Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has two key provisions: the Privacy Rule and the HIPAA Security Rule.
The Privacy Rule establishes standards for protecting certain health information, or PHI. The Privacy Rule requires those organizations that are governed by HIPAA (covered entities) to implement safeguards to protect the privacy of PHI, and gives individuals the right to access and share their health records.
The Security Rule establishes security standards for PHI that is held or transferred in electronic form (ePHI). As the Department of Health and Human Services explains, “The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called ‘covered entities’ must put in place to secure individuals’ ‘electronic protected health information’ (e-PHI).”
Put simply, the HIPAA Security Rule aims to simultaneously protect an individual’s private health records while allowing covered entities to adopt new technology that can improve and transform patient care.
What are the Security Rule standards?
First, the Security Rule defines who is covered by the Security Rule standards and what is ePHI.
The Security Rule applies to all “covered entities” — health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Read more about covered entities in our guide, What Are Covered Entities Under HIPAA?. It’s also worth noting that the HITECH Act of 2009 expanded the responsibilities of business associates under the HIPAA Security Rule; if you deal with protected health information in any capacity, review the Act to see what your responsibilities may be.
Next, the HIPAA Security Rule defines electronic protected health information, ePHI. ePHI is also known as individually identifiable health information stored electronically — as a subset of PHI, there are 18 identifiers, including names, social security numbers, addresses, and birth dates. Read more in this guide: Common Identifiers of Protected Health Information (PHI).
There are four general sub-rules that fall under the HIPAA Security Rule. These measures aim to ensure the confidentiality, integrity, and availability of all ePHI that covered entities create, receive, maintain or transmit. HHS says that covered entities must:
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
Here is what this means in practice.
Implementing the HIPAA Security Rule
HIPAA is non-prescriptive about how an organization safeguards the security of ePHI. This is because covered entities are all sizes with different resources available. As such, the Security Rule is crafted to be flexible and scalable, allowing covered entities to decide how best to implement the four requirements listed above.
[Read more: HIPAA Compliance Checklist: A Quick Guide]
That being said, there are some specific provisions a covered entity needs to directly address.
First, covered entities must perform a risk analysis. This risk analysis must include:
- An evaluation of potential risks to ePHI
- The implementation of security measures to address those risks
- Documentation of the chosen security measures and a rationale of why each measure was chosen
- Continuous maintenance to keep protections in place
In addition, the HIPAA Security Rule requires administrative, physical, and technical safeguards. Some of these safeguards are “required” — meaning they must be implemented. Others are “addressable” meaning that the safeguard must be implemented in a way that is reasonable and appropriate for the size and resources of the covered entity.
The main administrative, technical and physical safeguards can be found in the HIPAA Security Rule checklist below. In addition, review the resources on HHS.gov to ensure that you’re meeting the full requirements of the HIPAA Security Rule.
HIPAA Security Rule checklist
- Administrative safeguards
HIPAA’s administrative safeguards refer to policies and procedures designed to clearly show how the entity will comply with HIPAA.
- Conduct risk assessments (required)
- Introduce a risk management policy (required)
- Restrict third-party access to ePHI (required)
- Develop a contingency plan in the event of an emergency (required)
- Test the contingency plan (addressable)
- Provide employee training on cybersecurity (addressable)
- Report security incidents (addressable)
In addition, HIPAA requires that covered entities assign a Security Officer and a Privacy Officer to protect ePHI and govern employee conduct.
- Physical safeguards
Physical safeguards focus on securing devices, such as laptops and mobile devices. Workstations and even data centers where ePHI is stored are also liable under HIPAA’s physical safeguards.
- Create policies for the use and positioning of workstations (required)
- Create policies and procedures for the use of mobile devices (required)
- Create an inventory of all hardware (addressable)
- Implement facility access controls (addressable)
- Technical safeguards
Technical safeguards relate to the technology used to protect and access ePHI. The biggest concern for health organizations is to protect PHI at rest or in transit using NIST-standard encryption.
- Implement access control measures (required)
- Introduce activity logs and audit controls (required)
- Use a mechanism to authenticate ePHI (addressable)
- Implement tools for encryption and decryption (addressable)
- Implement a tool for automatic log-off of PCs and devices (addressable)
The HIPAA security rule can be divided into subsections detailing specific requirements (referred to as “implementation specifications”) for each of these safeguards.
Learn more about HIPAA compliance on our blog. For help securing your ePHI, set up a demo at the link below.