The HIPAA Security Rules consist of three sets of standards published by the Department of Health & Human Services (HHS). The standards consist of the administrative, technical and physical safeguards that have to be implemented where appropriate to ensure the confidentiality, integrity and security of electronic PHI in transit and at rest. Although the standards have remained the same since their publication in 2003, updates to the Rules in the HITECH Act of 2009 and the Final Omnibus Rule of 2013 affect who they apply to and the penalties for non-compliance.
The administrative, technical and physical safeguards have been developed in order to help Covered Entities identify and protect against reasonably anticipated threats and impermissible disclosures of electronic PHI (ePHI). In order to achieve these objectives, each Covered Entity has to assess its current security mechanisms, policies and procedures and compile a risk analysis which prioritizes potential vulnerabilities so any weaknesses can be addressed.
The Administrative Safeguards cover the appointing of a HIPAA Security Officer (see below), the initial risk assessment and analyses process, and ongoing evaluation – especially when new work practices or technology is introduced. This area of the HIPAA Security Rules also deals with Information Access Management, which limits the amount of access personnel have to ePHI to a level appropriate for their role.
The Technical Safeguards also deal with access to ePHI inasmuch as implementing measures to limit access where appropriate and introducing audit controls. More important for many Covered Entities are the technical safeguards relating to transmission security (how ePHI is protected in transit to prevent unauthorized disclosure- i.e. email, SMS, IM, etc.) and the measures that have to be put in place to ensure ePHI is not improperly altered or destroyed, both in transit and at rest.
The physical safeguards not only address the physical security of the premises in which ePHI is stored and the devices they are stored on, it also raises issues about the visibility of ePHI on workstation screens and employees´ mobile devices. For example, the positioning of workstation screens should be such that their content cannot be read by passing third parties, while mobile devices should have automatic time-outs to protect the integrity of ePHI when the device is left unattended.
The safeguards are described as either being “required” or “addressable”. An addressable safeguard does not mean it is optional. It simply gives a Covered Entity the opportunity to determine whether an addressable safeguard is appropriate in its specific circumstances, or if an existing/alternative solution resolves the issue the safeguard is trying to prevent. Covered Entities are required to comply with every safeguard, or provide reasons why one or more has not been actioned.
All Covered Entities and – since the Final Omnibus Rule – Business Associates with whom ePHI is shared are required to comply with the HIPAA Security Rules. Each should appoint a person in charge of compliance with the HIPAA Security Rules (the HIPAA Security Officer), who has the responsibility to conduct risk assessments and risk analyses, review existing policies and procedures, and implement appropriate measures to prevent impermissible disclosures of ePHI.
As well as documenting every step of the journey to compliance with the HIPAA Security Rules, the person in charge of compliance also has to organize employee training so everybody who has access to ePHI is aware of the policies and procedures, and aware of the sanctions they will face for non-compliance. As well as internal training, a Covered Entity´s Compliance Office should also conduct due diligence on Business Associates to ensure their compliance and review Business Associate Agreements.
As the HIPAA Security Rules have been written in to cope with the many different uses of ePHI in healthcare-related industries – and are purposefully technology-neutral – the best way to comply with the Rules is to first conduct a thorough assessment of potential risks and vulnerabilities. This will provide Covered Entities with a starting point from which other compliancy efforts can be planned. Depending on the Covered Entities´ circumstances, a thorough risk assessment will include areas such as:
Once the risk assessment has been completed, Covered Entities will be able to determine what safeguards required by the HIPAA Security Rules are already in place and whether or not they are configured and being used as intended. From this point, HIPAA Security Officers will be able to prioritize the measures that need to be taken in order to comply with the HIPAA Security Rules.