In this video, we will cover the Security Rule which laid out the safeguards for the protection of electronic Protected Health Information (ePHI) including maintaining its confidentiality and availability. This means protecting ePHI against unauthorized access, threats to security but providing access for those with authorization. This section will go into great detail about the three general categories of the Security Rule: administrative safeguards, physical safeguards, and technical safeguards.
We’ve just discussed the HIPAA privacy rule, which protects the use and disclosure of PHI, regardless of the form in which it exists. But now we’ll move on to the security rule. The Security Rule sets the security standards for the protection of Electronic Protected Health Information (ePHI) which is health information that is held or transmitted specifically in electronic form. The Security Rule is a set of regulations designed to ensure the confidentiality, integrity, and accessibility of Electronic Protected Health Information. This means protecting ePHI against unauthorized access, use, or disclosure; guarding against threats or hazards to the security or integrity of ePHI, and providing access to ePHI to authorized persons when required. The Security Rule, like the Privacy Rule, applies to all covered entities and business associates that transmit or store PHI electronically. The Department of Health and Human Services (HHS) recognizes that covered entities and business associates range from small providers to very large hospitals and health plans. Accordingly, the Security Rule is intended to be flexible enough to allow entities to analyze their own business needs and determine solutions to fit the nature of their business.
The Security Rule is made up of three types of required standards that all covered entities and business associates must follow: administrative safeguards, physical safeguards, and technical safeguards.
The majority of the Security Rule is focused on the Administrative safeguards which refer to the administrative actions, policies, and procedures put in place to manage the development, implementation, and maintenance of an entity’s security measures. The rule sets out specific administrative safeguard standards, the first of which is the security management process. This says that a covered entity must conduct regular and thorough HIPAA risk assessments to identify potential security vulnerabilities so that they are then able to implement necessary security measures to address those weaknesses. The second standard of security personnel is achieved through the appointment of a Privacy Officer who maintains responsibility for developing and implementing the organization’s security policies, procedures and training. The next is information access management which focuses on restricting access to ePHI to only authorized personnel and to those people only when it is necessary to complete their job. The final administrative safeguard deals with workforce training and security awareness. Employees need to complete an annual HIPAA training, such as these videos, in addition to being trained in an organization specific security protocols and procedures starting from the date of hire with regular updates as needed. Contingency plans also need to be implemented so that in the event of an emergency or natural disaster that could damage systems containing the ePHI, all personnel are aware of the correct next steps to take.
Let’s move on to physical safeguards. Physical safeguards are the procedures for protecting PHI within the electronic information systems, physical equipment, or buildings that it is stored in. These safeguards include facility access controls such as door locks and personnel badges that control who is able to enter the facilities that hold PHI or ePHI. When it comes to ePHI, any computer, tablet or smartphone that can access ePHI needs to have proper protection and security so that unauthorized users cannot use that device to view private information. This includes passwords and electronic encryption as well as procedures for storing and disposing of these devices outside of the secure facility.
The last type of safeguard, technical safeguards, are just as important to ensure that there’s a very low probability of a breach of PHI. The first element of this safeguard is implementing policies and procedures that limit access to ePHI to only those who are authorized. In addition to access controls, audit controls should be used via hardware or software to record and monitor system access and activity. This aspect is extremely important as it allows organizations to see exactly what information was accessed, who accessed it and how long it was viewed which is instrumental in mitigating damage in the event of a breach. Transmission security is also an important element to prevent unauthorized access of ePHI that is being transmitted electronically, especially over the internet or via email. Verifying user identification, typically through the use of passwords, pins, digital signatures, or biometric mechanisms are also an important element of technical safeguarding your ePHI.
Organizations are required to implement reasonable and appropriate policies and procedures to comply with the security rule’s standards that we just outlined. All written security policies and procedures must be kept at least six years from their last effective date, and organizations must periodically review their policies to ensure continued compliance with the security rule. And that wraps up the Security Rule. Next up, the Hitech Act and the Omnibus Rule.