HIPAA Security Rule – 3 Required Safeguards


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required that the Department of Health and Human Services (HHS) establish methods of safeguarding protected health information (PHI). To that end, a series of four “rules” were developed to address the key areas of need directly. In this article, we’ll discuss the HIPAA Security Rule, its implementation, and its required safeguards.

What does the HIPAA Security Rule require?

The HIPAA Security Rule requires covered entities to protect all electronic protected health information (ePHI) through administrative, physical, and technical safeguards. These security standards must be designed to control access so that reasonably anticipated threats of unauthorized intrusion, use, or disclosure of individually identifiable health information are avoided. They should also limit incidental uses or disclosures to those that are permitted or required.

The Security Rule does not state exactly what security measures covered entities and their business associates must take to protect ePHI. HHS recognizes that health information technology is a changing field that updates constantly. Further, depending on the size of the organization, different measures are needed. For example, the security measures for a small, single healthcare provider practice won’t be the same as what a large metropolitan hospital must follow.

Within the Security Rule Standards are two types of implementation specifications:

  1. Required – These, as the title suggests, are mandatory for all covered entities.
  2. Addressable – Unlike Required implementation specifications, these allow for flexibility in implementation. However, covered entities cannot ignore them. For example, they must keep ePHI secure, but HHS does not dictate the exact method for securing it.

You can also choose not to implement an addressable specification, but in its place you must use an alternative method for safeguarding the data, and you must document both what you have done and your reasons for doing so.


The 3 required safeguards of the HIPAA Security Rule

The three main categories of the required standards of the Security Rule include physical safeguards, technical safeguards, and administrative safeguards.

1. Physical safeguards for ePHI

Physical safeguards are the first line of defense in protecting ePHI. They are the policies and procedures that limit physical access to your equipment, buildings, and electronic information systems by unauthorized persons.

It includes:

  • Facility access controls. Implement security measures to both control and validate an individual’s access to facilities where ePHI is stored. This may include security systems, sign-in sheets for visitors, and the establishment of restricted areas.
  • Workstation security. Establish the proper function and physical attributes for all workstations that access ePHI, and ensure that they are located in secure areas. Workstations should be equipped with password-protected screensavers.
  • Mobile device security. If mobile devices (laptops, smartphones, or tablets) are used to access or store ePHI, either on or off-site, ensure they are securely stored when not in use and are password protected. Consider using encryption and remote wipe capabilities.
  • Media reuse and/or disposal. Implement policies and procedures regarding the disposal and re-use of electronic media. Make sure that ePHI data is completely destroyed or not recoverable before media is disposed of or reused. This includes methods such as degaussing, disintegration, melting, etc.
  • Physical incident and disaster procedures. Develop and implement policies and procedures for responding to emergencies or other occurrences (like power outages or disasters) that could damage systems containing ePHI. Have a disaster recovery plan in place, and conduct regular drills.
  • Maintenance records. Document all repairs and modifications made to the facility which are related to security (for example, hardware, walls, doors, and locks). This will help to track the security measures in place and assist in maintaining physical safeguards.

2. Technical safeguards for ePHI

The second component is technical safeguards. These are technology-based methods used to protect ePHI and control access to it. This area can be challenging for healthcare providers to understand and usually requires assistance from third-party professionals or consultants. To simplify, technical safeguards cover how technology protects the data and who has access to it.

Examples of technical safeguards include:

  • Access controls. Limit access to ePHI to authorized users, and ensure that all system activity can be traced to a specific user.
  • Audit controls. Covered entities need to implement procedures to view and record activity in information systems that deal with ePHI.
  • Secure data transmission. Encrypt ePHI whenever it is appropriate to do so. While the HIPAA Security Rule does not specifically mandate encryption, it should be utilized whenever deemed a reasonable and appropriate safeguard for both ePHI in transmission and at rest.
  • Data backup. Regular data backups that ensure ePHI can be adequately restored should be conducted as part of a contingency plan.
  • Firewall security. A firewall blocks unauthorized access from outside the network; access to ePHI should additionally require identity-based authorization.
  • Device and media controls. Have policies in place regarding the disposal and re-use of electronic media to ensure ePHI is properly removed before disposal or re-use.
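The access-control and audit-control bullets above describe two safeguards that are easiest to understand together: every read of ePHI is tied to a named user and checked against what that user is permitted to see, and every attempt, allowed or denied, is written to an audit trail whose integrity can be verified during review. The following is an added example written for this article, not code from the article's author or from any HIPAA guidance; the users, roles, patient records and the rule that clinicians must be on a patient's care team are all constructed sample data, and the hash-chained log is one simple way to make tampering with the audit trail detectable.

```python
"""Minimal ePHI access gateway with an integrity-checked audit trail.

Added example (constructed data, not from the article): a user may read a
record only if their role permits the requested fields and, for clinicians,
only if they are on the patient's care team. Every attempt is logged.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample patient records (placeholder clinical values).
RECORDS = {
    "P-1001": {"care_team": {"u.nurse01", "u.doc07"}, "diagnosis": "sample-dx",
               "medications": "sample-rx", "billing_code": "Z00.00"},
    "P-1002": {"care_team": {"u.doc07"}, "diagnosis": "sample-dx",
               "medications": "sample-rx", "billing_code": "Z00.01"},
}
# Constructed workforce directory: each user has one role (information access management).
ROLES = {"u.nurse01": "clinician", "u.doc07": "clinician",
         "u.billing3": "billing", "u.intern9": "intern"}
# Fields each role may read ("minimum necessary"); roles not listed may read nothing.
ROLE_FIELDS = {"clinician": {"diagnosis", "medications"}, "billing": {"billing_code"}}


def _entry_hash(body: dict) -> str:
    """Hash of an entry's canonical JSON form (excluding its own hash field)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only audit trail; each entry commits to the previous entry's hash,
    so an edited or deleted entry breaks the chain on review."""
    entries: list[dict] = field(default_factory=list)

    def record(self, user: str, patient_id: str, action: str,
               outcome: str, detail: str = "") -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                 "patient": patient_id, "action": action, "outcome": outcome,
                 "detail": detail, "prev_hash": prev_hash}
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True if no entry has been altered or removed since it was written."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or _entry_hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def denied(self) -> list[dict]:
        """Entries a reviewer would examine first: refused access attempts."""
        return [e for e in self.entries if e["outcome"] == "DENIED"]


def read_phi(log: AuditLog, user: str, patient_id: str, fields: set[str]) -> dict | None:
    """Return the requested fields for the user, or None if access is refused.
    Every decision is recorded against the specific user who made the request."""
    role = ROLES.get(user)
    record = RECORDS.get(patient_id)
    if role is None or record is None:
        log.record(user, patient_id, "read", "DENIED", "unknown user or patient")
        return None
    allowed = ROLE_FIELDS.get(role, set())
    if not fields <= allowed:
        log.record(user, patient_id, "read", "DENIED",
                   f"fields not permitted for role {role}: {sorted(fields - allowed)}")
        return None
    if role == "clinician" and user not in record["care_team"]:
        log.record(user, patient_id, "read", "DENIED", "no treatment relationship")
        return None
    log.record(user, patient_id, "read", "OK", ",".join(sorted(fields)))
    return {f: record[f] for f in fields}


if __name__ == "__main__":
    log = AuditLog()
    read_phi(log, "u.nurse01", "P-1001", {"diagnosis"})   # allowed: on care team
    read_phi(log, "u.nurse01", "P-1002", {"diagnosis"})   # denied: not on care team
    read_phi(log, "u.billing3", "P-1002", {"diagnosis"})  # denied: wrong role for field
    for e in log.denied():
        print(e["ts"], e["user"], e["patient"], e["detail"])
    print("audit chain intact:", log.verify_chain())
```

In a real deployment the log would be written to storage the application cannot rewrite, and the periodic review of denied entries is what turns the audit control from a record into a detection capability.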

3. Administrative safeguards for ePHI

Finally, administrative safeguards are in place to manage the selection and execution of security measures to protect ePHI and to manage the conduct of the workforce in relation to the protection of that information. These safeguards ensure employee compliance with the Security Rule. They include established policies and procedures, and training on those policies and procedures when dealing with ePHI.

Administrative standards include:

  • Information access management. Only required users have access to patient data.
  • Security personnel. Covered entities must designate a compliance officer to implement and maintain HIPAA Security Rule procedures.
  • Security management process. Security measures must be implemented and assessed.
  • Regularly review and update security policies. Continually monitor and regularly review your security policies, procedures, and practices to ensure they are up-to-date with evolving risks and technologies, and update them as necessary.
  • Workforce training. A covered entity’s workforce should receive annual training on HIPAA compliance. They must be informed of the policies and procedures, and what the sanctions are for violation. And there should be intermittent training as you make changes to your policies and procedures.
  • Vendor management. Ensure compliance with HIPAA regulations by your business associates.
  • Document, document, document. Document all your policies and procedures related to HIPAA security, as well as any actions, activities, or assessments that you conduct. Proper documentation is critical to show your compliance with the Security Rule.


Updates to HIPAA

In addition to the HIPAA Security Rule, it’s important to briefly discuss the HIPAA Privacy Rule. As the first significant addition to HIPAA, this rule defined protected health information (PHI) and set standards for dealing with sensitive patient data.

HIPAA defines PHI as identifiable health information. The keyword here is identifiable, meaning that research scientists can use patient data in their projects, as long as they keep the patient’s identity separate from the medical data.

The Security Rule complements the Privacy Rule. The main difference is that the Security Rule was enacted to cover the growing issue of electronic forms of protected patient data, known as ePHI.

ePHI is any type of patient data (PHI) that is transmitted, stored, or maintained in electronic form. The Security Rule focuses solely on ePHI.


The need for an annual risk assessment

The administrative safeguards of the Security Rule state that HIPAA risk assessments are required. A risk analysis can help your organization determine which of your security measures are robust and where your areas of weakness and potential risks are.

Conduct assessments and analyses on an ongoing basis so that you can routinely track the effectiveness of your security measures, potential vulnerabilities, and security breaches that may have occurred.

Risk assessments help you maintain your security policies and procedures and avoid potential data leaks and breaches. Fines from HHS can range from $100 per violation up to multi-million dollar settlements, and the government may also impose long-term monitoring programs on the organization.


Achieve HIPAA Security Rule compliance

Complying with all of the HIPAA rules, regulations and addendums is a lengthy, complex, and ongoing process. Even if you had the time to sit down and read the entire HIPAA Act and all of its updates, it would be challenging to understand and remember every last detail.

Assess where your organization stands with a HIPAA compliance checklist. Any time is a good time to go over this checklist carefully. It could mean the difference between operating in full compliance and experiencing one or more security incidents, suffering sanctions, and losing the reputation you have built.

When you need proven expertise and performance