The HIPAA Security rule applies to covered entities, business associates, subcontractors – anyone or any system with access to confidential patient data. Every organization in the healthcare delivery ecosystem must adhere to this rule because of the potential sharing of Electronic Protected Health Information (ePHI). This rule contains the standards organizations must follow to protect electronically created, accessed, processed, or stored PHI (ePHI). These standards apply to ePHI when it is at rest and in transit. It clarifies the physical, administrative, and technical safeguards that organizations must implement. The HIPAA security rule focuses on managing access and interprets it as having the means necessary to read, write, modify, or share ePHI or any personal identifiers that may reveal the patient’s identity.
Organizations are required to document their adherence to these standards and safeguards in their HIPAA Policies and procedures. They also need to ensure that staff members are trained annually on these policies and procedures and maintain documentation to prove this.
i) What is the difference between addressable and required safeguards ?
Under HIPAA, safeguards are either ‘Required’ or ‘Addressable.’ ‘Required’ safeguards must be implemented, while ‘Addressable’ safeguards have some level of flexibility. If a covered entity is unable to implement an addressable safeguard, they can implement an appropriate alternative or not introduce the safeguard altogether. This decision depends on the organization’s risk analysis, risk mitigation strategy, and the other security measures they have implemented. The organization is required to carefully document all the factors leading up to the decision along with the results of the risk assessment on which the decision was based.
Addressable safeguards should not be interpreted as optional. Due to the dynamic nature of technology, complexity and cyber attacks, addressable safeguards may become required. We recommend implementing most of the controls. Physical safeguards, in some cases, can be addressable if ePHI is stored on the cloud. However, most controls are critical for maintaining security.
ii) What are Administrative Safeguards under the HIPAA Security rule?
Administrative Safeguards are the cornerstone of HIPAA Compliance. They are the policies and procedures that connect the Privacy Rule and the Security rule. A critical administrative safeguard is the appointment of a Security Officer and a Privacy Officer to ensure the security measures are in place to protect ePHI and staff members follow them.
Organizations are required to conduct a risk assessment before planning their policies and procedures and on a regular basis once they are implemented. This assessment is usually reviewed in a HIPAA audit to ensure it is ongoing and comprehensive. It is important to plan this annually and assess the organization’s level of risk and HIPAA compliance.
Administrative Safeguards – HIPAA Security rule | Safeguard | Required / Addressable | Action |
|---|---|---|
Risk Assessment | Required | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the PHI being created, used, and stored |
Risk Management Policy | Required | Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level |
Sanctions Policy | Required | Create and implement a ‘Sanctions Policy’ to outline sanctions against workforce members who fail to comply with organizational security policies and procedures |
Information System Activity Review | Required | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports |
Assigned Security Responsibility | Required | Assign the responsibility of maintaining security to a security official who will be accountable for the development and implementation of policies and procedures |
Authorization / Supervision | Addressable | Implement procedures to authorize and supervise staff members who access PHI |
Workforce Clearance Procedure | Addressable | Implement procedures to verify if an employee’s access to PHI is appropriate |
Termination Procedures | Addressable | Implement procedures for terminating access to PHI when an employee leaves the organization |
Isolating Health care Clearinghouse Function | Required | If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect their ePHI from unauthorized access by the larger organization |
Access Authorization | Addressable | Implement policies and procedures for granting access to ePHI, for example, through access to a designated workstation |
Access Establishment and Modification | Addressable | Based on access authorization policies, create and implement procedures to establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process |
Security Reminders | Addressable | Set up periodic security updates |
Protection from Malicious Software | Addressable | Implement procedures for detecting and reporting malicious software |
Log-in Monitoring | Addressable | Implement procedures to monitor log-in attempts and report discrepancies |
Password Management | Addressable | Implement procedures for creating, changing, and safeguarding passwords |
Response and Reporting | Required | Identify and respond to suspected or known security incidents; mitigate any known harmful effects of security incidents to the extent possible; and document security incidents and their outcomes |
Data Backup Plan | Required | Establish and implement procedures to create and maintain retrievable exact copies of ePHI |
Disaster Recovery Plan | Required | Establish (and implement as required) procedures to restore any loss of data |
Emergency Mode Operation Plan | Required | Establish procedures to ensure business continuity and protect ePHI while operating in emergency mode |
Testing Contingency Plans | Addressable | Implement procedures to test and update contingency plans periodically |
Criticality Analysis of Applications and Data | Addressable | Assess the relative criticality of specific applications and data which support other contingency plan components |
Business Associate Contracts and Other Arrangements | Required | Ensure that BAAs and all other arrangements with vendors are signed and updated |
Security Awareness Training for employees | Required | All organizations covered under HIPAA are required to train their employees and ensure they are aware of the policies and procedures governing access to ePHI. They must also be taught to identify malicious software attacks and malware. Training must be conducted annually, and all records must be maintained. |
iii) What are Technical Safeguards under the HIPAA Security rule?
Technical Safeguards are related to the technology used to protect ePHI and provide access to the data. These should be reviewed by the IT Department of an organization covered under HIPAA (Covered entities, business associates, and subcontractors).
Technical Safeguards – HIPAA Security rule | Safeguard | Required / Addressable | Action |
|---|---|---|
Unique User Identification | Required | Assign a unique name and/or number for identifying and tracking user identity |
Emergency Access Procedure | Required | Establish procedures to obtain ePHI during an emergency |
Automatic Logoff | Addressable | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity |
Encryption and Decryption | Addressable | Implement a method to encrypt and decrypt ePHI |
Audit Controls | Required | Implement hardware, software, and/or procedural mechanisms to record and examine the activity in information systems that contain or use ePHI |
Mechanism to Authenticate Electronic PHI | Addressable | Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner |
Person or Entity Authentication | Required | Implement procedures to authenticate the personnel who are authorized to work with ePHI |
Integrity Controls – Transmission Security | Addressable | Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until it is disposed of |
iv) What are Physical Safeguards under the HIPAA Security rule?
ePHI can be stored in a data center in a remote location, in the cloud, or on on-prem servers within the organization’s premises. Physical Safeguards focus on direct physical access to ePHI irrespective of where it is stored. They outline guidelines to secure workstations and mobile devices against unauthorized access.
Technical safeguards emphasize encryption as per NIST standards to protect ePHI at rest and in transit once it crosses the organization’s internal firewalled servers. This ensures that any data breach renders the data unreadable, undecipherable and unusable. While this is a required safeguard, organizations can select the most appropriate mechanism.
Physical Safeguards – HIPAA Security rule | Safeguard | Required / Addressable | Action |
|---|---|---|
Contingency Operations | Addressable | Establish procedures that permit facility access to restore lost data in an emergency. These procedures should be in accordance with the disaster recovery plan and emergency mode operations plan |
Facility Security Plan | Addressable | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft |
Access Control and Validation Procedures | Addressable | Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision |
Maintenance Records | Addressable | Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security like the hardware, walls, doors, and locks |
Workstation Use | Required | Implement policies and procedures to specify the functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI |
Workstation Security | Required | Implement physical safeguards for all workstations that access electronic PHI to restrict access to unauthorized users |
Disposal of Device and Media Controls | Required | Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored |
Media Re-use | Required | Implement procedures for removing ePHI from electronic media before the media are made available for reuse. |
Accountability of Device and Media Controls | Addressable | Maintain a record of the movements of hardware, electronic media, and any person responsible for them |
Data Backup and Storage | Addressable | Create a retrievable, exact copy of ePHI before moving equipment in which it is stored |
If you are looking for support to understand how to implement the HIPAA Security Rule and would like to connect with a HIPAA Expert, please get in touch us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.
Related Links:
The Health Insurance Portability and Accountability Act of 1996 (
