HIPAA Security Rule

The HIPAA Security Rule is a set of standards devised by the Department of Health & Human Services (HHS) to improve the security of electronic protected health information (ePHI) and to ensure the confidentiality, integrity, and availability of ePHI at rest and in transit. Although the standards have largely remained the same since their publication in 2003, updates to the Rules were made by the HITECH Act of 2009, which were applied to HIPAA in the Omnibus Final Rule of 2013.

This post contains a vastly simplified summary of the HIPAA Security Rule and its requirements.

General Security Standards

The HIPAA Security Rule contains required standards and addressable standards. The required elements are essential, whereas there is some flexibility with the addressable elements. Addressable elements cannot be ignored. If the decision is taken not to implement an addressable safeguard, an alternative measure is required in its place and the decision and rationale behind the decision must be documented.

Listed below are the required elements of the security standards general rule:

  • Ensure the confidentiality, integrity, and availability of ePHI
  • Protect against reasonably anticipated threats to ePHI and vulnerabilities
  • Implement controls to prevent uses and disclosures of ePHI not permitted by the HIPAA Privacy Rule
  • Ensure the entire workforce complies with policies and procedures covering Security Rule compliance

The Administrative, Technical and Physical Safeguards

The HIPAA Security Rule is primarily concerned with the implementation of safeguards, which are split into three types: administrative, technical and physical. The administrative, technical and physical safeguards were developed to help Covered Entities identify and protect against reasonably anticipated threats and impermissible disclosures of electronic PHI (ePHI). In order to achieve these objectives, each Covered Entity has to assess its current security mechanisms, policies and procedures and compile a risk analysis. The risk analysis is a comprehensive, organization-wide analysis of all threats to the confidentiality, integrity, and availability of ePHI. Its aim is to identify all threats and vulnerabilities so that they can be addressed and reduced to a reasonable and acceptable level.

Administrative Safeguards

The Administrative Safeguards are policies and procedures that are implemented to help ensure the security of ePHI and ensure compliance with the HIPAA Security Rule.

  • Develop a security management process to protect ePHI, detect and contain breaches, and correct security violations, including a risk analysis, a risk management process, a sanction policy, and information system activity reviews
  • Appoint a HIPAA Security Officer responsible for compliance with the Security Rule
  • Workforce security – Policies and procedures that ensure only authorized individuals have access to ePHI and systems
  • Information access management – Policies and procedures covering access to information systems and how that access is managed
  • Security awareness and training – Train employees on security awareness
  • Security incident procedures to ensure a rapid response to a security incident is possible
  • Develop a contingency plan covering data backup and policies and procedures for emergencies and natural disasters
  • Evaluation – Regular technical and nontechnical evaluations of security

Technical Safeguards

The Technical Safeguards also deal with access to ePHI, in that they require measures to limit access where appropriate and to introduce audit controls. More important for many Covered Entities are the technical safeguards relating to transmission security (how ePHI is protected in transit to prevent unauthorized disclosure, i.e., via email, SMS, IM, etc.) and the measures that have to be put in place to ensure ePHI is not improperly altered or destroyed, both in transit and at rest.

The key elements of the technical safeguards are:

  • Access controls – The use of unique identifiers for individuals and technical controls to prevent unauthorized individuals from accessing ePHI or systems used to create, store, maintain, or transmit ePHI
  • Audit controls – Creation of mechanisms to record activity related to ePHI and access attempts and monitoring of logs
  • Integrity controls – Controls to prevent the unauthorized alteration or destruction of ePHI
  • Authentication of individuals and entities – The use of authentication measures to verify the identity of an individual before access to ePHI is granted
  • Transmission security – Technical measures to prevent unauthorized access or alteration of ePHI in transit

Physical Safeguards

The physical safeguards cover physical security of the premises in which ePHI is stored and access to the devices on which ePHI is stored. The physical safeguards are split into four standards:

  • Facility access controls
  • Workstation use
  • Workstation security
  • Device and media controls

Access controls are required to prevent unauthorized individuals from accessing facilities in which equipment used to store or transmit ePHI is located. Workstation use requires the implementation of policies and procedures covering how workstations must be used and what is and is not permitted. Workstation security requires the use of physical security measures to prevent the viewing of ePHI, such as privacy screens and physically securing the devices when they are not in use. Device and media controls cover the use of these devices and the removal and destruction of ePHI when the devices are no longer needed or prior to reuse.

There are also several addressable standards, including creating and maintaining an inventory of hardware, creating policies for secure data backup and storage, procedures for contingency operations covering access in emergencies, and policies and procedures covering repairs and modifications to physical elements of a facility.

Responsibility for Compliance with the HIPAA Security Rule

All Covered Entities and – since the Omnibus Final Rule – Business Associates with whom ePHI is shared, are required to comply with the HIPAA Security Rule. Each entity should appoint a person in charge of compliance with the HIPAA Security Rule (HIPAA Security Officer), who has the responsibility to conduct risk analyses, review existing policies and procedures, and implement appropriate measures to prevent unauthorized access and impermissible disclosures of ePHI. For smaller organizations the role of the HIPAA Security Officer can be combined with that of the HIPAA Privacy Officer.

As well as documenting every step of the journey toward compliance with the HIPAA Security Rule, the person in charge of compliance also has to organize employee training to ensure that everybody who has access to ePHI is aware of the entity's policies and procedures and the sanctions they will face for noncompliance. As well as internal training, a Covered Entity's Compliance Officer should also conduct due diligence on Business Associates to ensure their compliance and review Business Associate Agreements.

Tips for Complying with the HIPAA Security Rules

The HIPAA Security Rule covers many different uses of ePHI and applies to diverse organizations of different sizes with vastly differing levels of resources. Safeguards that would be reasonable and appropriate for large health systems may not be necessary for small practices. The HIPAA Security Rule therefore incorporates flexibility for Covered Entities and Business Associates. It is also technology-neutral to allow for advances in technology.

The best place to start with Security Rule compliance is the risk analysis. This will provide Covered Entities with a starting point from which other compliance efforts can be planned. Depending on the Covered Entity's circumstances, a thorough risk assessment will include areas such as:

  • How ePHI is created, used and stored within the organization.
  • How ePHI is shared outside the organization with Business Associates.
  • How ePHI is protected against cyberattacks.
  • How ePHI is protected (and accessible) in the event of an emergency or natural disaster.

Once the risk assessment has been completed, risks need to be managed. Covered Entities then have the flexibility to choose safeguards and software solutions to address the risks they have identified. HIPAA Security Officers will need to prioritize the actions taken to address threats and vulnerabilities and tackle the most serious threats first.

Security Rule compliance can be a daunting task, especially for small healthcare organizations and Business Associates. To ensure that no elements are missed, Covered Entities and Business Associates should consider using third-party compliance experts to assess their compliance efforts and identify any gaps.