The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to establish methods of safeguarding protected health information (PHI). To that end, a series of four “rules” was developed to address the key areas of need directly. In this article, we’ll discuss the HIPAA Security Rule and its required safeguards.
What does the HIPAA Security Rule require?
The HIPAA Security Rule requires covered entities to protect all electronic protected health information (ePHI) via administrative, physical, and technical safeguards. These security standards must be designed to control access so that reasonably anticipated threats of unauthorized intrusion, use, or disclosure of individually identifiable health information are avoided. Furthermore, they should limit incidental uses or disclosures to only those that are permitted or required.
The Security Rule does not state exactly what security measures covered entities must take to protect ePHI. The US Department of Health and Human Services (HHS) recognizes that health information technology is a changing field that updates constantly. Further, depending on the size of the organization, different measures are needed. For example, the security measures for a small, single healthcare provider practice won’t be the same as what a large metropolitan hospital must follow.
Within the Security Rule Standards are two types of implementation specifications:
- Required – These, as the title suggests, are mandatory for all covered entities.
- Addressable – Unlike Required implementation specifications, these allow for flexibility in implementation. However, covered entities cannot ignore them. For example, they must keep ePHI secure, but HHS does not dictate the exact method for securing it.
You can also choose not to implement an addressable specification, but in its place you must use an alternative method of safeguarding the data. You must also document both what you have done and your reasons for doing so.
The 3 required safeguards of the HIPAA Security Rule
The three main categories of required standards in the Security Rule are physical safeguards, technical safeguards, and administrative safeguards.
1. Physical safeguards for ePHI
The physical safeguards of the Security Rule are the policies and procedures that limit physical access to your equipment, buildings, and electronic information systems by unauthorized persons. They cover:
- Security at individual workstations.
- Mobile device use outside of the workplace.
- Facility access control to computers, servers, or any other information system.
2. Technical safeguards for ePHI
This area can be challenging for healthcare providers to understand and usually requires assistance from third-party professionals or consultants. Put simply, technical safeguards cover how technology protects the data and who has access to it.
Examples of technical safeguards include:
- Access controls. System activity must be traced to a specific user.
- Audit controls. Covered entities need to implement procedures to view and record activity in information systems that deal with ePHI.
- Secure data transmission and data backup. When transmitting ePHI, it should be encrypted.
- Firewall security. This prevents unauthorized access from outside the network by requiring identity-based authorization before ePHI can be accessed.
3. Administrative safeguards for ePHI
These safeguards ensure employee compliance with the Security Rule. They include established policies and procedures, and training on those policies and procedures when dealing with ePHI.
Administrative standards include:
- Information access management. Only users who require access to patient data are granted it.
- Security personnel. Covered entities must designate a compliance officer to implement and maintain HIPAA Security Rule procedures.
- Security management process. Security measures must be implemented and assessed.
- Workforce training. A covered entity’s workforce should receive annual training on HIPAA compliance. They must be informed of the policies and procedures, and what the sanctions are for violation.
Updates to HIPAA
In addition to the HIPAA Security Rule, it’s important to briefly discuss the HIPAA Privacy Rule. As the first significant addition to HIPAA, this rule defined protected health information (PHI) and set standards for dealing with sensitive patient data.
HIPAA defines PHI as identifiable health information. The keyword here is identifiable, meaning that research scientists can use patient data in their projects, as long as they keep the patient’s identity separate from the medical data.
The Security Rule complements the Privacy Rule. The main difference is that the Security Rule was enacted to cover the growing issue of electronic forms of patient data, known as ePHI.
ePHI is any type of patient data (PHI) that is transmitted, stored, or maintained in electronic form. The Security Rule focuses solely on ePHI.
The need for an annual risk assessment
The administrative safeguards of the Security Rule state that HIPAA risk assessments are required. Risk analyses can help your organization determine which of your security measures are robust and where your areas of weakness are.
Conduct assessments and analyses on an ongoing basis so that you can routinely track the effectiveness of your security measures, potential vulnerabilities, and security breaches that may have occurred.
Risk assessments help you maintain your security policies and procedures and avoid potential data leaks and breaches. Fines from HHS can range from $100 per violation up to multi-million dollar settlements. The government may also impose long-term monitoring programs on the organization.
Achieve HIPAA Security Rule compliance
Complying with all of the HIPAA rules, regulations and addendums can be a lengthy and complex process. Even if you had the time to sit down and read the entire HIPAA Act and all of its updates, it would be challenging to understand and remember every last detail.
Assess where your organization stands with a HIPAA compliance checklist. Any time is a good time to go over this checklist carefully. It could mean the difference between operating in full compliance and suffering sanctions and damage to the reputation you have built.