What is the HIPAA Security Rule?
To improve the efficiency and effectiveness of the US healthcare system, Congress originally passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. In the following years, several additional rules were added to HIPAA to help protect patients' protected health information (PHI). Two of these rules are the Privacy Rule and the HIPAA Security Rule. While both rules work together to protect private healthcare information, they each have different purposes.
The HIPAA Privacy Rule covers the physical security and confidentiality of protected health information (PHI) in all its forms, including electronic, paper, and oral. The Security Rule is a set of regulations intended to protect the security of electronic Protected Health Information (ePHI) and to maintain the confidentiality, integrity, and availability of ePHI. This is achieved by implementing proper administrative, physical, and technical safeguards. Since the rule was implemented in 2004, there have been several updates, most notably the HITECH Act of 2009 and the Omnibus Rule of 2013.
Security Standards for Protected Health Information
The HIPAA Security Rule contains three types of required standards of implementation that all business associates and covered entities must abide by. These standards are Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
What are Administrative Safeguards?
Administrative Safeguards are policies and procedures that are implemented to protect the sanctity of ePHI and ensure compliance with the Security Rule. These requirements cover training and procedures for employees regardless of whether the employee has access to protected health information or not.
The bulk of the Security Rule is focused on administrative safeguards. Standards include:
- Security Management Process: A covered entity must implement security measures that will help to reduce security vulnerabilities. A key part of this standard is conducting a thorough HIPAA risk assessment.
- Security Personnel: The rule requires the designation of a Privacy Officer who is responsible for developing and implementing security policies and procedures.
- Information Access Management: This rule focuses on restricting unnecessary access to ePHI and only allowing access to that data when it is appropriate.
- Workforce Training and Security Awareness: This standard requires that employees of the organization complete annual HIPAA training and are trained in security procedures, and that the organization has and applies sanctions against employees who violate the security procedures.
What are Physical Safeguards?
Physical Safeguards are the policies and procedures for protecting PHI within electronic information systems, equipment, and the buildings they are housed in from unauthorized intrusion. Common examples of Physical Safeguards include:
- Access Control: These are procedures that limit access to the facilities that contain information systems like computers and servers.
- Workstation Use and Security: These pertain to the usage of workstations, which can be any computer as well as the information contained within it.
- Device and Media Controls: These are the policies for how devices containing ePHI can be removed from a facility.
What are Technical Safeguards?
HIPAA defines technical safeguards as the technology, and the policies and procedures that determine how that technology protects ePHI and controls access to that data. This can often be the most challenging regulation to understand and implement.
- Access Control: A covered entity must put in place policies and procedures that only allow authorized individuals to access ePHI.
- Audit Control: Covered entities must implement procedures through hardware or software that record and monitor access to systems that contain ePHI.
- Integrity Controls: Organizations must have procedures in place to ensure that ePHI is not altered, destroyed, or tampered with.
- Transmission Security: A covered entity must have security measures in place that protect against unauthorized access to ePHI that is being transmitted over an electronic network.
Annual Risk Assessment
The Administrative Safeguards provisions in the Security Rule require covered entities to perform recurring risk assessments as part of their security management processes. The HIPAA Risk Assessment, also called a Security Risk Assessment, will help to determine which security measures are reasonable and appropriate for a particular covered entity.
Risk Assessments will help to:
- Evaluate the likelihood and impact of potential risks to ePHI
- Help guide the implementation of appropriate security procedures to address the risks identified in the risk analysis.
- Document the chosen security measures and, where required, the rationale for adopting those measures.
- Maintain continuous, reasonable, and appropriate security protections.
Risk assessments should be an ongoing process so that an organization can regularly review its records to track access to ePHI and identify security breaches, periodically review how effective its security measures have been, and regularly reevaluate potential risks to ePHI.
HHS recognized that security is a moving target, so the rule neither recommends nor defines specific technologies or methods to safeguard ePHI. The rule also allows for the different resources available to different organizations. For example, a small rural clinic is not expected to have the same security precautions as a large hospital system in a major city.
With that in mind, the Security Rule is also scalable and flexible. There are two types of standards within the Security Rule: Required and Addressable standards.
Required standards are considered essential. Either you implement these required standards, or you’re violating the HIPAA Security Rule.
Addressable standards are often technical and allow for some flexibility in how they are implemented to accomplish the objectives of the requirement, though this does not mean that they can be ignored. Broadly speaking, addressable standards mean that it may not matter how you secure ePHI, as long as it is secured. If an organization chooses not to implement one of the addressable standards, the HIPAA Security Rule requires the organization to implement alternative safeguards and document the decision and the reasons for choosing to do so.
Penalties for Violations of the Security Rule
The Department of Health and Human Services (HHS) administers HIPAA, but the Office for Civil Rights (OCR) is responsible for enforcing noncriminal violations of the HIPAA Security Rule, which can result in fines that range from $100 to $50,000 per violation, with many HIPAA settlements resulting in fines of over $1 million.
Can you go to jail for violating HIPAA? It is possible for organizations and individuals to be held criminally liable for knowingly disclosing confidential PHI, whether for commercial gain or with malicious intent. Criminal violations of HIPAA fall under the jurisdiction of the Department of Justice and, on top of fines, can result in prison time for those considered responsible.
Complying with the HIPAA Security Rule can feel overwhelming, as it is a very complex and vague law due to its broadness and flexibility. Accountable can help with that, as we built an easy-to-use software platform to simplify HIPAA. Get started on your road to HIPAA compliance. Did we mention that it is free to get started?