The HIPAA Security Rule is a set of regulations intended to protect the security of electronic Protected Health Information (ePHI) in order to maintain the confidentiality, integrity, and availability of ePHI. This is achieved by implementing proper administrative, physical, and technical safeguards. In this three-part series, we'll take time to examine each of these safeguards. The bulk of the Security Rule is focused on administrative safeguards. In this post, we will take a detailed look at the different types of administrative safeguards the HHS requires in order to comply with HIPAA.
Administrative Safeguards are policies and procedures that are implemented to protect the sanctity of ePHI and ensure compliance with the Security Rule. These requirements cover training and procedures for employees regardless of whether the employee has access to protected health information or not.
The HHS intentionally wrote flexible implementation into the Security Rule. At times, they built clear and specific guidelines to follow for implementation, but with other safeguards, they left the details of executing that piece in the hands of the Privacy Officer at each organization. The two types of implementation specifications under the Security Rule are “Addressable” and “Required,” marked (A) and (R) in the lists below.
These standards include:
Security Management Process
- Risk Analysis (R): A process of identifying potential security risks to ePHI and assessing the probability of occurrence and magnitude of each risk.
- Risk Management (R): The practice of implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Sanction Policy (R): Requires covered entities to apply appropriate sanctions against employees who fail to comply with the security policies and procedures of the covered entity.
- Information System Activity Review (R): A covered entity must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. The review should be customized to meet the covered entity’s risk management strategy and take into account the capabilities of all information systems that hold ePHI.
Assigned Security Responsibility (R)
The purpose of Assigned Security Responsibility is to identify who will be operationally responsible for assuring that the covered entity complies with the Security Rule. There are no separate implementation specifications for this standard. The standard requires that covered entities select a security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule. It’s important to note that a covered entity can make one person both the Security Officer and Privacy Officer. Also, other individuals in the covered entity may be assigned specific security responsibilities, but one should be selected as the main person responsible.
Workforce Security
- Authorization and/or Supervision (A): Implementation of procedures for the authorization and/or supervision of employees who work with electronic protected health information or in locations where it might be accessed. Authorization is the process of determining whether a particular user (or a computer system) has the permissions to carry out a certain activity, such as reading a file or running a program.
- Workforce Clearance Procedure (A): To establish the procedures necessary to verify that an employee does in fact have the appropriate access for their job function. The covered entity must determine that the access of an employee to electronic protected health information is appropriate.
- Termination Procedures (A): Termination procedures must be implemented to remove access privileges when an employee, contractor, or other individual previously entitled to access information no longer has these privileges. Regardless of whether the employee leaves the organization voluntarily or involuntarily, procedures to terminate access must be in place, and they should be carried out immediately after the employee is no longer employed by the covered entity. The same process that’s implemented for termination should also be used to change access levels if an employee’s job description changes to require more or less access to ePHI.
Information Access Management
- Isolating Healthcare Clearinghouse Function (R): This applies only when a health care clearinghouse is part of a larger organization. In that situation, the clearinghouse must implement policies and procedures that protect its electronic protected health information from unauthorized access by the larger organization.
- Access Authorization (A): A covered entity must adopt policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. A covered entity’s policies and procedures must clearly identify who has authority to grant access privileges and must state the process for granting access. The covered entity must then consider how access is established and modified.
- Access Establishment and Modification (A): A covered entity must implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. In other words, the covered entity must manage the full lifecycle of access privileges, from creation through modification and review.
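The Workforce Clearance, Termination, and Access Establishment and Modification specifications above all come down to one recurring check: does every account that exists match an active workforce member, and does each account hold only the access its role justifies? The script below is an added example, not part of the original post or any HIPAA guidance; the HR roster, role matrix, entitlement names, and account snapshot are constructed for illustration, and a real review would pull them from the HR system and the directory or application of record.

```python
"""Periodic access review: reconcile active accounts against the HR roster
and a role-to-entitlement matrix. Added example; all data below is constructed."""
from dataclasses import dataclass

# Constructed HR roster: employment status and job role per workforce member.
HR_ROSTER = {
    "jdoe": {"role": "nurse", "status": "active"},
    "asmith": {"role": "billing", "status": "terminated"},
    "bnguyen": {"role": "it_admin", "status": "active"},
}

# Constructed role matrix: the entitlements each role is authorized to hold.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr_read", "ehr_write"},
    "billing": {"claims_read", "claims_write"},
    "it_admin": {"server_login"},
}

# Constructed snapshot of accounts as they currently exist in the systems.
ACCOUNT_ENTITLEMENTS = {
    "jdoe": {"ehr_read", "ehr_write", "claims_read"},   # holds access beyond role
    "asmith": {"claims_read", "claims_write"},           # terminated, still enabled
    "bnguyen": {"server_login"},                         # matches role exactly
    "svc_legacy": {"ehr_read"},                          # no workforce record at all
}


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str    # "orphaned", "terminated", or "excess"
    detail: str


def review_access(roster, role_matrix, accounts):
    """Compare each account to the roster and role matrix; return findings."""
    findings = []
    for account, entitlements in sorted(accounts.items()):
        person = roster.get(account)
        if person is None:
            # Account with no owner: cannot be cleared, must be removed or claimed.
            findings.append(Finding(account, "orphaned", "no matching workforce record"))
            continue
        if person["status"] != "active":
            # Termination procedure was not completed for this account.
            findings.append(Finding(account, "terminated",
                                    "workforce record is not active; revoke all access"))
            continue
        allowed = role_matrix.get(person["role"], set())
        excess = entitlements - allowed
        if excess:
            # Access that the role does not justify; modify rather than revoke entirely.
            findings.append(Finding(account, "excess",
                                    "beyond role: " + ", ".join(sorted(excess))))
    return findings


def revocation_plan(findings):
    """Accounts that must lose all access: orphaned and terminated ones."""
    return sorted(f.account for f in findings if f.kind in ("orphaned", "terminated"))


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ROLE_ENTITLEMENTS, ACCOUNT_ENTITLEMENTS):
        print(f"{f.kind:<10} {f.account:<12} {f.detail}")
    print("revoke:", revocation_plan(review_access(HR_ROSTER, ROLE_ENTITLEMENTS, ACCOUNT_ENTITLEMENTS)))
```

The review distinguishes three outcomes because each calls for a different action: an orphaned account has nobody who can be asked to justify it, a terminated person's account is a failed termination procedure, and excess entitlements on an active account are an access modification, not a revocation. Keeping the output of each run alongside the actions taken gives the documentation the Access Establishment and Modification specification asks for.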
Security Awareness and Training
- Security Reminders (A): The covered entity must issue periodic security reminders, for example when policies and procedures are new or updated, when software or hardware is new or upgraded, when new security technology is introduced, or when the Security Rule itself changes.
- Protection from Malicious Software (A): One important security measure that employees may need to be reminded of is the security software used to protect against malicious software. The covered entity must implement procedures for guarding against, detecting, and reporting malicious software. Under the Security Awareness and Training standard, workforce members must also be trained on their role in protecting against malicious software and on the system’s protection capabilities.
- Log-in Monitoring (A): Inappropriate or attempted log-ins must be tracked, such as when someone enters multiple combinations of usernames and/or passwords to try to access an information system. Fortunately, many information systems can be set to identify multiple unsuccessful log-in attempts. Other systems might record the attempts in a log or audit trail. Still others might require a password reset after a specified number of unsuccessful log-in attempts.
- Password Management (A): Covered entities must have procedures for creating, changing, and safeguarding passwords. Also, covered entities must train all users and establish guidelines for creating passwords and changing them during periodic change cycles (e.g., every 60-90 days).
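The Log-in Monitoring specification just described and the Information System Activity Review specification earlier in the post both presuppose that someone actually reads the audit trail and can pick out repeated unsuccessful log-ins. The script below is an added example of that review step, not code from the original post or from any HIPAA guidance; the log line format, the constructed sample log, and the threshold and window values (five failures within five minutes, a success within thirty minutes of the burst) are assumptions chosen for illustration, and the thresholds would be set from the covered entity’s own risk analysis.

```python
"""Failed-login burst detection over a constructed audit log.
Added example; log format, sample lines and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample audit log: one line per login attempt.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=jdoe src=10.0.0.5 event=login result=SUCCESS
2024-03-01T08:15:02Z user=asmith src=10.0.0.9 event=login result=FAILURE
2024-03-01T08:15:09Z user=asmith src=10.0.0.9 event=login result=FAILURE
2024-03-01T08:15:15Z user=asmith src=10.0.0.9 event=login result=FAILURE
2024-03-01T08:15:21Z user=asmith src=10.0.0.9 event=login result=FAILURE
2024-03-01T08:15:28Z user=asmith src=10.0.0.9 event=login result=FAILURE
2024-03-01T08:15:40Z user=asmith src=10.0.0.9 event=login result=SUCCESS
2024-03-01T09:00:00Z user=bnguyen src=10.0.0.7 event=login result=FAILURE
2024-03-01T11:30:00Z user=bnguyen src=10.0.0.7 event=login result=FAILURE
2024-03-01T11:31:00Z user=bnguyen src=10.0.0.7 event=login result=SUCCESS
"""

# Assumed line layout; adjust the pattern to the real system's audit format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=login result=(?P<result>SUCCESS|FAILURE)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    user: str
    src: str
    success: bool


def parse_line(line):
    """Parse one audit line; return None for malformed lines so review continues."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Attempt(ts, m["user"], m["src"], m["result"] == "SUCCESS")


def parse_log(text):
    return [a for a in (parse_line(l) for l in text.splitlines()) if a is not None]


def find_failure_bursts(attempts, threshold=5, window=timedelta(minutes=5)):
    """Return {user: start_time} for users with >= threshold failures inside a
    sliding time window. Two isolated failures hours apart do not qualify."""
    failures = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        if not a.success:
            failures[a.user].append(a.ts)
    bursts = {}
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1              # slide the window forward
            if end - start + 1 >= threshold:
                bursts[user] = times[start]
                break
    return bursts


def successes_after_burst(attempts, bursts, lookahead=timedelta(minutes=30)):
    """Users whose burst of failures was followed by a SUCCESS within lookahead.
    These go to the top of the review queue: the account may be compromised."""
    flagged = set()
    for a in attempts:
        if a.success and a.user in bursts:
            if timedelta(0) <= a.ts - bursts[a.user] <= lookahead:
                flagged.add(a.user)
    return sorted(flagged)


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    bursts = find_failure_bursts(attempts)
    for user, start in bursts.items():
        print(f"REVIEW  {user}: failure burst starting {start.isoformat()}")
    for user in successes_after_burst(attempts, bursts):
        print(f"URGENT  {user}: successful login shortly after failure burst")
```

The sliding window matters: a fixed count of failures per day would miss a short burst and would flag a user who simply mistypes a password a few times over a shift. The second function captures the case a reviewer most wants to see, a success that follows a burst, which is exactly where the post’s "reset the password after a specified number of unsuccessful attempts" control would have intervened had it been enabled.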
Security Incident Procedures
- Response and Reporting (R): Covered entities must identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Contingency Plan
- Data Backup Plan (R): Covered entities must establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. A data backup plan is an important safeguard for all covered entities and a required implementation specification.
- Disaster Recovery Plan (R): Requires covered entities to establish (and implement as needed) procedures to restore any loss of data. Some covered entities may already have a general disaster plan that meets this requirement; however, each entity must review its current plan to ensure that it allows them to recover ePHI.
- Emergency Mode Operation Plan (R): Establish procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
- Testing and Revision Procedure (A): Periodic testing and revision of contingency plans. This applies to all implementation specifications under the Contingency Plan standard, including the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan.
- Applications and Data Criticality Analysis (A): Assess the relative criticality of specific applications and data in support of other contingency plan components. This requires covered entities to identify their software applications (applications that transmit, maintain, or store ePHI) and determine how important each is to patient care or business needs, in order to prioritize data backup, disaster recovery, and/or emergency mode operation plans.
Covered entities must implement ongoing monitoring and evaluation plans. Covered entities must periodically evaluate their strategy and systems to ensure that the security requirements continue to meet their organizations’ operating environments.
Business Associate Contracts and Other Arrangements
Written Contract or Other Arrangements (R): Have a signed Business Associate Agreement (BAA) contract or other arrangement that meets the applicable requirements of the Organizational Requirements. The agreed contracts are used to confirm that both parties will be HIPAA compliant in their use of any PII or PHI, both physical and digital/electronic.