What is the HIPAA Security Rule?
The HIPAA Security Rule stipulates the standards and implementation specifications that must be complied with – when applicable – to protect the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). Although it is a separate Rule from the Privacy Rule, the Security Standards for the Protection of ePHI can be regarded as a subset of the Privacy Rule standards, since the Privacy Rule already requires safeguards for all PHI and the Security Rule specifies those safeguards for PHI held or transmitted in electronic form.
One of the most important sections of the Security Rule is the “General Rules” (45 CFR §164.306). These require covered entities and business associates to “Ensure the confidentiality, integrity, and availability of ePHI, protect against any reasonably anticipated threats or hazards to the security and integrity of such information, protect against any reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule, and ensure compliance with the Security Rule by members of the workforce.”
The Security Rule also defines three major categories of safeguards that must be implemented. The first, administrative safeguards, include:
- Security Management Processes, including risk assessments
- Security Personnel who are responsible for overseeing security policies and procedures
- Information Access Management that ensures only authorized individuals have access to ePHI
- Workforce Training and Management
- Evaluation of security policies to ensure their efficacy
Secondly, physical safeguards include:
- Facility Access Control so that only authorized individuals can access the grounds where ePHI is held
- Workstation and Device Security, which may include “clear desk” policies or limited personnel access to offices
And finally, technical safeguards include:
- Access Control that ensures only those with the correct authorization can access ePHI
- Audit Controls that record activity in systems containing ePHI, allowing management to assess who has accessed ePHI and what it has been used for
- Integrity Controls that ensure ePHI is not improperly altered or destroyed, and that any such alteration can be detected
- Transmission Security that ensures ePHI is protected in transit (e.g. by using encrypted channels)
The Security Rule makes a distinction between “required” and “addressable” implementation specifications. The “required” specifications must be implemented as laid out in the Security Rule. However, the “addressable” specifications are not optional. Rather, the Security Rule allows the Covered Entity (CE) or Business Associate (BA) to assess whether the specification is a reasonable and appropriate measure in its environment. The CE or BA could find that there are alternative safeguards that are more suitable to the organization and that offer the same level of protection as the “addressable” specification stipulated in the Security Rule. Whatever the outcome of that assessment, the decision and its rationale must be documented: an addressable specification that is neither implemented nor replaced by a documented equivalent alternative is a compliance gap, not an exercise of flexibility.
The flexibility afforded by this apparent vagueness also means that the Security Rule itself does not need to be constantly updated in line with changing technologies.
All entities that meet the definition of a HIPAA Covered Entity, and their Business Associates, must comply with the standards stipulated by the Security Rule. Non-compliance is a violation of HIPAA, and the CE or BA can be penalized by the Office for Civil Rights (within the Department of Health and Human Services). Most violations are resolved by instituting voluntary compliance measures, but more severe violations may result in financial penalties or even criminal prosecution. For this reason, it is essential that CEs and BAs ensure that all staff, volunteers, and students receive comprehensive HIPAA training.