The HIPAA Security Rule applies to covered entities, business associates, and subcontractors – anyone or any system with access to confidential patient data. Every organization in the healthcare delivery ecosystem must adhere to this rule because of the potential sharing of Electronic Protected Health Information (ePHI). The rule contains the standards organizations must follow to protect PHI that is created, accessed, processed, or stored electronically. These standards apply to ePHI both at rest and in transit. The rule clarifies the physical, administrative, and technical safeguards that organizations must implement. It focuses on managing access, which it interprets as having the means necessary to read, write, modify, or share ePHI or any personal identifiers that may reveal the patient’s identity.
Organizations are required to document their adherence to these standards and safeguards in their HIPAA Policies and procedures. They also need to ensure that staff members are trained annually on these policies and procedures and maintain documentation to prove this.
i) What is the difference between addressable and required safeguards?
Under HIPAA, safeguards are either ‘Required’ or ‘Addressable.’ ‘Required’ safeguards must be implemented, while ‘Addressable’ safeguards have some level of flexibility. If a covered entity is unable to implement an addressable safeguard, it can implement an appropriate alternative or not implement the safeguard at all. This decision depends on the organization’s risk analysis, risk mitigation strategy, and the other security measures it has implemented. The organization is required to carefully document all the factors leading up to the decision, along with the results of the risk assessment on which the decision was based.
Addressable safeguards should not be interpreted as optional. Due to the dynamic nature of technology, complexity, and cyber attacks, addressable safeguards may become required. We recommend implementing most of the controls. Physical safeguards, in some cases, can be addressable if ePHI is stored in the cloud. However, most controls are critical for maintaining security.
ii) What are Administrative Safeguards under the HIPAA Security rule?
Administrative Safeguards are the cornerstone of HIPAA compliance. They are the policies and procedures that connect the Privacy Rule and the Security Rule. A critical administrative safeguard is the appointment of a Security Officer and a Privacy Officer to ensure that security measures are in place to protect ePHI and that staff members follow them.
Organizations are required to conduct a risk assessment before planning their policies and procedures and on a regular basis once they are implemented. This assessment is usually reviewed in a HIPAA audit to ensure it is ongoing and comprehensive. It is important to plan this annually and assess the organization’s level of risk and HIPAA compliance.
Administrative Safeguards – HIPAA Security rule
Required / Addressable
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the PHI being created, used, and stored
Risk Management Policy
Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level
Create and implement a ‘Sanctions Policy’ to outline sanctions against workforce members who fail to comply with organizational security policies and procedures
Information System Activity Review
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
Assigned Security Responsibility
Assign the responsibility of maintaining security to a security official who will be accountable for the development and implementation of policies and procedures
Authorization / Supervision
Implement procedures to authorize and supervise staff members who access PHI
Workforce Clearance Procedure
Implement procedures to verify if an employee’s access to PHI is appropriate
Implement procedures for terminating access to PHI when an employee leaves the organization
Isolating Health Care Clearinghouse Function
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect its ePHI from unauthorized access by the larger organization
Implement policies and procedures for granting access to ePHI, for example, through access to a designated workstation
Access Establishment and Modification
Based on access authorization policies, create and implement procedures to establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process
Set up periodic security updates
Protection from Malicious Software
Implement procedures for detecting and reporting malicious software
Implement procedures to monitor log-in attempts and report discrepancies
Implement procedures for creating, changing, and safeguarding passwords
Response and Reporting
Identify and respond to suspected or known security incidents; mitigate any known harmful effects of security incidents to the extent possible; and document security incidents and their outcomes
Data Backup Plan
Establish and implement procedures to create and maintain retrievable exact copies of ePHI
Disaster Recovery Plan
Establish (and implement as required) procedures to restore any loss of data
Emergency Mode Operation Plan
Establish procedures to ensure business continuity and protect ePHI while operating in emergency mode
Testing Contingency Plans
Implement procedures to test and update contingency plans periodically
Criticality Analysis of Applications and Data
Assess the relative criticality of specific applications and data which support other contingency plan components
Business Associate Contracts and Other Arrangements
Ensure that BAAs and all other arrangements with vendors are signed and updated
Security Awareness Training for employees
All organizations covered under HIPAA are required to train their employees and ensure they are aware of the policies and procedures governing access to ePHI. They must also be taught to identify malicious software attacks and malware. Training must be conducted annually, and all records must be maintained.
iii) What are Technical Safeguards under the HIPAA Security rule?
Technical Safeguards are related to the technology used to protect ePHI and provide access to the data. These should be reviewed by the IT Department of an organization covered under HIPAA (Covered entities, business associates, and subcontractors).
Technical Safeguards – HIPAA Security rule
Required / Addressable
Unique User Identification
Assign a unique name and/or number for identifying and tracking user identity
Emergency Access Procedure
Establish procedures to obtain ePHI during an emergency
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
Encryption and Decryption
Implement a method to encrypt and decrypt ePHI
Implement hardware, software, and/or procedural mechanisms to record and examine the activity in information systems that contain or use ePHI
Mechanism to Authenticate Electronic PHI
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
Person or Entity Authentication
Implement procedures to authenticate the personnel who are authorized to work with ePHI
Integrity Controls – Transmission Security
Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until it is disposed of
iv) What are Physical Safeguards under the HIPAA Security rule?
ePHI can be stored in a data center in a remote location, in the cloud, or on on-prem servers within the organization’s premises. Physical Safeguards focus on direct physical access to ePHI irrespective of where it is stored. They outline guidelines to secure workstations and mobile devices against unauthorized access.
Technical safeguards emphasize encryption as per NIST standards to protect ePHI at rest and in transit once it crosses the organization’s internal firewalled servers. This ensures that any data breach renders the data unreadable, undecipherable and unusable. While this is a required safeguard, organizations can select the most appropriate mechanism.
Physical Safeguards – HIPAA Security rule
Required / Addressable
Establish procedures that permit facility access to restore lost data in an emergency. These procedures should be in accordance with the disaster recovery plan and emergency mode operations plan
Facility Security Plan
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft
Access Control and Validation Procedures
Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision
Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security like the hardware, walls, doors, and locks
Implement policies and procedures to specify the functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI
Implement physical safeguards for all workstations that access electronic PHI to restrict access to unauthorized users
Disposal of Device and Media Controls
Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored
Implement procedures for removing ePHI from electronic media before the media are made available for reuse.
Accountability of Device and Media Controls
Maintain a record of the movements of hardware, electronic media, and any person responsible for them
Data Backup and Storage
Create a retrievable, exact copy of ePHI before moving equipment in which it is stored