HIPAA is composed of several different “HIPAA Rules”, each governing a different aspect of patient privacy. One such rule is the HIPAA Security Rule, which broadly addresses the steps needed to ensure that patient data remains private. But what is the HIPAA Security Rule? What does it mean for Covered Entities (CEs) and their Business Associates (BAs)?
The Security Standards for the Protection of Electronic Protected Health Information (shortened to the Security Rule) were introduced in 2003 to lay out how the protections required in the HIPAA Privacy Rule should be implemented. The Privacy Rule, broadly, defines “Protected Health Information” (PHI; the patient data that is protected by HIPAA) and lays out when it can be used and disclosed. However, it does not actually offer any guidance on how to ensure that the data remain private.
The Security Rule addresses this gap by establishing a set of standard administrative, physical, and technical safeguards that all CEs and BAs must implement. These safeguards apply only to electronic PHI (ePHI: PHI that is created, received, maintained, or transmitted electronically). Verbal or paper PHI is not protected under the Security Rule, though it may be protected under other aspects of HIPAA (such as the Minimum Necessary standard) or other legislation. The focus on ePHI in part reflects the increasing use of digital technologies within healthcare.
The Security Rule defines three major categories of safeguards that must be implemented. The first, administrative safeguards, include:
- Security Management Processes, including risk assessments
- Security Personnel who are responsible for overseeing security policies and procedures
- Information Access Management that ensures only authorized individuals have access to ePHI
- Workforce Training and Management
- Evaluation of security policies to ensure their efficacy
Secondly, physical safeguards include:
- Facility Access Control so that only authorized individuals can access the grounds where ePHI is held
- Workstation and Device Security, which may include “clear desk” policies or limited personnel access to offices
And finally, technical safeguards include:
- Access Control that ensures only those with the correct authorization can access ePHI
- Audit Controls that allow management to assess who has accessed ePHI and what it has been used for
- Integrity Controls that ensure ePHI is not improperly altered or destroyed
- Transmission Security that ensures ePHI is protected in transit (e.g. by using encrypted channels)
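As an added illustration (not part of the original article, and not an official HIPAA implementation) of how the first three technical safeguards listed above can be realised in software: a hypothetical role-based access check that writes every ePHI access attempt, allowed or denied, to an HMAC-chained audit log, so that editing, reordering, or deleting log entries is detectable afterwards. The role map, user names, record identifiers, and signing key are all constructed for this example; transmission security is out of scope here.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical role-to-permission map (constructed for this example).
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "billing": {"read"},
    "it_admin": set(),          # administers systems, never reads ePHI
}

GENESIS_TAG = "0" * 64          # chain anchor for the first entry


class AuditLog:
    """Append-only audit trail (audit + integrity controls).

    Each entry carries an HMAC over its own fields plus the previous
    entry's tag, so modifying, reordering or deleting an entry breaks
    the chain and verify() reports where it broke."""

    def __init__(self, key: bytes):
        self._key = key            # constructed demo key; keep real keys in an HSM/KMS
        self.entries = []
        self._prev_tag = GENESIS_TAG

    def _tag(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, user: str, role: str, action: str, record_id: str, allowed: bool) -> dict:
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "record_id": record_id,
            "allowed": allowed,
            "prev": self._prev_tag,   # back-link to the previous entry
        }
        entry = dict(body, tag=self._tag(body))
        self.entries.append(entry)
        self._prev_tag = entry["tag"]
        return entry

    def verify(self):
        """Return None if the chain is intact, otherwise the index of the
        first entry whose tag or back-link does not check out."""
        prev = GENESIS_TAG
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body["prev"] != prev or not hmac.compare_digest(self._tag(body), entry["tag"]):
                return i
            prev = entry["tag"]
        return None


def access_ephi(log: AuditLog, user: str, role: str, action: str, record_id: str) -> bool:
    """Access control: permit only the actions allowed for the caller's role.
    Unknown roles get no permissions. Every attempt is audited."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.record(user, role, action, record_id, allowed)
    return allowed


if __name__ == "__main__":
    log = AuditLog(b"constructed-demo-key-do-not-reuse")
    print(access_ephi(log, "dr_smith", "physician", "read", "MRN-0001"))   # True
    print(access_ephi(log, "jdoe", "billing", "update", "MRN-0001"))       # False
    print(log.verify())                                                    # None
    log.entries[1]["allowed"] = True     # simulate someone editing the log
    print(log.verify())                                                    # 1
```

The point of the chain is that an audit log is only useful as evidence if it cannot be quietly rewritten; keying the HMAC with a secret that the application's own service account cannot read is what makes the integrity check meaningful in practice.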
The Security Rule makes a distinction between “required” and “addressable” safeguards. The “required” safeguards must be implemented as laid out in the Security Rule. The “addressable” safeguards, however, are not optional: rather, the Security Rule allows the Covered Entity to assess whether the safeguard is an appropriate measure for its environment. The CE may find that alternative safeguards are more suitable to its organization and offer the same level of protection as the “addressable” safeguards stipulated in the Security Rule, in which case it implements those alternatives and documents the reasoning.
The flexibility afforded by this apparent vagueness also means that the Security Rule itself does not need to be constantly updated in line with changing technologies.
All entities that meet the definition of a HIPAA Covered Entity, and their Business Associates, must comply with the standards stipulated by the Security Rule. Non-compliance is a violation of HIPAA, and the CE or BA can be penalized by the Office for Civil Rights (within the Department of Health and Human Services). Most violations are resolved by instituting voluntary compliance measures, but more severe violations may result in financial penalties or even criminal prosecution. For this reason, it is essential that CEs and BAs ensure all staff, volunteers, and students receive comprehensive HIPAA training.