A Review of HIPAA Technical Safeguards
The threat of HIPAA violations and of protected health information (PHI) being compromised continues to be a challenge for covered entities and business associates. Although HIPAA may seem confusing and cumbersome, its goal is to help you reduce the risks to your organization and to the information you store or transmit. One set of these requirements is the Technical Safeguards detailed within the HIPAA Security Rule.
HIPAA Security Rule
The HIPAA Security Rule requires three kinds of safeguards that organizations must implement: administrative, physical and technical. Today we’ll focus on the technical safeguards, which outline the protections organizations need to have in place to protect electronic protected health information (ePHI).
What are Technical Safeguards?
Technical Safeguards are defined by HHS as “the technology and the policy and procedures for its use that protect electronic protected health information (ePHI) and control access to it.” This can often be the most challenging part of the regulation to understand and implement. As with other HIPAA requirements we have looked at in the past, many of the specific technical safeguards are “addressable” within HIPAA.
Essentially this means that healthcare organizations should adopt these security measures and apply them reasonably and appropriately to their specific technologies and business. It is important to remember that addressable safeguards are not optional; they are simply tailored to each organization.
Access Control
The first technical safeguard, and the most extensive one, is just what it sounds like: carefully controlling access to ePHI. This key standard under the Security Rule contains several implementation specifications, some of which are required while others are addressable.
The two required specifications under access control are, first, assigning a unique user identifier to each workforce member so that their activity in systems holding ePHI can be tracked and attributed to them, and second, establishing procedures for obtaining ePHI in an emergency, which should be detailed and planned out in your contingency plan.
The addressable specifications are a mechanism to encrypt and decrypt ePHI, and automatic logoff that ends a session after a set period of inactivity so that an unattended workstation does not give unauthorized access.
Audit Controls
Next, audit controls refer to covered entities using systems that record and examine all activity that occurs in relation to ePHI. This could be in the form of hardware, software or other mechanisms covering every system that contains or uses ePHI in any way. The importance of this is that if ePHI is suspected to have been compromised, it is possible to see exactly who accessed what information, when, and for what purpose. All of this leads to better security of ePHI, which is the overall goal of the Security Rule and its technical safeguards.
Integrity
The third technical safeguard standard is Integrity, which involves ensuring that ePHI and other health data is not improperly destroyed or altered. When ePHI is altered or deleted, healthcare organizations can experience quality-of-care or even patient-safety problems. The integrity standard was introduced so that organizations implement policies and procedures to prevent the improper alteration or destruction of ePHI, whether by human or electronic error. The addressable specification under this safeguard expects organizations to take the electronic measures that are reasonable for their specific environment to reduce the risk of ePHI being altered or destroyed.
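The audit controls and integrity standards above are easiest to see together: an access record that answers "who accessed which ePHI, when and why" is only useful if the record itself cannot be quietly edited. The following is an added example (not from the original post, and not an HHS-prescribed method) of an append-only ePHI access log whose entries are chained with an HMAC so that any edit, deletion or reordering is detected; the key, user names, patient identifiers and timestamps are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for this example only; in practice it would be held in a KMS/HSM, out of reach of the application accounts whose activity is being recorded.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = b"\x00" * 32

def _link(prev_tag: bytes, record: dict) -> bytes:
    """HMAC over the previous tag and this record's canonical JSON: the chain link."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_tag + body, hashlib.sha256).digest()

class EphiAuditLog:
    """Append-only record of who touched which ePHI, when, and for what purpose."""
    def __init__(self):
        self.entries = []  # list of [record, tag]
        self._last = GENESIS

    def record(self, user_id, patient_id, action, purpose, when):
        rec = {"seq": len(self.entries), "time": when.isoformat(), "user_id": user_id,
               "patient_id": patient_id, "action": action, "purpose": purpose}
        tag = _link(self._last, rec)
        self.entries.append([rec, tag])
        self._last = tag
        return rec["seq"]

    def verify(self):
        """Return (ok, first_bad_seq); any edit, deletion or reordering breaks the chain."""
        prev = GENESIS
        for i, (rec, tag) in enumerate(self.entries):
            if rec["seq"] != i or not hmac.compare_digest(tag, _link(prev, rec)):
                return False, i
            prev = tag
        return True, None

    def accesses_to(self, patient_id):
        """The auditor's question: who accessed this patient's ePHI, when and why."""
        return [(r["time"], r["user_id"], r["action"], r["purpose"])
                for r, _ in self.entries if r["patient_id"] == patient_id]

def demo():
    log = EphiAuditLog()
    t = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)  # constructed timestamp
    log.record("nurse.jdoe", "MRN-0001", "read", "treatment", t)
    log.record("billing.rlee", "MRN-0001", "read", "payment", t)
    log.record("nurse.jdoe", "MRN-0002", "update", "treatment", t)
    intact = log.verify()
    log.entries[1][0]["user_id"] = "someone.else"  # an after-the-fact edit to entry 1
    return intact, log.verify(), len(log.accesses_to("MRN-0001"))
```

Because each tag covers the previous tag, rewriting one entry would require recomputing every later tag with the key, which is why the key must not be available to the accounts being audited.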
Person or Entity Authentication
Unlike the previous technical safeguards, person or entity authentication has no implementation specifications; how it is met is entirely addressable according to the covered entity’s needs. It is related to access control but deals mostly with requiring users to prove their identity before they are allowed to access ePHI. This could be done through unique passwords, PINs, smart cards, fingerprints, voice recognition or other methods. How a company chooses to comply with this safeguard will depend on its specific needs and circumstances.
Transmission Security
The last technical safeguard mandated by HHS is transmission security, which has to do with protecting ePHI from unauthorized access while it is being transmitted electronically. When ePHI is sent via email, for example, there are precautions and best practices that should be followed to ensure that no ePHI is compromised. The Security Rule allows ePHI to be sent over electronic networks as long as it is properly encrypted and its integrity is protected.
Technological Advances & Technical Safeguards
As technology continues to advance within the healthcare industry, the challenges of maintaining the security of ePHI increase. Healthcare organizations must keep up with technological change and implement any additional safeguards needed to keep the information safe. As with many of the other requirements under HIPAA, the technical safeguards are something organizations need to apply reasonably and appropriately to fit their own operations and circumstances. Risks to organizational and ePHI security can come from both internal and external threats, so organizations should conduct regular risk assessments to determine their specific vulnerabilities.