In order to improve the efficiency and effectiveness of the US healthcare system, Congress originally passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. In the following years, several additional rules were added to HIPAA in order to help protected patients’ protected health information (PHI). These two rules are the Privacy Rule and the Security Rule.
While both rules work together to protect private healthcare information, they each have different purposes. The Privacy Rule covers the physical security and confidentiality of protected health information (PHI) including electronic, paper, and oral. As time went on and more healthcare information was shared and stored electronically, there needed to be a rule dedicated to the safeguarding of electronic health information, hence the Security Rule. Since the Security Rule was implemented in 2004, there have been several updates, most notably the HITECH act of 2009 and the Omnibus Rule of 2013.
What is the HIPAA Security Rule?
The Security Rule is a set of regulations intended to protect the security of electronic Protected Health Information (ePHI) and to maintain the confidentiality, integrity, and availability of ePHI. This is achieved by implementing proper administrative, physical, and technical safeguards.
Set Standards for Protected Health Information
The HIPAA Security Rule contains three types of required standards of implementation that all business associates and covered entities must abide by. These standards are Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
What are Administrative Safeguards?
Administrative Safeguards are policies and procedures that are implemented to protect the sanctity of ePHI and ensure compliance with the Security Rule. These requirements cover training and procedures for employees regardless of whether the employee has access to protected health information or not.
The bulk of the Security Rule is focused on administrative safeguards. These standards include:
Security Management Process: A covered entity must implement security measures that will help to reduce vulnerabilities in PHI security. A key part of this standard is conducting a thorough HIPAA risk assessment.
Security Personnel: The rule requires that a Privacy Officer is designated who is responsible for developing and implementing security policies and procedures.
Information Access Management: This standard focuses on restricting unnecessary access to ePHI meaning that only the appropriate personnel have access to that data only when it is appropriate.
Workforce Training and Security Awareness: This standard requires that employees complete an annual HIPAA training and also be educated on the organization’s specific security procedures. The organization must also have and apply sanctions against any employee who violates these security procedures.
What are Physical Safeguards?
Physical Safeguards are the policies and procedures for protecting PHI within electronic information systems, equipment, and the buildings they are housed in from unauthorized intrusion. Common examples of Physical Safeguards include:
Access Control: These are procedures that limit access to the facilities that contain information systems like computers and servers.
Workstation use and security: These pertain to the usage of workstations, which can be any computer as well as the information contained within it.
Device and Media controls: These are the policies for how devices containing ePHI can be removed from a facility.
What are Technical Safeguards?
HIPAA defines technical safeguards as the policies and procedures that determine how technology protects ePHI as well as control access to that data. This can often be the most challenging regulation to understand and implement.
Access Control: A covered entity must put in place policies and procedures that allow only the authorized individuals to access ePHI.
Audit Control: Covered Entities must implement procedures through hardware or software that record and monitor access to systems that contain ePHI.
Integrity Controls: Organizations must have procedures in place to maintain that ePHI is not altered, destroyed, or tampered with.
Transmission Security: A covered entity must implement security measures that protect against unauthorized access to ePHI that is being transmitted over an electronic network.
Annual Risk Assessment
The Administrative Safeguards provisions in the Security Rule require covered entities to perform recurring risk assessments as part of their security management processes. The HIPAA Risk Assessment, also called a Security Risk Assessment, will help to determine which security measures are reasonable and appropriate for a particular covered entity.
Risk Assessments will help to:
- Evaluate the likelihood and impact of potential risks to ePHI
- Help guide the implementation of appropriate security procedures to address the risks identified in the risk analysis.
- Document the chosen security measures and, where required, the rationale for adopting those measures.
- Maintain continuous, reasonable, and appropriate security protections.
Risk assessments should be an ongoing process so an organization can regularly track access to ePHI and identify security breaches, periodically review how effective its security measures have been, and regularly reevaluate potential risks to ePHI.
HHS recognizes that security is a moving target, so the rule doesn’t recommend nor define specific technologies or methods to safeguard ePHI. The rule also allows for the different resources available to different organizations. For example, a small rural clinic is not expected to have the same security precautions as a large hospital system in a major city.
With that in mind, the Security Rule is also scalable and flexible. There are two types of standards within the Security Rule: Required and Addressable standards.
Required standards are considered essential. Either you implement these required standards, or you’re violating the HIPAA Security Rule.
Addressable standards are often technical and allow for some flexibility in how they are implemented to accomplish the objectives of the requirement, though it does not mean that they can be ignored. Broadly speaking, addressable standards mean that it may not matter how you secure ePHI, as long as it is secured. If an organization chooses not to implement one of the addressable standards, the rule requires the organization to implement alternative safeguards and document the decision and the reasons for choosing to do so.
Penalties for Violations of the Security Rule
The Department of Health and Human Service (HHS) administers HIPAA, but the Office of Civil Rights (OCR) is responsible for enforcing noncriminal violations, which can result in fines that range between $100 to $50,000 per violation, with many HIPAA settlements resulting in fines of over $1 Million.
Can you go to jail for violating HIPAA? It is possible for organizations and individuals to be held criminally liable for knowingly disclosing confidential PHI, whether for commercial gain or malicious intent. Criminal violations of HIPAA will fall under the jurisdiction of the department of justice and on top of fines can result in prison times for those considered responsible.
Complying with the HIPAA Security Rule can feel overwhelming, as it is a very complex and vague law due to its broadness and flexibility. Accountable can help with that, as we built an easy to use software platform to simplify HIPAA. Get started on your road to HIPAA compliance. Did we mention that it is free to get started?