Today, our focus is on the HIPAA Security Rule and how it addresses the protection of electronic medical records.
Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to improve the US healthcare system by regulating patient privacy standards. Since then, there have been a few critical additions to the act, including the Privacy Rule, the HIPAA Security Rule, the Breach Notification Rule, and the Omnibus Final Rule.
What does the HIPAA Security Rule require?
First, let’s talk about what is not specified in the rule. The Security Rule does not state exactly what security methods organizations must take to protect ePHI. The US Department of Health and Human Services (HHS) recognizes that technology is a changing field that updates constantly. Further, depending on the size of the organization, different measures are needed.
The security requirements for a small rural clinic won’t be the same as what a large metropolitan hospital must follow.
Within the Security Rule are two types of standards:
- Required standards are mandatory.
- Addressable standards allow for flexibility in implementation. However, organizations cannot ignore them. For example, they must keep ePHI secure, but the HHS does not dictate the exact method for securing it.
You can choose not to implement an addressable standard, but you must use an alternative method for safeguarding the data. Also, you need to document what you’ve done as well as your reasons for doing so.
The 3 required safeguards of the HIPAA Security Rule
The three main categories of the required standards of the Security Rule include physical safeguards, technical safeguards, and administrative safeguards.
1. Physical safeguards for ePHI
What are your policies for protecting PHI from unauthorized access across your equipment, buildings, and electronic information systems? This is what the physical safeguards of the Security Rule encompass, for example:
- Security at individual workstations.
- Mobile device use outside of the workplace.
- Access control to computers, servers, or any other information system.
2. Technical safeguards for ePHI
This area can be challenging for medical professionals to understand and usually requires assistance from third-party professionals or consultants. To simplify, technical safeguards cover how technology protects the data and who has access to it.
Examples of technical safeguards include:
- Access controls. System activity must be traced to a specific user.
- Audit controls. Organizations need to implement procedures to view and record activity in information systems that deal with ePHI.
- Secure data transmission. When transmitting ePHI, it should be encrypted.
- Firewall security. Firewalls prevent unauthorized access from outside the network, so that reaching ePHI requires identity-based authorization rather than mere network reachability.
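The access-control and audit-control items above boil down to one testable property: every action on ePHI must be attributable to a named individual, recorded, and carried over an encrypted channel. The following script is an added example (not from the article or from HHS) that checks a constructed key=value audit log for the three ways that property commonly fails: a blank user field, a shared or generic account, and a plaintext transport. The log format, account names and patient identifiers are all made up for the illustration.

```python
"""Audit-control sanity check for ePHI access logs (added example, constructed data)."""
import re
from collections import Counter

# Constructed sample audit lines: timestamp, user, action, patient record, transport.
# Lines 2, 3 and 4 each contain one deliberate accountability or transport problem.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=jdoe action=view patient=P1001 transport=https
2024-03-01T08:05:40Z user=shared_nurse action=view patient=P1002 transport=https
2024-03-01T08:07:03Z user=mlee action=export patient=P1001 transport=http
2024-03-01T08:09:55Z user= action=view patient=P1003 transport=https
2024-03-01T08:12:19Z user=jdoe action=view patient=P1004 transport=https
"""

# One record per line; the user field may legitimately be empty in a broken log,
# so \S* (not \S+) is used to capture that case rather than silently drop the line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S*) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) transport=(?P<transport>\S+)$"
)

# Generic accounts that defeat "traced to a specific user" (hypothetical list;
# in practice this comes from the identity provider or HR system).
SHARED_ACCOUNTS = {"shared_nurse", "admin", "frontdesk"}


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_violations(events):
    """Flag records that break individual accountability or encrypted transmission."""
    violations = []
    for e in events:
        if not e["user"]:
            violations.append((e["ts"], "missing-user"))
        elif e["user"] in SHARED_ACCOUNTS:
            violations.append((e["ts"], "shared-account"))
        if e["transport"] != "https":
            violations.append((e["ts"], "unencrypted-transport"))
    return violations


def access_counts(events):
    """Per-user count of ePHI accesses: the raw material for an audit review."""
    return Counter(e["user"] for e in events if e["user"])


def patients_by_user(events):
    """Which patient records each named user touched (for access-review reports)."""
    seen = {}
    for e in events:
        if e["user"]:
            seen.setdefault(e["user"], set()).add(e["patient"])
    return seen


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ts, kind in find_violations(evts):
        print(f"{ts}  {kind}")
    print(dict(access_counts(evts)))
```

Run against a real export, the violation list is what an audit-control procedure would review on a schedule, and the per-user summary is what an information-access review compares against each person's assigned role.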
3. Administrative safeguards for ePHI
These safeguards ensure employee compliance with the Security Rule. They include established procedures and training on those procedures when dealing with ePHI.
Administrative standards include:
- Information access management. Only required users have access to patient data.
- Security personnel. The organization must designate a compliance officer to implement and maintain HIPAA Security Rule procedures.
- Security management process. Security measures must be implemented and assessed.
- Workforce training. Employees should receive annual training on HIPAA compliance. They must be informed of the policies and what the sanctions are for violation.
Updates to HIPAA
In addition to the HIPAA Security Rule, it’s important to briefly discuss the Privacy Rule. As the first significant addition to HIPAA, this rule defined protected health information (PHI) and set standards for dealing with sensitive patient data.
HIPAA defines PHI as identifiable health information. The keyword here is identifiable, meaning that research scientists can use patient data in their projects, as long as they keep the patient’s identity separate from the medical data.
The Security Rule complements the Privacy Rule. The main difference is that the Security Rule was enacted to cover the growing issue of electronic forms of patient data, known as ePHI.
ePHI is any patient data (PHI) that is transmitted, stored or maintained in electronic form. The Security Rule focuses solely on ePHI.
The need for annual risk assessments
The administrative safeguards of the Security Rule state that HIPAA risk assessments are required. Risk analyses can help your organization determine which of your security measures are robust and where your areas of weakness are.
Conduct assessments and analyses on an ongoing basis so that you can routinely track the effectiveness of your security measures, potential vulnerabilities, and security breaches that may have occurred.
Risk assessments help you maintain your security policies and avoid potential data leaks and breaches. Fines from the HHS can range from $100 per violation up to multi-million dollar settlements, and the government may additionally impose long-term monitoring programs on the organization.
Achieve HIPAA Security Rule compliance
Complying with all of the HIPAA rules, regulations and addendums can be a lengthy and complex process. Even if you had the time to sit down and read the entire act and all of its updates, it would be challenging to understand and remember every last detail.
Assess where your organization stands with a HIPAA compliance checklist. Any time is a good time to go over this checklist carefully. It could mean the difference between operating in full compliance and suffering sanctions and the loss of the reputation you have built.