi into and out of a facility, and the movement of these items within the facility. Required Implementation Specifications A. Disposal Implement policies and procedures to address the final disposal of ephi and/or the hardware

11 The Security Rule: Technical Safeguards 5The Security Rule defines technical safeguards as the technology and the policy and procedures for its use that protect electronic protected health information and control access to it. vi There are five standards that must be met under the Technical Safeguards section of the Security Rule. 1. Access Control Implement technical policies and procedures for electronic information systems that maintain ephi to allow access only to those persons or software programs that have been granted access rights as specified in your Administrative Safeguards. Required Implementation Specifications A. Unique User Identification Assign a unique name and/or number for identifying and tracking user identity. B. Emergency Access Procedure Establish procedures for obtaining necessary ephi during an emergency and implement as needed. Addressable Implementation Specifications A. Automatic Logoff Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. B. Encryption and Decryption Implement a mechanism to encrypt and decrypt ephi.

12 The Security Rule: Technical Safeguards 2. Audit Controls Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ephi. 3. Integrity Implement policies and procedures to protect ephi from improper alteration or destruction. Addressable Implementation Specifications A. Mechanism to Authenticate ephi Implement electronic mechanisms to verify that ephi has not been altered or destroyed in an unauthorized manner. 4. Person or Entity Authentication Implement procedures to verify that a person or entity seeking access to ephi is the one claimed. 5. Transmission Security Implement technical security measures to guard against unauthorized access to ephi that is being transmitted over an electronic communications network. Addressable Implementation Specifications A. Integrity Controls Implement security measures to ensure ephi is not improperly modified without detection. B. Encryption Implement a mechanism to encrypt ephi whenever deemed appropriate.

13 The Security Rule: Policies and Procedures and Documentation Requirements 6There are two standards that must be met under the Policies and Procedures and Documentation section of the Security Rule. 1. Policies and Procedures Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the Security Rule, taking into account the flexibility factors outlined in Chapter 2 of this ebook. Policies and procedures can be changed at any time, provided the changes are documented and implemented in accordance with the Security Rule. 2. Documentation Maintain the policies and procedures implemented to comply with this section of the Security Rule in written form. If an action, activity or assessment is required to be documented, maintain a written record of the action, activity or assessment. Written records may be kept in electronic format. Required Implementation Specifications A. Time Limit Retain the required documentation for six (6) years from the date of its creation or the date when it last was in effect, whichever is later. B. Availability Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. C. Updates Review your documentation periodically and update as needed in response to environmental or operational changes affecting the security of ephi.

14 The Privacy Rule 7The Privacy Rule is pretty straightforward: You are not allowed to use or disclose PHI except as required by your BA agreement, as required by law when part of an investigation, or as part of an audit to determine compliance. An exception is subcontractors. BAs are permitted to disclose PHI to another BA that is acting as a subcontractor, provided a BA agreement that meets the criteria outlined in chapter 9 of this ebook is in place. In addition, when using or disclosing PHI or when requesting PHI from another covered entity or BA, you must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended use, disclosure or request. This is referred to as minimum necessary. And, as you ve probably guessed, you are never permitted to sell PHI. While not explicitly required, consider creating an internal privacy policy for employees. Include the privacy policy in your documentation, along with the process you used to create, distribute and verify that the policy was received and understood by your employees.

15 8Breach Notification Rule According to HIPAA, breach means the acquisition, access, use or disclosure of PHI in a manner that compromises the security or privacy of the PHI. A breach does not include: Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a BA, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure. Any inadvertent disclosure by a person who is authorized to access PHI to another person who is authorized to access PHI in the same organization, and the information received as a result of such disclosure is not further used or disclosed. A disclosure of PHI where a BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. Except as provided above, any acquisition, access, use or disclosure of PHI is presumed to be a breach unless you can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment that looks at the following factors: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification The unauthorized person who used the PHI or to whom the disclosure was made 26,898,943 patients were affected by major breaches (data breaches involving more than 500 patients) year-to-date through September 17, ii Melamedia LLC

16 Breach Notification Rule Whether the PHI was actually acquired or viewed The extent to which the risk to the PHI has been mitigated Breach Notification Requirements of Business Associates Following the discovery of a breach of unsecured PHI PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or allowed methodology a BA must notify the covered entity of such breach without unreasonable delay and no later than 60 days after the breach is discovered. A breach is considered discovered as of the first day on which the breach is known or, by exercising reasonable diligence, would have been known to any employee, officer or other agent of the BA. The notification must include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed during the breach. The BA must also provide the covered entity with any other information required if the information is available or as the information becomes available in the future, including: A brief description of what happened, including the date of the breach and the date the breach was discovered. A description of the types of unsecured PHI that were involved in the breach, such as full name, social security number, date of birth, home address, account number, diagnosis, disability code or other types of information. Any steps individuals should take to protect themselves against potential harm resulting from the breach. A brief description of what you are doing to investigate the breach, to mitigate harm to individuals and to protect against any further breaches. Contact procedures for affected individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an address, website or postal address. Be sure to document all of the above, because in the event of a use or disclosure violation, you have the burden of demonstrating that all notifications were made as required, or that the use or disclosure did not constitute a breach.

17 Business Associate Agreements 9BAs must have a BA agreement in place with any covered entity that it does business with, as well as with any subcontractors that do work on its behalf and that may have access to PHI. A BA agreement must meet the following requirements: 1. Establish the permitted and required uses and disclosures of PHI by the BA. The contract may not authorize the BA to use or further disclose the information in a manner that would violate HIPAA requirements, except that: The contract may permit the BA to use and disclose PHI in its capacity as a BA. The contract may permit the BA to provide data aggregation services relating to the health care operations of the covered entity. 2. Provide that the BA will: Not use or further disclose the information other than as permitted by the agreement or as required by law.

18 Business Associate Agreements Use appropriate safeguards to prevent the use or disclosure of the information. Report to the covered entity any use or disclosure of the information that falls outside the scope of the agreement, including breaches of unsecured PHI. Ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA with respect to PHI. Make available PHI in accordance with an individual s right of access to inspect and obtain a copy of their own PHI. Make available PHI for amendment and incorporate any amendments to PHI in accordance with an individual s right to have a covered entity amend PHI or a record about the individual in a designated record set. Make available the information required to provide an accounting of disclosures in accordance with an individual s right to receive an accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the request is made. To the extent the BA is to carry out a covered entity s obligation of this requirement, comply with the requirements that apply to the covered entity in the performance of such obligation. Make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of the covered entity available for purposes of determining the covered entity s compliance. At termination of the contract, if feasible, return or destroy all PHI received from, or created or received by the BA on behalf of the covered entity that the BA still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. 3. Authorize termination of the contract if it is determined that the material terms of the contract have been violated. Note that a BA is not in compliance if they knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor s obligation under the contract, unless reasonable steps were taken to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract, if feasible.

19 10 Additional Responsibilities of Business Associates In addition to meeting the requirements of the Security Rule, Privacy Rule and Breach Notification Rule, BAs are also required to comply with the following: 1. Provide Records and Compliance Reports You must keep all of your compliancy records, including documentation, and submit such records, in such time and manner and containing such information, as the Secretary or other agent of HHS may determine to be necessary to enable HHS to ascertain whether you have complied or are complying with the applicable requirements. 2. Cooperate with Compliancy Investigations and Compliance Reviews You must cooperate with HHS if HHS undertakes an investigation or compliance review of your policies, procedures or practices to determine whether you are complying with the applicable requirements. 3. Permit Access to Information You must permit access by HHS during normal business hours to your facilities, books, records, accounts and other sources of information, including PHI, that are pertinent to ascertaining compliance with the applicable requirements. If HHS determines that exigent circumstances exist, such as when documents may be hidden or destroyed, you must permit access by HHS at any time and without notice. If any information required of you is in the exclusive possession of any other agency, institution or person and the other agency, institution or person fails or refuses to furnish the information, you must certify and set forth what efforts you have made to obtain the information.

20 11 Penalties for Non-compliance A BA is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the BA, including a workforce member or subcontractor, acting within the scope of the agency. Monetary Penalties $ If you are unaware a violation occurred and, by exercising reasonable diligence, could not have known: $100 to $25,000 per violation, not to exceed $1.5 million per year If a violation occurs due to reasonable cause and not willful neglect: $1,000 to $50,000 per violation, not to exceed $1.5 million per year If a violation occurs due to willful neglect, but is corrected within 30 days of discovery: $10,000 to $50,000 per violation, not to exceed $1.5 million per year If a violation occurs due to willful neglect and is not corrected: $50,000 to $1.5 million per violation

21 Summary Now that you ve explored this guide, you re well on your way to becoming compliant with the requirements set forth in the HIPAA/HITECH Omnibus Final Rule. Keep this guide on hand, and start building out your strategy for bringing your team up to speed on HIPAA compliance. A little awareness can go a long way in helping you avoid hefty fines. Your action items: Build and implement a HIPAA compliance plan Document all compliance methods (in case of an audit) Give HIPAA compliance training to all employees Drive accountability to compliance standards Always know where your HIPAA/HITECH compliance guide is About LabTech Software LabTech Software is the brainchild of a managed service provider (MSP) that struggled with the usual challenges and inefficiencies of a reactive IT maintenance and support model. LabTech its flagship solution was born of the urgent need to eliminate technician inefficiencies and the desire to provide preventive and proactive service. Developed with cutting-edge, agent technology, LabTech is the only remote monitoring and management (RMM) platform created by system administrators for systems administrators to automate your IT services and eliminate inefficiencies. For more information, please visit labtechsoftware.com or call George Road, Suite 200 Tampa, Florida labtechsoftware.com i Mondaq. United States: 5 Critical To Do s Before The Next HIPAA Compliance Deadline. September 2013 ii Health Information Privacy/Security Alert. HIPAA & Breach Enforcement Statistics for October Melamedia LLC. iii HIPAA Security Series. Volume 2/Paper 2. Security Standards: Administrative Safeguards. Department of Health & Human Services. March iv The 8 Most Common Causes of Data Breaches and How You Can Prevent Them. InformationWeek. May v HIPAA Security Series. Volume 2/Paper 3. Security Standards: Physical Safeguards. Department of Health & Human Services. March vi HIPAA Security Series. Volume 2/Paper 4. Security Standards: Technical Safeguards. Department of Health & Human Services. March 2007.