Getty Images/Tetra images RF
HIPAA Technical Safeguards: A Basic Review
It’s critical to review the requirements of HIPAA technical safeguards to ensure that your healthcare organization is compliant and able to keep PHI safe.
While no healthcare organization can eliminate the possibility of facing a data breach, implementing HIPAA technical safeguards can go a long way toward mitigating cyber risk.
Under the HIPAA Security Rule, healthcare organizations are required to keep electronic protected health information (ePHI) safe from external and internal threats via technical, administrative, and physical safeguards.
Healthcare data breaches occur nearly every day, and threat actors are constantly shifting their tactics and targets to adapt. In response to the ever-changing cyber threat landscape, it is crucial that healthcare organizations implement technical safeguards that are current, comprehensive, and compliant.
What are HIPAA technical safeguards?
According to the HIPAA Security Rule, technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Essentially, a covered entity must implement security measures that allow it to reasonably and appropriately maintain the necessary standards for protection. Moreover, a covered entity must determine which security measures and specific technologies are reasonable and appropriate for their organization.
For example, a smaller healthcare organization might not need the same type of endpoint security tool as a large health information exchange, as it is likely operating on a less complicated system. “A covered entity must establish a balance between the identifiable risks and vulnerabilities to EPHI, the cost of various protective measures and the size, complexity, and capabilities of the entity,” HHS states in its HIPAA Security Series.
Cost is an important factor, but it must not be the only one that a healthcare organization considers, according to HHS. With “reasonable and appropriate” security measures, facilities of any size should be able to keep electronic data secure.
Access and audit controls
Access controls ensure that access to ePHI is limited to those who absolutely need it.
“Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files,” HHS states.
“Access controls should enable authorized users to access the minimum necessary information needed to perform job functions.”
For example, a facility needs to determine the access control capability of all information systems with ePHI and ensure that system activity can be traced to a specific user. It is also critical to create a formal policy for access control that will guide the development of procedures.
Implementing a mechanism to encrypt and decrypt ePHI will also be beneficial. This can help healthcare organizations determine if the chosen encryption method is appropriate for storing and maintaining ePHI while it’s being stored and while it’s being transmitted.
Audit controls require covered entities to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” the HIPAA Security rule states.
A covered entity also needs to document and communicate audit control procedures and protocols. Employees at all levels must understand how often audits will take place, how the results will be analyzed, what the organization’s sanction policies are for employee violations, and where audit information will reside.
Importantly, the Security Rule does not specify what data must be collected by audit controls or how often audit reports should be reviewed. HIPAA gives healthcare organizations the freedom to tailor the required technical safeguards to their organization’s specific needs and risk factors.
Authentication, integrity, transmission security
Covered entities must also institute policies and procedures to protect ePHI from improper alteration or destruction. Organizations can create these controls by figuring out how outside sources might jeopardize information integrity.
Furthermore, healthcare organizations should determine how to secure that data while it’s being stored. For example, error-correcting memory, magnetic disk storage, and digital signatures are all electronic mechanisms that can be used for authentication.
Secure data transmission is also essential for healthcare organizations, especially with the growth of electronic health records (EHRs) and health information exchanges (HIEs). How can covered entities function properly if they cannot securely transmit a patient’s medical records to another facility?
Overall, a comprehensive view needs to be taken when confirming user identities. Healthcare organizations must ensure that a user who is viewing ePHI is actually authorized to do so. Even guaranteeing the validity of a transmission source or access privileges to patient data can go a long way in building strong technical safeguards.
When technical safeguards are properly applied with physical and administrative safeguards, a healthcare organization will be much better prepared for numerous types of data breaches. Data encryption and firewalls are just the beginning, as employees must also be trained properly on how best to handle ePHI.
Technical safeguards must evolve along with healthcare technology. But if an organization takes the necessary steps to keep pace, it will have a much better chance at keeping ePHI from falling into the wrong hands.