The HIPAA Security Rule is a set of standards devised by the Department of Health & Human Services (HHS) to improve the security of electronic protected health information (ePHI) and to ensure the confidentiality, integrity, and availability of ePHI at rest and in transit. Although the standards have largely remained the same since their publication in 2003, updates were made by the HITECH Act of 2009, and these were applied to HIPAA in the Omnibus Final Rule of 2013.
This post contains a vastly simplified summary of the HIPAA Security Rule and its requirements.
The HIPAA Security Rule contains required standards and addressable standards. The required elements are essential, whereas there is some flexibility with the addressable elements. Addressable elements cannot be ignored, however: if the decision is taken not to implement an addressable safeguard, an alternative measure is required in its place, and both the decision and the rationale behind it must be documented.
Listed below are the required elements of the security standards general rule:
The HIPAA Security Rule is primarily concerned with the implementation of safeguards, which are split into three types: administrative, technical and physical. These safeguards were developed to help Covered Entities identify and protect against reasonably anticipated threats and impermissible disclosures of electronic PHI (ePHI). In order to achieve these objectives, each Covered Entity has to assess its current security mechanisms, policies and procedures and compile a risk analysis. The risk analysis is a comprehensive, organization-wide analysis of all threats to the confidentiality, integrity, and availability of ePHI. Its aim is to identify all threats and vulnerabilities so that they can be addressed and reduced to a reasonable and acceptable level.
The Administrative Safeguards are policies and procedures that are implemented to help ensure the security of ePHI and ensure compliance with the HIPAA Security Rule.
The Technical Safeguards also deal with access to ePHI, in that they require measures to limit access where appropriate and to introduce audit controls. More important for many Covered Entities are the technical safeguards relating to transmission security (how ePHI is protected in transit to prevent unauthorized disclosure, e.g. via email, SMS, IM, etc.) and the measures that have to be put in place to ensure ePHI is not improperly altered or destroyed, both in transit and at rest.
The key elements of the technical safeguards are:
The physical safeguards cover physical security of the premises in which ePHI is stored and access to the devices on which ePHI is stored. The physical safeguards are split into four standards:
Access controls are required to prevent unauthorized individuals from accessing facilities in which equipment used to store or transmit ePHI is located. Workstation use requires the implementation of policies and procedures covering how workstations must be used and what is and is not permitted. Workstation security requires the use of physical security measures to prevent the viewing of ePHI, such as privacy screens, and physically securing the devices when they are not in use. Device and media controls cover the use of these devices and the removal and destruction of ePHI when the devices are no longer needed or prior to reuse.
There are also several addressable standards, including creating and maintaining an inventory of hardware, creating policies for secure data backup and storage, procedures for contingency operations covering access in emergencies, and policies and procedures covering repairs and modifications to physical elements of a facility.
All Covered Entities and – since the Omnibus Final Rule – Business Associates with whom ePHI is shared, are required to comply with the HIPAA Security Rule. Each entity should appoint a person in charge of compliance with the HIPAA Security Rule (HIPAA Security Officer), who has the responsibility to conduct risk analyses, review existing policies and procedures, and implement appropriate measures to prevent unauthorized access and impermissible disclosures of ePHI. For smaller organizations the role of the HIPAA Security Officer can be combined with that of the HIPAA Privacy Officer.
As well as documenting every step of the journey toward compliance with the HIPAA Security Rule, the person in charge of compliance also has to organize employee training to ensure that everybody who has access to ePHI is aware of the entity's policies and procedures and the sanctions they will face for noncompliance. As well as internal training, a Covered Entity's Compliance Officer should also conduct due diligence on Business Associates to ensure their compliance and review Business Associate Agreements.
The HIPAA Security Rule covers many different uses of ePHI and applies to diverse organizations of different sizes with vastly differing levels of resources. Safeguards that would be reasonable and appropriate for large health systems may not be necessary for small practices. The HIPAA Security Rule therefore incorporates flexibility for Covered Entities and Business Associates. It is also technology-neutral to allow for advances in technology.
The best place to start with Security Rule compliance is the risk analysis. This will provide Covered Entities with a starting point from which other compliance efforts can be planned. Depending on the Covered Entity’s circumstances, a thorough risk assessment will include areas such as:
Once the risk assessment has been completed, the identified risks need to be managed. Covered Entities then have the flexibility to choose safeguards and software solutions to address the risks they have identified. HIPAA Security Officers will need to prioritize the actions taken to address threats and vulnerabilities and tackle the most serious threats first.
Security Rule compliance can be a daunting task, especially for small healthcare organizations and Business Associates. To ensure that no elements are missed, Covered Entities and Business Associates should consider using third-party compliance experts to assess their compliance efforts and identify any gaps.