Getty Images/iStockphoto
What is the HIPAA Security Rule?
The HIPAA Security Rule requires covered entities and business associates to implement technical, physical, and administrative safeguards.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the HHS secretary to develop rules for safeguarding electronic protected health information (ePHI). Out of these requirements, HHS created the HIPAA Privacy Rule and the HIPAA Security Rule. Both rules have since become cornerstones of US health data privacy and security.
With a thorough understanding of the HIPAA Security Rule and its many components, summarized below, HIPAA-covered entities and their business associates can ensure compliance and align themselves with security best practices.
Purpose, Goals of the HIPAA Security Rule
"Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry," the HHS website states.
"At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions."
The HIPAA Security Rule requires covered entities and business associates to develop reasonable security policies that ensure the integrity, confidentiality, and availability of all ePHI that the entities possess, create, maintain, or receive, a CMS summary stated.
The rule also contains provisions for identifying threats to ePHI, protecting against impermissible uses or disclosures, and maintaining employee compliance. CMS suggested that entities consider size, complexity, and capabilities when developing security measures, along with cost and infrastructure.
"A major goal of the Security Rule is to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care," HHS explained.
"Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity's particular size, organizational structure, and risks to consumers' [ePHI]."
The HIPAA Security Rule contains a variety of sub-sections, including requirements for administrative, physical, and technical safeguards, as well as risk analysis and management provisions. The rule also requires entities to maintain written security policies and procedures and periodically update their documentation in response to organizational and environmental changes.
Because of its flexibility, certain aspects of the rule are described as "required" while others are "addressable."
"The 'required' implementation specifications must be implemented. The 'addressable' designation does not mean that an implementation specification is optional," HHS states.
"However, it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate."
Risk Analysis Requirements
Covered entities must conduct a thorough risk analysis before considering any specific administrative, physical, and technical safeguards under the HIPAA Security Rule. Understanding an organization's specific risk factors will help management implement appropriate and reasonable security measures that fulfill HIPAA requirements and keep ePHI safe.
An entity's risk analysis process should include an evaluation of the impact and likelihood of risks to ePHI, followed by the implementation of relevant security measures to address those risks. The whole process should be thoroughly documented.
"Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI," HHS states.
Administrative Safeguards
The HIPAA Security Rule text defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information."
HIPAA breaks down administrative safeguards into numerous subcategories. For example, one required standard is a "security management process." Within this standard, covered entities must implement policies to prevent, detect, contain, and correct security violations via risk analysis, sanction policies, and information system activity reviews.
HIPAA administrative safeguards also require covered entities to designate security personnel. Specifically, the security responsibility safeguard requires entities to assign a security official responsible for developing and implementing the security rules.
Administrative safeguards also encompass information access management policies and workforce training for workforce members who handle ePHI. HIPAA encourages entities to implement role-based PHI access to limit how many people access sensitive information.
In addition, entities must perform periodic assessments to determine how well their security policies and procedures meet the HIPAA Security Rule requirements.
Physical Safeguards
Physical safeguards are also critical components of the HIPAA Security Rule and are essential to securing ePHI. Organizations must consider all the places where ePHI may be accessed or used, including medical offices and remote workers' homes.
"Physical safeguards are physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion," the HIPAA Security Rule states.
HIPAA divides physical safeguards into facility access and control and workstation and device security. Facility access and control measures require entities to implement policies that limit physical access to electronic information systems and the facilities where they are housed.
The standard has numerous addressable subdivisions, including access control and validation procedures, creating a facility security plan, and establishing contingency operations.
Workstation and device security standards involve implementing policies to specify proper use of and access to electronic media and workspaces. HIPAA-covered entities also must have procedures regarding the transfer, disposal, re-use, and removal of electronic media to safeguard ePHI.
Technical Safeguards
According to the HIPAA Security Rule, technical safeguards are "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."
Essentially, a covered entity must implement security measures that allow it to reasonably and appropriately maintain the necessary standards for protection. A covered entity must also determine which security measures and specific technologies are reasonable and appropriate for their organization.
Technical safeguards fall into four categories: access control, audit controls, integrity controls, and transmission security.
Following the principle of least privilege, access control ensures that access to ePHI is limited to those who absolutely need it. Audit controls require covered entities to implement hardware, software, and other mechanisms that keep a record of activity in information systems containing ePHI.
Notably, the Security Rule does not specify how often audit reports should be reviewed. HIPAA gives healthcare organizations the freedom to tailor the required technical safeguards to their organization's specific needs and risk factors.
Integrity controls exist to ensure that organizations implement policies to avoid the improper alteration or disposal of ePHI. Transmission security provisions require covered entities to implement technical security measures to guard against unauthorized ePHI access transmitted over an electronic network.
The HIPAA Security Rule has no shortage of important security measures, policies, and procedures that covered entities and business associates must consider to remain in compliance. However, HIPAA also gives entities the freedom to customize their security measures to best serve the needs of the organization.