What is the HIPAA Security Rule?

by Adnan Raja (131 posts) under Healthcare IT

The HIPAA Security Rule is a piece of the Health Insurance Portability and Accountability Act, passed by Congress and signed into law in 1996. Here is some background on the Security Rule and a security checklist so that your organization can quickly and effectively become compliant.

  • HIPAA Security and Privacy Rules
  • HIPAA Security Checklist
  • Get Help

HIPAA Security and Privacy Rules

In 1996, a few pen strokes (and a lot of political wrangling leading up to those pen strokes) made a huge impact on the American healthcare industry: President Bill Clinton signed the Health Insurance Portability and Accountability Act into law.

There were essentially two main objectives to the new law. The first was to ensure that Americans would be able to keep their existing health insurance between jobs. This is where the “Portability” aspect of HIPAA comes in to play. This part of HIPAA is very straightforward and as such, doesn’t get discussed nearly as much as the second part of the law, the “Accountability” portion of HIPAA.

The second objective, the Accountability objective, is to maintain the privacy and security of American health care patients’ personally identifiable information and data. Passed during the first Internet boom, the Accountability portion also sets mandates and standards for the electronic submission and transmission of financial data related to patient health information.

Once signed into law, Title II of HIPAA directed Health and Human Services (HHS) to create a series of guidelines and standards to safeguard patient health data. To make these guidelines and standards more clearly and easily followed, HHS developed regulations which are typically called the HIPAA Privacy Rule and HIPAA Security Rule.

The full name of the Privacy Rule is the “Standards for Privacy of Individually Identifiable Health Information.” As we stated at the beginning of this article, our main focus is the Security Rule. But it’s worth noting that in the long title of the Privacy Rule, the data must be traceable to a specific person in order to require protection. That specific wording allows anyone who wants to study health and medical trends by omitting personally identifiable information prior to transmission the legal wiggle room to do so.

The full name of the Security Rule is the “Security Standards for the Protection of Electronic Protected Health Information”, and as the long-form name suggests, it creates stipulations to safeguard protected health information (PHI) that is stored on or sent between digital devices.

It can be confusing to differentiate these rules because they kind of sound like they are talking about the same thing. Isn’t security a way to maintain privacy, after all? That actually is a correct understanding of HIPAA security compliance: according to the HHS’s own description, the HIPAA Security Rule “operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called ‘covered entities’ must put in place to secure individuals’ ‘electronic protected health information’ (e-PHI).”

So in actuality, the Security Rule complements the Privacy Rule. It can be best assessed or approached by looking at how it applies to three separate areas of compliance: physical, technical, and administrative.

Physical safeguards refer to how physical access to devices that store PHI is handled – how old or faulty equipment is replaced, how access to devices is granted only to those with proper authorization, how 3rd party IT professionals are trained if they must access the equipment for repairs, etc.

The technical portion of the compliance refers to the more…well, technical aspects of networked computers and devices that communicate with each other and contain PHI in their transmissions – things like proper network security, firewalls, cyber security authentication protocols, etc. all fall under the technical category.

The final portion, administrative, covers how organizations must set up their employee policies and procedures to comply with the Security Rule. Think of it as a separate, dedicated portion of employee training, both for management and labor – defining who gets access and what they can and can’t do once they get said access.

In order to improve the adoption of HIPAA security safeguards across all three portions, the HHS Office for Civil Rights (OCR) is directed to make sure that healthcare entities in both the public and private sector follow HIPAA administrative safeguards for information privacy and security. The OCR has the power to request that healthcare providers, plans, and clearinghouses (essentially, an entity that facilitates health information processing) make certain improvements voluntarily. They are also authorized to penalize organizations with fines.

HIPAA Security Checklist

It’s obviously not fun to think about having to work your way through federal legislation – as with many laws and bills, they are exceedingly lengthy, intricately complex, and almost aggressively dense. Trying to sit down and read through the entire Health Insurance Portability and Accountability Act front to back would be an exercise in masochism. Thankfully, HIPAA has been law for long enough and affected enough people in and around the entire health care industry that all of its language has been thoroughly analyzed and the major components for compliance of the Security Rule and other aspects have been drawn out in a streamlined form. Although this checklist should not be considered comprehensive, it will help to organize your position on various safeguards.

Take the time to go over this list in full, and be sure to involve all parties with knowledge of each area before checking off the To Do, In Process, or Finished box.

Each question below has three status boxes: To Do, In Process, and Finished.

1. Did you complete employee training related to HIPAA with a full program (ranging from employee responsibilities to HIPAA fines)?
2. Did you set up mechanisms to stay abreast of changes to HHS guidelines so that you can retrain staff as needed?

HIPAA Projects
3. Did you assign a project manager and project team?
4. Did you develop a project plan?

Virtual Billing
5. Did you create an inventory of your data environments and operational steps related to digital transactions?
6. Did you put together a list of outside partners related to online transactions?
7. Did you collect and analyze your bills and operations to ensure compliance with the HIPAA Electronic Claims Transaction and Code Set rules?

The Privacy Rule
8. Did you assign someone (usually a current employee) as your internal HIPAA privacy and security compliance officer? Do you have a compliance plan? (HIPAAnews suggests that this position should focus on “such things as fraud and abuse, codes of conduct, whistle-blower suits, auditing and monitoring, disciplinary standards and personnel issues, responding to problems, investigations and corrective actions.”)
9. Did you create a notice on data best practices to post and hand out to every patient?
10. Did you collect and analyze your forms and operations to ensure compliance with the HIPAA Privacy Rule?
11. Did you check that your human resources operations safeguard the privacy of your staff’s personal health data?
12. Did you develop specific, written steps to collect, store, transfer, and get rid of PHI?
13. Did you create a documented way to handle complaints?
14. Did you create patient authorization forms as described by the law?
15. Did you create authorization forms and other information in all main languages spoken by your clients (think Spanish)?

The Security Rule
16. Did you perform a complete risk assessment on your existing infrastructure?
17. Did you safeguard your machines with anti-virus protections, firewalls, VPNs, SSL certificates, and related technologies?
18. Did you establish a system for daily backup?
19. Did you develop disaster recovery and business continuity plans?
20. Did you adopt security policies and procedures for all your operations? (HIPAAnews lists the numerous elements for which your company should have these in place: “confidentiality statements, individually identifying information of system users, passwords, automatic logoff, acceptable use, e-mail, internet usage, authentication of workstations, monitoring and documenting unauthorized access, audit trails of users, sanctions for misuse or disclosure and termination checklists.”)
21. Did you review physical security and harden as needed?
22. Did you write and provide job descriptions for the roles required by the healthcare law?
23. Did you familiarize yourself with the stipulations of the National Provider Identifier Standard (NPI)?

Get Help

You’re reading this now after one of two outcomes – you either read it in full, or you skipped down to the bottom. If you’re in the latter camp, it’s probably because the list above is lengthy and quite a bit daunting.

Well, there’s a reason for that – it’s supposed to be. The requirements set forth by HIPAA and enforced by the HHS are supposed to be stringent – the entire efficacy of the law depends on them being that way.

Trying to take this entire list on all by yourself is a painful proposition – not only is it a lot of work and responsibility, but without help it may take an exceedingly long time to move all of the boxes into the “Finished” category.

As with any organization, the fact is that you have enough to worry about with your human environment. Not only must you select the right employees at the right positions, but you must then train them correctly (the “Administrative” portion of the Security Rule discussed above) and determine who can access what (the “Physical” safeguards, also discussed above). That alone is plenty to concern yourself with – adding on having to deal with the HIT requirements of every new system piece by piece would be enough to send you over the edge.

Thankfully, you’re not alone, and Atlantic.Net can help. The Health Information Technology for Economic and Clinical Health Act, or HITECH Act, of 2009, was an effort to move the country toward getting health records stored electronically. Health care organizations weren’t required or even expected to undertake this without outside assistance – but bringing in 3rd party business associates opens your organization up to another level of exposure and potential violations.

Thankfully, under the HITECH Act, the business associates you do enlist the assistance of are directly liable for the Privacy and Security Rules.

And while that is a relief to many organizations, you still must do your due diligence in enlisting the help of only those business associates who themselves adhere to the stringent rules and regulations set forth by HIPAA.

Atlantic.net prides itself on doing just that, regularly and reliably for all of our clients. Selecting Atlantic.net for any HIPAA-Compliant Hosting related needs ensures that you can spend your time and energy worrying about other aspects of HIPAA compliance, and leaving the Technical safeguards (listed above) to us. Get in touch with us today and find out how our team of HIPAA-compliant hosting specialists can make your life easier with any of our Cloud Hosting Solutions.

By Moazzam Adnan
