HIPAA Security Standards – what are the 3 “big ones”?


HIPAA governs the protection of protected health information (PHI). One part of HIPAA is the HIPAA Security Rule, also called the HIPAA Security Standards, which requires healthcare providers to protect PHI held in electronic form (ePHI).

In order for your business to comply with HIPAA Security Standards, you must always ensure the confidentiality and integrity of ePHI at your clinic. You must also protect yourself against real threats to the security or integrity of data that your organization is responsible for. Along with the measures outlined below, you must protect yourself against any uses or disclosures of PHI that are not allowed by HIPAA policy.

The HIPAA Privacy Rule covers all written, oral and electronic PHI. If you find a breach of your policies or procedures, you must act to correct it right away. If you do not, you can face penalties and/or fines from the Department of Health and Human Services’ Office for Civil Rights.


HIPAA Security Standards for the protection of ePHI

The HIPAA Security Rule comprises three categories of safeguards your business must apply to protect ePHI: physical, technical, and administrative. The HIPAA Security Standards outline ways to keep you and your business safe from privacy breaches.

What are the three standards of the HIPAA security rule?

(1) Physical safeguards for ePHI

You need to protect PHI on your and your employees’ equipment, in your electronic data systems, and in your buildings.

  • Individual Security — Protect individual workstations and devices by ensuring that only approved users have access to ePHI. Physical safeguards must be in place to prevent unauthorized access to PHI.
  • Facility Access Controls — Limit the physical access to your business to protect ePHI.
    1. Restrict access to areas with PHI to approved users only. You may do this with badge or fingerprint locks to limit door entry.
    2. Set policies for the transfer, removal, disposal, creation, and re-use of PHI in your business.
  • Device and Media Controls — Set up procedures for getting and removing hardware or media with PHI. These procedures must track when PHI moves in, around and out of your business.

(2) Technical safeguards for ePHI

You need to protect the way your data is accessed and the tech systems that are in place for that protection.

  • Access Controls — You must put procedures and rules in place to ensure that only authorized users have access to PHI.
    1. Provide each user with a trackable user ID unique to them.
    2. Create a protocol for PHI access in the event of an emergency and ensure that employees know those crisis procedures.
    3. Consider multi-factor authentication for logging in to systems that hold PHI, and configure your systems to log users off automatically after a set period.
  • Audit Controls — Create procedures to record the access to PHI and view the data when needed. Establish routine monitoring to determine policy compliance.
  • Data Transmission — When transmitting data that contains PHI, protect the data from unauthorized access. Encrypting the data in transit is one way to do this, depending on how you want to protect that data. Firewalls may also help with data protection.
  • Integrity Control — Make sure that your data is backed up, and that the data will not be changed or destroyed. The backed-up data must follow the same privacy and security rules as the original data.
  • Person or Entity Authentication — Set procedures to verify that a user seeking access to data is in fact the person they claim to be.
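The technical safeguards above are easier to reason about when you see them as code. The following is an added illustration, not code from the original article or from any HIPAA guidance: it models a unique user ID per session, role-based access limited to the “minimum necessary” fields, automatic logoff after an idle period, an audit trail of every access attempt with a routine review function, and a SHA-256 integrity check that confirms a backup still matches the original record. The users, roles, patient record, timestamps and the 15-minute idle timeout are all constructed for the example.

```python
"""Added example (not from the original article): a minimal model of the
technical safeguards -- unique user IDs, role-based "minimum necessary"
access, automatic logoff, an audit trail, and a backup integrity check.
All users, roles, records and timestamps below are constructed."""
import hashlib
import json
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 900  # assumed policy value: log off after 15 min idle

# Constructed role map: the ePHI fields each role may read ("minimum necessary").
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
    "front_desk": {"name", "appointment"},
}

# Constructed patient record standing in for ePHI.
PATIENT_RECORD = {
    "name": "J. Doe (constructed)",
    "diagnosis": "example-diagnosis",
    "medications": "example-medication",
    "insurance_id": "INS-0000 (constructed)",
    "appointment": "2024-01-01 09:00",
}


@dataclass
class Session:
    user_id: str          # unique, trackable ID assigned to one person
    role: str
    last_activity: float  # epoch seconds, supplied by the caller so runs are deterministic


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user_id, field_name, outcome, at):
        # Audit control: every attempt, granted or denied, is written down.
        self.entries.append({"user": user_id, "field": field_name, "outcome": outcome, "at": at})


def access_field(session, field_name, now, audit):
    """Return the field value if policy allows it, otherwise None; always log the attempt."""
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        audit.record(session.user_id, field_name, "denied:session-expired", now)
        return None
    allowed = ROLE_FIELDS.get(session.role, set())
    if field_name not in allowed:
        audit.record(session.user_id, field_name, "denied:not-in-role", now)
        return None
    session.last_activity = now
    audit.record(session.user_id, field_name, "granted", now)
    return PATIENT_RECORD.get(field_name)


def review_audit(audit):
    """Routine audit review: map each user to the denials recorded against them."""
    flagged = {}
    for entry in audit.entries:
        if entry["outcome"].startswith("denied"):
            flagged.setdefault(entry["user"], []).append(entry["outcome"])
    return flagged


def fingerprint(record):
    """Integrity control: SHA-256 over a canonical JSON serialization of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def backup_is_intact(original, backup):
    """True only if the backup carries exactly the same content as the original."""
    return fingerprint(original) == fingerprint(backup)


def demo():
    """Run the constructed scenario and return the outcomes for inspection."""
    audit = AuditLog()
    t0 = 1_700_000_000.0
    doc = Session("u-1001", "physician", t0)
    clerk = Session("u-2002", "billing", t0)
    results = {
        "doc_dx": access_field(doc, "diagnosis", t0 + 10, audit),        # in role: granted
        "clerk_dx": access_field(clerk, "diagnosis", t0 + 20, audit),    # not in role: denied
        "clerk_ins": access_field(clerk, "insurance_id", t0 + 30, audit),  # in role: granted
        # The physician's last activity was t0 + 10; this call is past the idle limit.
        "doc_idle": access_field(doc, "medications", t0 + 10 + IDLE_TIMEOUT_SECONDS + 1, audit),
    }
    backup = dict(PATIENT_RECORD)
    tampered = dict(PATIENT_RECORD, diagnosis="altered")
    results["backup_ok"] = backup_is_intact(PATIENT_RECORD, backup)
    results["tampered_ok"] = backup_is_intact(PATIENT_RECORD, tampered)
    results["flagged"] = review_audit(audit)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real system the audit log would be append-only storage outside the application's control and the idle timeout would come from policy, but the shape is the same: the decision point logs before it returns, and the review step reads only the log.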

(3) Administrative safeguards for ePHI

The administrative safeguards of HIPAA’s Security Rule are there to protect your organization. The best way to do that is by ensuring that your employees comply with the Security Rule and all suggested safeguards. The following are the administrative safeguards for PHI.

  • Security Management — You must prevent, detect, contain and fix security violations. You must identify potential risks to your business that deal with the privacy, integrity, and availability of PHI. You need to:
    1. Enact security measures against potential risks.
    2. Ensure that penalties and/or sanctions are in place for employees who break the rules, and inform your employees of those sanctions.
    3. Regularly review data records and verify that your business consistently conducts correct procedures.
  • Security Personnel — Your business must assign a security officer to oversee operations. Their duties include creating policies and executing them.
  • Information Access Management — When you or your employees are disclosing PHI, you should guard the patient’s privacy by sharing only the “minimum necessary” amount of data. All access to PHI should be according to the users’ roles at your clinic.
    1. Establish policies and procedures on how to provide the right access to ePHI.
    2. If your clearinghouse is part of a larger group, set up rules and procedures to ensure the larger group does not have unapproved access to ePHI.
    3. Provide security awareness and training for all your employees.
  • Workforce Training and Management — You must train your employees on your policies and procedures, including annual HIPAA Security Standards training. You must:
    1. Provide proper supervision of the employees with access to PHI.
    2. Inform employees not only about policies but also about the risks for non-compliance.
  • Workforce Security — All employees should have access to PHI according to their role at your business. It is your duty to make sure data is not given to the wrong employee.
  • Evaluation — Your business should do periodic evaluations on technical and non-technical levels.
    1. You must regularly review the security measures in place at your business. Does your security comply with the requirements of the HIPAA Security Standards?
    2. You need to maintain security when your organization shares PHI data with other businesses, so you must document your agreements with other businesses when they create, receive, maintain or share PHI data.
  • Response and Reporting — You must report any known breach in rules, documenting the situation and the outcome.
  • Contingency Plan — Make sure you have rules and procedures to follow in the event of an emergency where your system is damaged or down. You must:
    1. Ensure that your data is backed up.
    2. Have a disaster recovery plan to get back any PHI that should be available.
    3. Create an emergency mode operation plan for when the system is down or in times of emergency.
  • HIPAA Risk Assessments — You must conduct ongoing risk assessments for your business. In assessing risk, you need to:
    1. Evaluate potential risks to PHI and figure out how to defend yourself from those risks.
    2. Establish the security needed to protect the PHI from those risks.
    3. Document the process and maintain the security measures.

Threats to security are a real issue. Whether an attack happens in person or online, we always need to protect our patients’ data, so it is important to remind your employees of that. There are many ways to protect our businesses; the items listed here are only the pieces currently required by the rules.

The HIPAA Security Standards suggest many more “addressable” items and actions. While these further actions are not required now, they may be in the future. You can find these suggestions through the links in the first paragraph. However, it is important to note that the items described in this article are rules that can currently result in fines or penalties.


Fines and penalties

HIPAA divides fines and penalties for data breaches into categories. Each category carries a minimum and maximum dollar amount for the breach. These are the current fines:

  • For a breach the entity did not know about and would not have known about with reasonable security measures, the fine per violation ranges from $120 to $60,226.
  • For breaches not involving willful neglect, the fine per violation ranges from $1,205 to $60,226.
  • If a breach is due to willful neglect but is corrected within 30 days of when the entity should have known of the mistake, the fine per violation ranges from $12,045 to $60,226.
  • If a breach is due to willful neglect and is not corrected within 30 days of when the entity should have known of the mistake, the fine per violation ranges from $60,226 to $1,806,757.

Your employees must receive annual training on security and rules set forth by your healthcare organization. In that training, employees should also learn about these fines and penalties assessed by HIPAA in the event of data breaches. Knowing about the possible effects could discourage employees who are tempted to bend the rules or fail to follow procedures.

By doing all of the items described above, your business will be HIPAA compliant in regard to the HIPAA Security Standards.
