The HIPAA Security Rule applies to covered entities, business associates, and subcontractors: anyone or any system with access to confidential patient data. Every organization in the healthcare delivery ecosystem must adhere to this rule because of the potential sharing of Electronic Protected Health Information (ePHI). The rule contains the standards organizations must follow to protect PHI that is electronically created, accessed, processed, or stored. These standards apply to ePHI both at rest and in transit. The rule clarifies the physical, administrative, and technical safeguards that organizations must implement. It focuses on managing access, which it interprets as having the means necessary to read, write, modify, or share ePHI or any personal identifiers that may reveal the patient’s identity.

Organizations are required to document their adherence to these standards and safeguards in their HIPAA policies and procedures. They also need to ensure that staff members are trained annually on these policies and procedures, and they must maintain documentation to prove this.

  i) What is the difference between addressable and required safeguards?

Under HIPAA, safeguards are either ‘Required’ or ‘Addressable.’ ‘Required’ safeguards must be implemented, while ‘Addressable’ safeguards have some level of flexibility. If a covered entity is unable to implement an addressable safeguard, it can implement an appropriate alternative or not implement the safeguard at all. This decision depends on the organization’s risk analysis, risk mitigation strategy, and the other security measures it has implemented. The organization is required to carefully document all the factors leading up to the decision, along with the results of the risk assessment on which the decision was based.

Addressable safeguards should not be interpreted as optional. Due to the dynamic nature of technology, complexity, and cyber attacks, addressable safeguards may become required. We recommend implementing most of the controls. Physical safeguards, in some cases, can be addressable if ePHI is stored in the cloud. However, most controls are critical for maintaining security.

  ii) What are Administrative Safeguards under the HIPAA Security rule?  

Administrative Safeguards are the cornerstone of HIPAA compliance. They are the policies and procedures that connect the Privacy Rule and the Security Rule. A critical administrative safeguard is the appointment of a Security Officer and a Privacy Officer to ensure that security measures are in place to protect ePHI and that staff members follow them.

Organizations are required to conduct a risk assessment before planning their policies and procedures and on a regular basis once they are implemented. This assessment is usually reviewed in a HIPAA audit to ensure it is ongoing and comprehensive. It is important to plan this annually and assess the organization’s level of risk and HIPAA compliance.

Administrative Safeguards – HIPAA Security rule

| Safeguard | Required / Addressable | Action |
| --- | --- | --- |
| Risk Assessment | Required | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the PHI being created, used, and stored |
| Risk Management Policy | Required | Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level |
| Sanctions Policy | Required | Create and implement a ‘Sanctions Policy’ to outline sanctions against workforce members who fail to comply with organizational security policies and procedures |
| Information System Activity Review | Required | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports |
| Assigned Security Responsibility | Required | Assign the responsibility of maintaining security to a security official who will be accountable for the development and implementation of policies and procedures |
| Authorization / Supervision | Addressable | Implement procedures to authorize and supervise staff members who access PHI |
| Workforce Clearance Procedure | Addressable | Implement procedures to verify if an employee’s access to PHI is appropriate |
| Termination Procedures | Addressable | Implement procedures for terminating access to PHI when an employee leaves the organization |
| Isolating Health care Clearinghouse Function | Required | If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect their ePHI from unauthorized access by the larger organization |
| Access Authorization | Addressable | Implement policies and procedures for granting access to ePHI, for example, through access to a designated workstation |
| Access Establishment and Modification | Addressable | Based on access authorization policies, create and implement procedures to establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process |
| Security Reminders | Addressable | Set up periodic security updates |
| Protection from Malicious Software | Addressable | Implement procedures for detecting and reporting malicious software |
| Log-in Monitoring | Addressable | Implement procedures to monitor log-in attempts and report discrepancies |
| Password Management | Addressable | Implement procedures for creating, changing, and safeguarding passwords |
| Response and Reporting | Required | Identify and respond to suspected or known security incidents; mitigate any known harmful effects of security incidents to the extent possible; and document security incidents and their outcomes |
| Data Backup Plan | Required | Establish and implement procedures to create and maintain retrievable exact copies of ePHI |
| Disaster Recovery Plan | Required | Establish (and implement as required) procedures to restore any loss of data |
| Emergency Mode Operation Plan | Required | Establish procedures to ensure business continuity and protect ePHI while operating in emergency mode |
| Testing Contingency Plans | Addressable | Implement procedures to test and update contingency plans periodically |
| Criticality Analysis of Applications and Data | Addressable | Assess the relative criticality of specific applications and data which support other contingency plan components |
| Business Associate Contracts and Other Arrangements | Required | Ensure that BAAs and all other arrangements with vendors are signed and updated |
| Security Awareness Training for employees | Required | All organizations covered under HIPAA are required to train their employees and ensure they are aware of the policies and procedures governing access to ePHI. They must also be taught to identify malicious software attacks and malware. Training must be conducted annually, and all records must be maintained. |

  iii) What are Technical Safeguards under the HIPAA Security rule? 

Technical Safeguards are related to the technology used to protect ePHI and provide access to the data. These should be reviewed by the IT Department of an organization covered under HIPAA (Covered entities, business associates, and subcontractors).

Technical Safeguards – HIPAA Security rule

| Safeguard | Required / Addressable | Action |
| --- | --- | --- |
| Unique User Identification | Required | Assign a unique name and/or number for identifying and tracking user identity |
| Emergency Access Procedure | Required | Establish procedures to obtain ePHI during an emergency |
| Automatic Logoff | Addressable | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity |
| Encryption and Decryption | Addressable | Implement a method to encrypt and decrypt ePHI |
| Audit Controls | Required | Implement hardware, software, and/or procedural mechanisms to record and examine the activity in information systems that contain or use ePHI |
| Mechanism to Authenticate Electronic PHI | Addressable | Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner |
| Person or Entity Authentication | Required | Implement procedures to authenticate the personnel who are authorized to work with ePHI |
| Integrity Controls – Transmission Security | Addressable | Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until it is disposed of |

  iv) What are Physical Safeguards under the HIPAA Security rule? 

ePHI can be stored in a data center in a remote location, in the cloud, or on on-prem servers within the organization’s premises. Physical Safeguards focus on direct physical access to ePHI irrespective of where it is stored. They outline guidelines to secure workstations and mobile devices against unauthorized access. 

Technical safeguards emphasize encryption as per NIST standards to protect ePHI at rest and in transit once it crosses the organization’s internal firewalled servers. This ensures that any data breach renders the data unreadable, undecipherable and unusable. While this is a required safeguard, organizations can select the most appropriate mechanism.

Physical Safeguards – HIPAA Security rule

| Safeguard | Required / Addressable | Action |
| --- | --- | --- |
| Contingency Operations | Addressable | Establish procedures that permit facility access to restore lost data in an emergency. These procedures should be in accordance with the disaster recovery plan and emergency mode operations plan |
| Facility Security Plan | Addressable | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft |
| Access Control and Validation Procedures | Addressable | Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision |
| Maintenance Records | Addressable | Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security like the hardware, walls, doors, and locks |
| Workstation Use | Required | Implement policies and procedures to specify the functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI |
| Workstation Security | Required | Implement physical safeguards for all workstations that access electronic PHI to restrict access to unauthorized users |
| Disposal of Device and Media Controls | Required | Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored |
| Media Re-use | Required | Implement procedures for removing ePHI from electronic media before the media are made available for reuse. |
| Accountability of Device and Media Controls | Addressable | Maintain a record of the movements of hardware, electronic media, and any person responsible for them |
| Data Backup and Storage | Addressable | Create a retrievable, exact copy of ePHI before moving equipment in which it is stored |

If you are looking for support to understand how to implement the HIPAA Security Rule and would like to connect with a HIPAA Expert, please get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.


Last Updated on October 1, 2022 By databrackets In HIPAA/HITECH Compliance Assurance