There are privacy and security concerns surrounding patient data for companies in the healthcare industry and third parties operating adjacent to it. Critically, patient data must be processed, stored, and transmitted securely. To keep data secure, companies need to protect this information per the specifications laid out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Security Rule, in particular, comprises three primary components you’ll need to pay special attention to — but what are the three components of the HIPAA Security Rule?
Read on to learn all about them.
Three Components of the HIPAA Security Rule
The Security Rule is one of four rules within the HIPAA framework. The framework details controls and protocols that healthcare providers and adjacent businesses must practice. The Security Rule is arguably the most complex of all, with three components that inform specific practices you need to implement. In this blog, we break down all you need to know, including:
- An explanation of the Security Rule, its controls, and what it takes to implement it fully
- A broader explanation of the remaining HIPAA rules
By the end of this blog, we’ll equip you to comply with all of HIPAA’s rules, with particular attention paid to security. First, let’s discuss whether you even need to comply.
What is HIPAA? Does it Impact Your Business?
HIPAA is presided over by the US Department of Health and Human Services (HHS). It exists to protect a class of data known as protected health information (PHI) or patient health information. All organizations that regularly produce, transmit, store, or otherwise come into contact with PHI must be HIPAA compliant. These organizations fall under the category “covered entities,” which comprises more than healthcare professionals. Covered entities include:
- Healthcare providers, such as general physicians and doctors of all specialties (including psychology), hospitals, nursing homes and other group care facilities, pharmacies, etc.
- Health coverage plans, such as private companies that provide and process insurance, organizations that facilitate governmental plans, Health Maintenance Organizations, etc.
- Health clearinghouses, such as companies that process nonstandard health information and translate it into standardized forms (or vice versa) for the parties noted above
Major updates to HIPAA as part of the HITECH Act in 2009 have extended compliance obligations to business associates of covered entities, which often inform contracts agreed upon between these parties. So, if your company is in the healthcare industry, or if you partner with companies in the healthcare industry, you’re likely impacted.
Implementing the HIPAA Security Rule
The HIPAA Security Rule was first proposed in 1998 but not finalized until 2003; its most recent update came in 2013. It exists to extend Privacy Rule protections for PHI into the digital sphere. So, it focuses much of its attention on electronic PHI (ePHI), specifying controls to safeguard the confidentiality, integrity, and availability of ePHI. The HHS’s illustrative Security Rule Summary breaks down four “General Rules” that constitute the Security Rule:
- Covered entities must ensure the confidentiality, integrity, and availability of ePHI they create themselves, are harboring or transporting, or otherwise come into contact with.
- Covered entities must monitor for, identify, analyze, and protect against threats to ePHI.
- Covered entities must safeguard against reasonably anticipated or foreseeable misuse or inappropriate disclosure of ePHI, as defined in the HIPAA Privacy Rule (see below).
- Covered entities must ensure Security Rule compliance across all members of the workforce.
To achieve these ends, covered entities must establish a robust risk analysis and management program, along with three distinct categories of safeguards — these are the “components” alluded to above. Let’s take a closer look at the specific safeguards involved in each component to fully understand what exactly compliance with the Security Rule entails.
Component #1: Administrative Safeguards
- Security Management Process – Hinted at above, covered entities must implement a robust, systematic management system for all risks to and vulnerabilities of ePHI.
- Security Personnel – Covered entities must also delegate responsibilities for both developing and implementing threat management to one or more security officials.
- Information Access Management – Covered entities must establish role-based access to ePHI, consistent with the Privacy Rule’s approved access definition.
- Workforce Training and Management – Covered entities must enforce accountability for security across the organization with supervision, training, and penalties for errors.
- Evaluation – Covered entities must also perform regular design and implementation assessments of Security Rule measures, taking corrective action when necessary.
These are the top-tier controls covered entities must install, starting with upper management to ensure all security practices are being implemented from the top of the workforce down.
Component #2: Physical Safeguards
- Facility Access and Control – Covered entities must take measures to restrict physical access to facilities containing ePHI (or networks and servers that host ePHI) to individuals who are authorized to access the data. These measures must also ensure ease of access to ePHI for the same authorized users.
- Workstation and Device Security – Covered entities must extend these restrictions to physical devices and workstations that house ePHI or connect to servers that house it. The movement and disposal of all such devices must also be closely monitored to ensure that ePHI, and all traces of it, is deleted before any device is permanently relocated or retired.
Altogether, these are the physical controls covered entities must put in place around facilities and devices to keep ePHI secure.
Component #3: Technical Safeguards
The Security Rule’s third and final component comprises four “Technical Safeguards.” Once more, according to HHS’s breakdown of the Security Rule, the specific controls required include:
- Access Control – Covered entities must implement technical controls, including but not limited to multi-factor authentication and other identity and access management best practices, to restrict access to only authorized users, as defined by the Privacy Rule.
- Audit Controls – Covered entities must implement measures to monitor access across all software and hardware and take appropriate action if misuse is detected.
- Integrity Controls – Covered entities must establish a system for ensuring no undue alterations or deletions occur within ePHI, with backups prepared at regular intervals.
- Transmission Security – Covered entities must implement controls to monitor and control the transmission of ePHI across wireless networks.
Ultimately, these controls are hyper-focused on technologies, systems, software, and programs, building on the administrative and physical controls to fully safeguard ePHI.
Understanding the Entire HIPAA Framework
As noted, HIPAA comprises more than the Security Rule and its three primary components. Covered entities also need to comply with the Privacy Rule and the Breach Notification Rule, both of which intersect with the Security Rule. Namely, the Security Rule builds upon definitions set out in the Privacy Rule, and the Breach Notification Rule requires timely notice to all stakeholders if there’s a lapse in privacy or security protections.
Failure to follow these rules can result in cyber-attacks that could lead to long-term, irreversible financial and reputational damage, along with a sliding scale of penalties enforceable under the Enforcement Rule. As we’ll get into below, the Enforcement Rule also intersects with the three components of the Security Rule in that any breach can lead to immediate non-compliance fines.
Let’s take a closer look at the remaining HIPAA rules for a full understanding of compliance.
HIPAA Privacy Rule Controls and Protocols
The Security Rule exists to build upon and intensify the protections for PHI and ePHI that were already laid out in the Privacy Rule. The Privacy Rule is the foundation of HIPAA, and its definitions inform all other HIPAA rules. It was first finalized in 2000 and most recently updated in late 2020.
Per the HHS’s detailed Privacy Rule Summary, its primary components include the following:
- Defining permitted uses and disclosures – Covered entities cannot allow access to or use of ePHI unless it’s requested by the subject of the ePHI or one of the qualifying conditions is met, including: disclosures to the individual; uses involved in treatment, payment, or healthcare operations; disclosures for which the individual has had ample opportunity to object; uses or disclosures incidental to other, authorized ones; uses for the public benefit; and limited disclosure for the purpose of academic research.
- Requiring authorized use and disclosure – Covered entities are required to disclose PHI to the subject or to a representative upon request. Also, disclosure to the HHS and certain other governmental entities is required in the process of investigation.
- Restricting access by minimum necessity – Covered entities must restrict authorized access to the minimum amount required to satisfy the request, except for legal inquiries.
As seen in previous sections, these definitions and considerations also have implications for the Security Rule, as its components reference them. Critically, they also inform the Breach Notification Rule.
HIPAA Breach Notification Rule Requirements
The protections of the Privacy and Security Rules are intended to minimize or eliminate the threat of cyber-attack. But if and when hacks or other cybersecurity events do occur, HIPAA requires covered entities to notify all parties impacted. Hence the Breach Notification Rule.
This rule defines a breach as any incident in which any element of the Privacy Rule or Security Rule has been broken. When that happens, there are three forms of notice required by HHS:
- Individual notice – Covered entities must notify all individuals impacted by a breach in writing within 60 days of the breach’s discovery. All parties may also be notified by email.
- Secretary notice – Covered entities must submit a breach report to the HHS Secretary within 60 days if it impacts 500 or more people or by the year’s end if it impacts fewer.
- Media notice – Covered entities must also notify a local media outlet if a security breach impacts 500 or more individuals within a defined geographical location.
Accountability is a critical element of the Privacy and Security Rules. Failing to provide proper and timely notice could result in a loss of trust in your company — and, potentially, HIPAA enforcement.
HIPAA Enforcement Rule and Compliance
Finally, the HIPAA Enforcement Rule relates to the components of Security, Privacy, and Breach Notification Rules in that it details the penalties enforceable if any of their provisions are violated. The rule details two primary forms of punishment, which scale upward with the severity of violation:
- Civil money penalties – Covered entities may be fined up to $50,000 per violation. These fines vary and can be as low as $100 in the case of ignorance, $1,000 if there was “reasonable cause,” $10,000 for “willful neglect” that is corrected, and a flat rate of $50,000 for willful neglect that is not corrected.
- Criminal penalties – Covered entities may also face criminal charges along with fines, including $50,000 and one year of jail time for intentional violations, $100,000 and five years of jail time for violations committed under false pretenses, and $250,000 and ten years of jail time for violations proven to have been committed for personal gain.
The Enforcement Rule sets the stakes for HIPAA compliance. Failure to adopt the other rules from above can have serious, long-term consequences. RSI Security can help you avoid them.
Professional HIPAA Compliance and Security
Here at RSI Security, we understand how critical compliance is to healthcare providers and other covered entities. We offer a robust, flexible suite of HIPAA compliance advisory services catered to the needs and means of your company. Plus, our talented team is happy to help with all elements of your cybersecurity, whether it involves base-level security architecture implementation or more advanced measures like threat management or penetration testing.
Compliance is not the end of cybersecurity, but it is an essential first step.
To return to the question from above: what are the three components of the HIPAA Security Rule? The components are requirements for administrative, physical, and technical safeguards. To comply with HIPAA, you’ll need to implement these along with all of the Privacy and Breach Notification Rules’ controls. Failing this, your company may face the negative consequences outlined in the Enforcement Rule. To avoid these and strengthen your security, contact RSI Security today!