The HIPAA Security Rule is a piece of the Healthcare insurance Portability and Accountability Act, passed by Congress and signed into law in 1996. Here is a little information on the Security Rule and a HIPAA Security Rule Checklist so that your organization can quickly and effectively become compliant.
HIPAA Security and Privacy Rules
In 1996, a few pen strokes (and a lot of political wrangling leading up to those pen strokes) made a huge impact on the American healthcare industry: President Bill Clinton signed the Healthcare insurance Portability and Accountability Act into law.
There were essentially two main objectives to the new law. The first was to ensure that Americans would be able to keep their existing health insurance between jobs. This is where the “Portability” aspect of HIPAA comes in to play. This part of HIPAA is very straightforward and as such, doesn’t get discussed nearly as much as the second part of the law, the “Accountability” portion of HIPAA.
The second objective, the Accountability objective, is to maintain the privacy and security of health care American health care patients’ personally identifiable information and data. Passed in the first Internet boom, the Accountability portion also sets certain mandates and standards regarding the electronic submission and transmission of financial data regarding patient health information.
Once signed into law, Title II of HIPAA directed Health and Human Services (HHS) to create a series of guidelines and standards to safeguard patient health data. To make these guidelines and standards more clearly and easily followed, HHS developed regulations which are typically called the HIPAA Privacy Rule and HIPAA Security Rule.
What is the HIPAA Privacy Rule?
The full name of the Privacy Rule is the “Standards for Privacy of Individually Identifiable Health Information.” As we stated at the beginning of this article, our main focus is the Security Rule. But it’s worth noting that in the long title of the Privacy Rule, the data must be traceable to a specific person in order to require protection. That specific wording allows anyone who wants to study health and medical trends by omitting personally identifiable information prior to transmission the legal wiggle room to do so.
What is the HIPAA Security Rule?
The full name of the Security Rule is the “Security Standards for the Protection of Electronic protected Health Information”, and as the long-form name suggest, it creates stipulations to safeguard protected health information (PHI) that is stored or sent between digital devices.
It can be confusing to differentiate these rules because they kind of sound like they are talking about the same thing. Isn’t security a way to maintain privacy, after all? That actually is a correct understanding of HIPAA security compliance: according to the HHS’s own description, the HIPAA Security Rule “operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called ‘covered entities’ must put in place to secure individuals’ ‘electronic protected health information’ (e-PHI).”
So in actuality, the Security Rule complements the Privacy Rule.
What are the Three Standards of the HIPAA Security Rule?
The HIPAA Security Rule can be best assessed or approached by looking at how it applies to three separate areas of compliance: physical, technical, and administrative.
Physical Safeguards for PHI
Physical safeguards refer to how the actual physical access to devices that store PHI is handled – how old or faulty equipment is replaced, access to devices only given to those with proper authorization, how to train 3rd party IT professionals if they must access the equipment for repairs, etc.
Technical Safeguards for PHI
The technical safeguards portion of the compliance refers to the more…well, technical aspects of networked computers and devices that communicate with each other and contain PHI in their transmissions – things like proper network security, firewalls, cyber security authentication protocols, etc. all fall under the HIPAA security rule technical safeguards category.
Administrative Safeguards for PHI
The final portion, administrative safeguards, covers how organizations must set up their employee policies and procedures to comply with the Security Rule. Think of it as a separate, dedicated portion of employee training, both for management and labor – defining who gets access and what they can and can’t do once they get said access.
About HIPAA Security Rule Safeguards
In order to improve the adoption of HIPAA security safeguards across all three portions, the HHS Office for Civil Rights (OCR) is directed to make sure that healthcare entities in both the public and private sector follow HIPAA administrative safeguards for information privacy and security. The OCR has the power to request that healthcare providers, plans, and clearinghouses (essentially, an entity that facilitates health information processing) make certain improvements voluntarily. They are also authorized to penalize organizations with fines.
Complying with the HIPAA Security Rule
It’s obviously not fun to think about having to work your way through federal legislation – as with many laws and bills, they are exceedingly lengthy, intricately complex, and almost aggressively dense. Trying to sit down and read through the entire Health Insurance Portability and Accountability Act front to back would be a tedious process. To help, we have prepared a checklist to help you understand how to comply with HIPAA’s Security Rule. Although this checklist should not be considered comprehensive, it will help to organize your position on various safeguards.
Take the time to go over this HIPAA Security Rule Checklist in full, and be sure to involve all parties with knowledge of each area before checking off the To Do, In Process, or Finished box.
HIPAA Security Rule Checklist
HIPAA Security Series
The HHS has produced seven education papers designed to teach entities how to comply with the security rules. Here’s the gist of the papers.
1) Security 101 for Covered Entities
The main rules you need to familiarize yourself with are the following:
- Privacy Rule
- Electronic Transactions and Code Sets Rule
- National identifier requirements for employers, providers and health plans
- Security Rule
The tricky bit is that not all the above rules are relevant to all entities.
So long as you are a HIPAA covered entity, you must comply with the Security Rule. You are a HIPAA covered entity if you are or provide one of the following:
- Covered Health Care Provider
- Health Plans
- Health Care Clearinghouses
- Medicare Prescription Drug Card Sponsors
In order to ensure you’re complying with the security rule, take this step-by-step approach:
- Assess your current security, taking special note of any risks and gaps.
- Develop a plan to implement measures to eliminate the risks and gaps. To do this, you need to read the Security Rule, evaluate the details pertaining to the proposed implementation and then decide on the security measures to take.
- Once your plan is in place, implement the solutions.
- Document all decisions, as well as analysis and the rationale behind the decisions.
- Periodically review and, if necessary, update the security measures. Don’t forget to document any changes and the reasons behind them.
2) Administrative Safeguards
The administrative safeguards make up more than half of the HIPAA Security requirements, so they are worth paying attention to.
When evaluating your current security measures, you will need to ensure you meet the required standard in the following areas:
- Security Management Process – This refers to your organization’s policies and procedures pertaining to security violations. It encompasses not just preventive measures but also your procedures for detecting, dealing with and containing violations.
- Assigned Security Responsibility – This refers to the person or people appointed to develop and implement the measures and policies designed to enable you to comply with the Security Rule.
- Workforce Security – This refers to the policies and measures you’ve put in place to ensure that all members of your staff can access electronic protected health information in an appropriate manner. For those who are not meant to be granted access to electronic protected health information, your policies and measures should be designed to prevent them from doing so.
- Information Access Management – This refers to how you authorize access to any electronic protected health information, and more specifically to how you restrict access to those who need it.
- Security Awareness and Training – This refers to security training programs put in place for those working in your organization, including those in management.
- Security Incident Procedures – This refers to the policies and procedures you have put in place to deal with any security incidents.
- Contingency Plan – This refers to your procedures for dealing with emergencies or other unexpected occurrences that might damage any of the systems that hold electronic protected health information.
- Evaluation – Your security plans and procedures need to be monitored and evaluated periodically to ensure they are adequate.
- Business Associate Contracts and Other Arrangements – This pertains to instances where a business associate is permitted to create, receive, maintain or transmit electronic protected health information on your behalf. This should be permitted only after you have obtained satisfactory assurances that the information will be safeguarded appropriately by the business associate.
3) Physical Safeguards
Here are the elements that need to be up to standards when it comes to the physical safeguards put in place to protect electronic protected health information.
- Facility Access Controls – Physical access to electronic information systems should be limited, as should the facilities in which such information is stored. Any access must be properly authorized and should be regularly audited.
- Workstation Use – Workstations typically include electronic computing devices like desktops or laptops, but the definition can also be extended to devices like smartphones and tablets that can function similarly and store electronic media. Your policies and measures should also detail how and what these devices can be used for, as well as specify the environment surrounding these workstations.
- Workstation Security – Workstations should be protected by adequate physical safeguards that restrict access to electronic protected health information to authorized users.
- Device and Media Controls – This refers to how you control the receipt, removal and movement of any hardware or electronic media that might hold electronic protected health information into, out of and within a facility.
4) Technical Safeguards
Technical safeguards need to be reviewed very regularly, as technological advances bring new security issues.
The following areas must be reviewed to ensure they meet the required standards.
- Access Control – Access to systems containing electronic protected health information should be adequately restricted only to those people or software programs with access rights.
- Audit Controls – You will have to put in place mechanisms that can record and monitor any information systems activity that uses or stores electronic protected health information, whether through hardware, software or some other mechanism.
- Integrity – Electronic protected health information must be protected from being improperly altered or destroyed.
- Person or Entity Authentication – This refers to measures put in place in order to verify the true identity of any persons or entities hoping to gain access to electronic protected health information.
- Transmission Security – This refers to how you prevent unauthorized access when electronic protected health information is transmitted electronically.
5) Security Standards: Organizational, Policies and Procedures and Documentation Requirements
This installment of the Security Series maps out the standards that must be upheld when dealing with business documentation and more.
Here are the areas to where the relevant standards must be upheld.
- Requirements for Group Health Plans – All documentation provided by group health plans must be designed to ensure that electronic personal health information is safeguarded when created, received, maintained or transmitted.
- Policies and Procedures – This refers to all the policies and procedures put in place by an organization, and which must comply with all the relevant standards, rules, specifications or requirements.
- Documentation – This refers to all written or electronic documentation. Where any action, assessment or activity needs to be documented, records must be appropriately maintained.
6) Basics of Risk Analysis and Risk Management
Complying with the rules requires the undertaking of proper risk analysis and risk management.
The rules state that covered entities should:
- Implement policies and procedures to prevent, detect, contain and correct security violations.
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Generation Requirements of the Security Rule.
7) Security Standards: Implementation for the Small Provider
The final paper sets out a brief overview for small providers. Here is the gist of it:
- Whenever the rules indicate a required implementation specification, all covered entities including small providers must comply. For instance, Section 164.308(a)(1) of the Security Rule requires that a risk analysis be carried out. This applies no matter how small of a provider you are.
- Where an implementation specification is marked “addressable”, you must assess whether this is reasonable and appropriate given your environment. If it is deemed reasonable and appropriate, you must then implement it or an equivalent alternative.
- When determining whether a measure is reasonable and appropriate, consider factors such as cost, size, resources and technical infrastructure. Do note, however, that cost alone may not free you from having to implement an appropriate measure.
Get Help with the HIPAA Security Rule
You’re reading this now after one of two outcomes – you either read it in full, or you skipped down to the bottom. If you’re in the latter camp, it’s probably because the list above is lengthy and quite a bit daunting.
Well, there’s a reason for that – it’s supposed to. The requirements set forth by HIPAA and enforced by the HHS are supposed be stringent – the entire efficacy of the law depends on them being that way.
Trying to take this entire HIPAA Security Rule Checklist on all by yourself is a painful proposition – not only is it a lot of work and responsibility, but without help it may take an exceedingly long time to move all of the boxes into the “Finished” category.
As with any organization, the fact is that you have enough to worry about with your human environment. Not only must you select the right employees at the right positions, but you must then train them correctly (the “Administrative” portion of the Security Rule discussed above) and determine who can access what (the “Physical” safeguards, also discussed above). That alone is plenty to concern yourself with – adding on having to deal with the HIT requirements of every new system piece by piece would be enough to send you over the edge.
Thankfully, you’re not alone, and Atlantic.Net can help. The Health Information Technology for Economic and Clinical Health Act, or HITECH Act, of 2009, was an effort to move the country toward getting health records stored electronically. Health care organizations weren’t required or even expected to undertake this without outside assistance.
Under the HITECH Act, the business associates you do enlist the assistance of are usually directly liable for the Privacy and Security Rules.
And while that is a relief to many organizations, you still must do your due diligence in enlisting the help of only those business associates who themselves adhere to the stringent rules and regulations set forth by HIPAA.
Atlantic.net prides itself on doing just that, regularly and reliably for all of our clients. Selecting Atlantic.net for any HIPAA-Compliant Hosting related needs ensures that you can spend your time and energy worrying about other aspects of HIPAA compliance, and leaving the Technical and Physical safeguards for HIPAA and security (listed above) to us. Get in touch with us today and find out how our team of HIPAA-compliant hosting specialists can make your life easier with any of our Cloud Hosting Solutions.
This article was updated with the most recent information on November 10, 2019.
By Moazzam Adnan