The HIPAA Security Rule outlines specific administrative, physical, and technical safeguards that covered entities must implement to protect electronic protected health information (ePHI). It applies to healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
Under this rule, covered entities are required to conduct regular risk assessments, implement access controls, use secure encryption protocols, and establish ongoing training and monitoring processes to ensure compliance. Failure to meet these requirements can lead to severe penalties, including fines and loss of trust.
By adhering to the Security Rule, covered entities reduce the likelihood of breaches and ensure that patient information remains confidential, available, and unaltered—core goals of HIPAA compliance.
Are you compliant with the HIPAA Security Rule? Schedule a consultation to find out!
Everything You Need to Know About the HIPAA Security Rule
Despite its healthcare-focused name, the Health Insurance Portability and Accountability Act (HIPAA), and especially its Security Rule, extends well beyond hospitals and clinics. HIPAA applies to a wide range of covered entities and business associates, including health plans, clearinghouses, and even third-party vendors that handle electronic protected health information (ePHI).
The HIPAA Security Rule sets national standards for protecting ePHI from unauthorized access, tampering, or disclosure. It requires covered entities to adopt risk-based security controls tailored to the size, complexity, and capabilities of the organization.
These controls span technical safeguards like encryption and audit controls, physical safeguards like secure facility access, and administrative safeguards such as employee training and incident response planning.
Understanding the full scope of the Security Rule is essential for any organization that processes ePHI, not just traditional healthcare providers.
The three primary concerns all eligible organizations need to prioritize on this front are:
- The requirements for HIPAA Security Rule risk assessments
- The required administrative, physical, and technical safeguards
- The applicability of these and other HIPAA security requirements
It’s also critical to consider HIPAA in a broader regulatory context. There are ways in which its security requirements overlap and intersect with other rulesets—and opportunities for efficiency.
HIPAA Security and Risk Assessments
The Department of Health and Human Services (HHS) enforces HIPAA to ensure organizations that come into contact with protected health information (PHI) take measures to keep it safe.
To that effect, organizations need to identify risks to PHI, including both vulnerabilities that make it susceptible to access and threats that could cause it to be breached, intentionally or not.
The specific requirements for HIPAA Security Rule risk assessments are not explicitly defined.
Instead, the HHS encourages eligible organizations to practice due diligence by rigorously documenting and addressing risks to PHI.
There are also several tools and resources available at low or no cost. For example, organizations may use the National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) to facilitate their audits. Or, they may use the Security Risk Assessment (SRA) Tool, developed by the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC).
HIPAA Security and Required Safeguards
The other major initiative within the Security Rule is to install proactive protections, or safeguards, that limit the likelihood and potential extent of risks to PHI. Infrastructure and architecture that protects PHI needs to include these, at minimum, to be HIPAA-compliant.
These are some of the most clearly and specifically defined requirements in all of HIPAA.
Unlike the risk analysis requirements, these come closest to the lists of requirements and controls that many other regulatory frameworks are built around.
As such, to the extent that a HIPAA Security Rule checklist can be conceptualized and leveraged, this is what it looks like.
Collectively, these safeguards work in tandem with risk assessments (see above) to satisfy the HIPAA Security Rule aims of ensuring the confidentiality, integrity, and availability of all PHI.
Required Administrative Safeguards
These governance-level protections ensure top-down security. They include:
- Security management processes – These include programmatically accounting for risk assessment and, critically, addressing the results of assessments to neutralize threats.
- Security personnel and resources – Covered entities must designate one or multiple individuals and equip them with appropriate resources to implement security policies.
- Information access management – All access to PHI must be limited to the Required and Permitted uses (and to the minimum necessary), as defined in the Privacy Rule.
- Workforce training programs – Any individuals who work with or come into contact with PHI must be trained and evaluated on proper handling to avoid illicit access.
- Continuous program evaluation – Policies and procedures must be assessed regularly and adjusted to ensure efficacy and performance at scale and over time.
Required Physical Safeguards
These hardware-level protections prevent physical security breaches. They include:
- Control over facility access – Covered entities must monitor and restrict physical and proximal access to facilities in which PHI and systems that connect to it are located. At the same time, availability for data subjects or the HHS upon request must be assured.
- Control over devices – Covered entities must also monitor and control the specific hardware from which PHI is or can be accessed. This includes accounting for the safe use, removal, and disposal of physical media containing PHI (e.g., flash drives and other removable storage).
Required Technical Safeguards
These software-level protections prevent remote and other cyberattacks. They include:
- Access control – Covered entities must install controls that monitor, restrict, and revoke (if necessary) virtual access to electronic PHI (ePHI) across hardware and software.
- Audit controls – All behavior across devices and systems that can be used to access ePHI or are connected to PHI in other ways must be recorded and closely examined.
- Integrity controls – Covered entities must implement change management systems to ensure that any change to or deletion of PHI is authorized and accurately recorded.
- Transmission security – All ePHI being transmitted over a virtual network must be guarded against possible interception or other breaches before, during, and after.
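As an added illustration (not code from the original article or from RSI Security), the following Python sketch shows how three of the technical safeguards listed above can be expressed in code: role- and purpose-based access control that returns only the minimum necessary fields, an audit log of every attempt whether allowed or denied, and an HMAC integrity tag on each record so that unauthorized modification is detected on read. The `EphiGateway` class, the policy table, the sample patient record and the integrity key are all constructed for this example and are not drawn from any real system.

```python
"""
Added example, not part of the original article: a minimal ePHI access gateway
demonstrating access control, audit controls and integrity controls.
All roles, purposes, records and keys below are constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical integrity key (constructed for the example). A real deployment
# would hold this in a KMS/HSM, never as a literal in source.
INTEGRITY_KEY = b"example-only-integrity-key"

# Access policy: role -> permitted purpose -> fields that purpose may see.
# Returning only these fields implements the "minimum necessary" principle.
ACCESS_POLICY = {
    "clinician": {"treatment": {"patient_id", "diagnosis", "medications"}},
    "billing":   {"payment":   {"patient_id", "charges"}},
}


def seal(record: dict) -> dict:
    """Attach an HMAC-SHA256 tag over the canonical JSON form of a record."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return {"record": record, "mac": tag}


def verify(sealed: dict) -> bool:
    """Recompute the tag and compare in constant time; False means tampering."""
    body = json.dumps(sealed["record"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


class EphiGateway:
    """Every read of ePHI passes through here: policy check, integrity check, audit."""

    def __init__(self, store: dict):
        self.store = store      # patient_id -> sealed record
        self.audit_log = []     # append-only list of audit entries

    def _audit(self, user, role, purpose, patient_id, outcome):
        # Audit controls: record who, what, why and the result, allowed or not.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "purpose": purpose,
            "patient_id": patient_id, "outcome": outcome,
        })

    def read(self, user: str, role: str, purpose: str, patient_id: str) -> dict:
        allowed_fields = ACCESS_POLICY.get(role, {}).get(purpose)
        if allowed_fields is None:
            self._audit(user, role, purpose, patient_id, "DENIED: role/purpose not permitted")
            raise PermissionError(f"{role} may not access ePHI for {purpose}")
        sealed = self.store.get(patient_id)
        if sealed is None:
            self._audit(user, role, purpose, patient_id, "DENIED: no such record")
            raise KeyError(patient_id)
        if not verify(sealed):
            # Integrity controls: refuse to serve a record whose tag no longer matches.
            self._audit(user, role, purpose, patient_id, "DENIED: integrity check failed")
            raise ValueError("record integrity check failed")
        self._audit(user, role, purpose, patient_id, "ALLOWED")
        # Minimum necessary: project the record down to the permitted fields.
        return {k: v for k, v in sealed["record"].items() if k in allowed_fields}


def build_gateway() -> EphiGateway:
    """Constructed sample data: one patient record, sealed at rest."""
    patient = {"patient_id": "P-0001", "diagnosis": "J06.9",
               "medications": ["acetaminophen"], "charges": 120.0}
    return EphiGateway({"P-0001": seal(patient)})


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.read("dr_a", "clinician", "treatment", "P-0001"))
    print(gw.read("acct_b", "billing", "payment", "P-0001"))
    for entry in gw.audit_log:
        print(entry)
```

The design point is that the audit entry is written on the denial paths as well as the success path; an audit trail that only records successful reads cannot show an investigator who tried and failed. Transmission security is not shown here because it lives in the transport layer (TLS between the gateway and its clients) rather than in application code.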
Applicability of the HIPAA Security Rule
The HIPAA security requirements apply primarily to covered entities. These include healthcare providers (e.g., doctors, hospitals), health plan administrators, and healthcare clearinghouses.
However, HIPAA also applies to business associates outside of healthcare proper.
Lawyers, accountants, and other service providers who come into contact with PHI are also subject to HIPAA rules, including all of the requirements above. Furthermore, the covered entities that engage them must, through business associate contracts, guarantee HIPAA protections for the patient populations those service providers touch.
PHI comprises all records and documents related to patients’ medical and billing histories, including records of their conditions and treatment and any payments associated with them. If your organization comes into contact with these, for any reason, you may be subject to HIPAA.
A good rule of thumb is that if you work extensively with covered entities, HIPAA likely applies.
Other Regulatory Considerations
As noted above, the HIPAA security rule protects patient data far beyond the boundaries of healthcare providers. Likewise, organizations in and around healthcare often have other regulatory commitments that overlap or intersect with their HIPAA obligations. For example:
- Industry-based regulations – Organizations that work with health institutions and the US government may need to implement NIST frameworks. If their work involves the military, they may need to achieve Cybersecurity Maturity Model Certification (CMMC).
- (Inter)national and local laws – Health-adjacent firms based in California or servicing its residents must abide by the California Consumer Privacy Act (CCPA). If they collect data on EU residents, they must follow the General Data Protection Regulation (GDPR).
- Operational and other expectations – Any organization that processes credit card payments may need to achieve Payment Card Industry Data Security Standard (PCI DSS) compliance, and service organizations (including those in healthcare) often need to produce SOC 2 reports for clients.
The best way to address all these needs at once is to implement a comprehensive framework such as the HITRUST CSF. HITRUST Certification allows organizations to meet all HIPAA requirements while also satisfying, and being assessed against, these (and other) compliance needs.
Streamline Security Rule Protections Today
Ultimately, the Security Rule requires organizations to implement risk assessments and install a suite of proactive safeguards. These protections apply to both covered entities in the healthcare profession and many associates outside of it—alongside many other overlapping frameworks.
RSI Security is committed to helping organizations both within and adjacent to healthcare fulfill their HIPAA obligations and protect patient data. We know that the right way is the only way to keep PHI safe while protecting your own organization and any others you’re in business with.
Protect your organization from costly HIPAA violations: download our HIPAA Checklist today to ensure you’re fully compliant.