Administrative Safeguards of the HIPAA Security Rule
A crucial step to protecting electronically protected health information (ePHI) is the implementation of appropriate and reasonable administrative safeguards to organize and establish an organization’s security program. This article will outline what HIPAA administrative safeguards are as well as discuss some methods that organizations can implement to maintain the confidentiality, security, and integrity of ePHI.
What are HIPAA Administrative Safeguards?
The HIPAA Security Rule requires covered entities and their business associates to implement security standards in three categories, Administrative Safeguards, Technical Safeguards, and Physical Safeguards, that work together to maintain the confidentiality, integrity, and availability of ePHI. Physical safeguards protect the physical security of the offices and devices where ePHI may be maintained or accessed. Technical safeguards pertain to the technology that protects personal health data, such as firewalls, encryption, or data backups. Administrative safeguards are concerned with the processes, policies, and procedures that protect against a breach or unwanted disclosure of private information. PHI needs to be available to authorized users so they can do their jobs, but no more than that.
Administrative Safeguards make up over half the HIPAA Security Rule requirements. HHS defines administrative safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronically protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
In other words, covered entities and business associates must implement clear policies that will guide their employees in the proper use and care of ePHI to protect against unauthorized breaches of protected health information. The administrative safeguards are by far the biggest component of the Security Rule, as they inform and lay the foundation for compliance with the physical and technical safeguards that follow. HIPAA Administrative Safeguards can be broken down into several standards and covered entities will need to review and determine how best to implement all of these in order to be compliant with HIPAA.
Security management processes
These procedures relate to the prevention, detection, and correction of security violations. In other words, these processes lay the foundation for the steps an organization must take to guide its employees in HIPAA compliance. This can include a risk analysis to identify potential vulnerabilities to PHI and how likely a breach is to occur, a plan for how best to manage those risks, and the creation of internal policies to sanction employees who are found to be violating internal rules for safeguarding PHI.
Assign a Privacy Officer
HIPAA requires that an individual be designated as a security official who will be responsible for the development of security policies and procedures. Some organizations may even have multiple people managing security because they have multiple locations, or even have an entire team or department dedicated to the role. The good news is that the Security Rule understands that different organizations will have different requirements and resources, so the number of security officers should reflect the size, complexity, and technical capabilities of the organization.
Workforce Security
This standard is designed to ensure that all members of an organization have the access to ePHI that their job function requires, and no more. In other words, if an employee does not need to access ePHI in order to do their job, that employee should not be able to access private health data. Additionally, organizations should be certain that when an employee is terminated or changes roles, access to ePHI is terminated or updated as well.
Information Access Management
This procedure mainly serves to reiterate earlier points that pertain to restricting access to ePHI. According to the HHS, “Compliance with this standard should support a covered entity’s compliance with the HIPAA Privacy Rule minimum necessary requirements, which requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information”. As part of this procedure, covered entities should determine how to grant access to ePHI, such as through a designated workstation or software program, and work to ensure that an employee’s permissions are up to date, as well as adding access or removing access as needed.
HIPAA Security Training
As part of this standard, an organization must have a security awareness training program for all members of its workforce. This standard has four components: periodic reminders of the importance of security, protection from malicious software, monitoring of log-ins to ePHI, as well as procedures for creating, updating, and safeguarding passwords.
Security Incident Procedures
Organizations must have policies and procedures in place to address security incidents. These procedures should outline what will happen in the event of a security incident. Essentially, all employees at an organization should understand how they must react to each type of incident in order to ensure the integrity of ePHI.
Contingency Plan
This standard outlines what organizations must do in the event of a natural disaster. Contingency plans should include strategies for recovering access to ePHI as well as plans to back up data.
Evaluation
Evaluations should assess all of the steps and procedures listed above. Will those policies and procedures protect ePHI? These policies should be reviewed periodically so organizations can adjust to any environmental or operational changes that affect ePHI security.
Business Associate Agreements
Make certain to sign a Business Associate Agreement with any external entity that will be creating, receiving, storing, or transmitting ePHI to ensure that the business associate will be appropriately safeguarding the information entrusted to them. A BAA will clearly state how ePHI will be used, shared, and protected. In the event of a breach, a BAA will ensure that your business associate is liable for the breach, not your organization.
Implement Safeguards to Comply with the Security Rule
These nine standards sound like a lot, right? The good news is that the Security Rule was designed with flexibility in mind, as its authors realized that every organization will handle different quantities of PHI and have different resources available to protect that data: a small chiropractic office will require different measures than a major hospital or a cloud storage provider. The drawback is that each organization is responsible for determining what its security needs are and how best to meet them.
With this ambiguity in the application of the Security Rule, becoming and maintaining HIPAA Compliance can feel daunting and overwhelming. Fortunately, that is why we founded Accountable: our HIPAA compliance management solution will guide you and your organization step by step in the full process of becoming HIPAA compliant.