The HIPAA Security Rule requires administrative, physical, and technical safeguards for ePHI protection. Learn about their implementation specifications.
Discussions of HIPAA usually revolve around the efficiency and effectiveness of the US healthcare system. However, organizations subject to HIPAA will also mention the long and often complicated road to compliance with its rules and regulations. Businesses are especially concerned with implementing the appropriate measures to protect sensitive data. The HIPAA Security Rule outlines the safeguards required for ePHI protection, and this article explains their implementation in simpler terms.
The 1996 Health Insurance Portability and Accountability Act (HIPAA) consists of the HIPAA Privacy and Security Rules, the HIPAA Breach Notification Rule, the HIPAA Omnibus Rule, and the HIPAA Enforcement Rule. There is no hierarchy among these rules, so organizations must meet the requirements of all of them equally if they want to achieve full HIPAA compliance.
HIPAA compliance involves fulfilling the conditions of the 1996 HIPAA, its subsequent amendments, and any related legislation such as HITECH. So, regardless of their size and complexity, covered entities and business associates must apply all administrative, technical, and physical safeguards required by the Security Rule. They must protect the confidentiality, integrity, and availability of PHI using the policies stated in the Privacy Rule and follow the procedure in the HIPAA Breach Notification Rule if any breach of PHI occurs. Finally, organizations must fulfill the HIPAA requirements regarding data breaches and their subsequent mitigation.
This article focuses on the HIPAA Security Rule because it addresses one of the main data security concerns that businesses have: what standards and measures must be applied to safeguard and protect sensitive data? Both covered entities and business associates must know that this rule applies to anybody who has access to electronic protected health information (ePHI). Here, “ePHI” is individually identifiable information relating to an individual’s health status that is created, collected, transmitted, or maintained in any electronic format or medium, and “access” means the ability to read, write, modify, or communicate ePHI that could reveal an individual’s identity.
The HIPAA Security Rule outlines appropriate administrative, physical, and technical safeguards for ePHI protection. These safeguards are achieved by implementing the required policies and procedures. However, the Rule does not specify what those compliance policies and procedures should be. All of these requirements are intentionally vague so that they apply equally to every type of organization that creates, accesses, processes, or stores ePHI.
To understand the Security Rule requirements, covered entities and business associates should be aware of the main implementation specifications. For this purpose, we developed a free compliance assessment application, HIPAA Vitals. HIPAA Vitals considers the organization’s technical profile to select appropriate security controls. The assessment is based on reputable sources, including the Office for Civil Rights (OCR) Audit Protocol, NIST 800-66 Rev. 1, the HIPAA Security Series issued by the Department of Health and Human Services (DHHS), and our professionals’ years of experience implementing HIPAA requirements in different organizations.
HHS recognizes that each covered entity is unique and that no totally secure system exists. As such, all the policies and procedures of the HIPAA Security Rule were intentionally designed to be technology-neutral and scalable (p. 7). This means that they are equally applicable to the smallest provider practices, the largest health plans, and their business associates. To decide which measures to use, it is necessary to conduct an accurate risk assessment, evaluate the security measures already in place, and take into consideration factors unique to each organization (e.g., size, operations). Based on these characteristics, the Rule provides a series of documented solutions for all types of covered entities while affording flexibility in their implementation.
All safeguards defined in the HIPAA Security Rule involve implementation specifications that are either required or addressable. If a policy or procedure is required, the covered entity must implement it regardless of the organization’s size, scope, and complexity. If a policy or procedure is addressable, the covered entity must assess whether implementing that safeguard is reasonable and appropriate in its environment based on the above criteria. Such assessments and decisions must be documented for compliance purposes.
As already stated, the Security Rule contains the administrative, physical, and technical safeguards necessary to keep ePHI safe from unauthorized disclosure, access, or use. Here is a detailed explanation of these safeguards, along with the specifications for their successful implementation.
The Security Rule defines administrative safeguards as “administrative actions, policies, and procedures to manage the implementation, selection, and maintenance of security measures to protect ePHI and to manage the workforce conduct concerning the protection of that information (p. 2)”.
Administrative safeguards are the key elements of a HIPAA compliance checklist. They require assigning a Security Officer to put in place all the measures and policies that protect ePHI. Here is a list of questions that covered entities must ask themselves while assessing their compliance:
To better understand how these questions relate to the Security Rule in practice, consider the following administrative safeguards:
Physical safeguards are “physical measures to protect a covered entity’s electronic information systems as well as related buildings and equipment from natural and environmental hazards, and unauthorized intrusion (p. 2)”. The main standards under physical safeguards are workstation use and security, facility access controls, and device and media controls. Covered entities must implement these safeguards regardless of the physical location of their assets.
Here are some questions to answer while considering the physical safeguards of your information system:
The above questions, together with the following implementation specifications, help in understanding and assessing how well the organization’s safeguards protect ePHI.
The technical safeguards are “the technologies as well as the policies and procedures for their use that protect ePHI and control access to it (p. 2).” One of the main requirements under this section is data encryption. The purpose of encryption is to make data unreadable, undecipherable, and unusable in the event of a breach. The following questions highlight the importance of technical safeguards in general and of data encryption in particular:
The following table shows the implementation specifications and the mechanisms most appropriate for maintaining technical safeguards:
Covered entities must sign Business Associate Agreements (or contracts) with business associates who have access to ePHI. Such an agreement obligates the business associate to:
As outlined above, the HIPAA Security Rule intentionally does not specify which policies and procedures must be implemented to comply with its requirements. However, it does state that these measures must not permit or excuse an action that violates any HIPAA requirement. So, covered entities may implement only reasonable and appropriate procedures, and they may change them at any time, provided that the changes are properly documented and implemented.
The HIPAA Security Rule pays special attention to documentation: organizations must maintain a written record of every action that the Rule requires. In addition, covered entities are required to:
Successful implementation of the above safeguards and requirements will bring your organization closer to HIPAA compliance.
Learn more about the HIPAA Security Rule and get a concise and unbiased analysis of your organization’s compliance with HIPAA Vitals.