The Security Rule is one of the major prescriptive portions of the HIPAA regulation. It requires eligible companies, including those tangentially associated with healthcare organizations, to implement risk assessments and install a series of proactive safeguards that prevent and mitigate potential harm to PHI.
Everything You Need to Know About the HIPAA Security Rule
Counter-intuitively, one of the most widely applicable cybersecurity regulations in the US is The Health Insurance Portability and Accountability Act (HIPAA). Despite its name, its requirements, like those in its Security Rule, apply to many organizations outside of the healthcare industry.
The three primary concerns all eligible organizations need to prioritize on this front are:
- The requirements for HIPAA Security Rule risk assessments
- The required administrative, physical, and technical safeguards
- The applicability of these and other HIPAA security requirements
It’s also critical to consider HIPAA in a broader regulatory context. There are ways in which its security requirements overlap and intersect with other rulesets—and opportunities for efficiency.
HIPAA Security and Risk Assessments
The Department of Health and Human Services (HHS) enforces HIPAA to ensure organizations that come into contact with protected health information (PHI) take measures to keep it safe. To that effect, organizations need to identify risks to PHI, including both vulnerabilities that make it susceptible to unauthorized access and threats that could cause it to be breached, intentionally or not.
The Security Rule does not prescribe a specific methodology for HIPAA Security Rule risk assessments.
Instead, the HHS encourages eligible organizations to practice due diligence by rigorously documenting and addressing risks to PHI. Several tools and resources are available at low or no cost. For example, organizations may use the National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) to automate configuration checks that support their audits. Or, they may use the Security Risk Assessment (SRA) Tool, developed by the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC).
HIPAA Security and Required Safeguards
The other major initiative within the Security Rule is to install proactive protections, or safeguards, that limit the likelihood and potential extent of risks to PHI. Infrastructure and architecture that protects PHI must include these, at minimum, to be HIPAA-compliant.
These are some of the most clearly and specifically defined requirements in all of HIPAA.
Unlike the risk analysis requirements, these come closest to the lists of requirements and controls that many other regulatory frameworks are built around. As such, to the extent that a HIPAA Security Rule checklist can be conceptualized and leveraged, this is what it looks like.
Collectively, these safeguards work in tandem with risk assessments (see above) to satisfy the HIPAA Security Rule aims of ensuring the confidentiality, integrity, and availability of all PHI.
Required Administrative Safeguards
These governance-level protections ensure top-down security. They include:
- Security management processes – These include programmatically accounting for risk assessment and, critically, addressing the results of assessments to neutralize threats.
- Security personnel and resources – Covered entities must designate one or multiple individuals and equip them with appropriate resources to implement security policies.
- Information access management – All access to PHI must be limited to the Required and Permitted uses (and to the minimum necessary), as defined in the Privacy Rule.
- Workforce training programs – Any individuals who work with or come into contact with PHI must be trained and evaluated on proper handling to avoid illicit access.
- Continuous program evaluation – Policies and procedures must be assessed regularly and adjusted to ensure efficacy and performance at scale and over time.
Required Physical Safeguards
These hardware-level protections prevent physical security breaches. They include:
- Control over facility access – Covered entities must monitor and restrict physical and proximal access to facilities in which PHI and systems that connect to it are located. At the same time, availability for data subjects or the HHS upon request must be assured.
- Control over devices – Covered entities must also monitor and control the specific hardware from which PHI is or can be accessed. This includes accounting for the safe use, removal, and disposal of physical media containing PHI (e.g., flash drives and other removable storage).
Required Technical Safeguards
These software-level protections prevent remote and other cyberattacks. They include:
- Access control – Covered entities must install controls that monitor, restrict, and revoke (if necessary) electronic access to electronic PHI (ePHI) across hardware and software.
- Audit controls – All activity on devices and systems that can be used to access ePHI, or that are connected to PHI in other ways, must be recorded and closely examined.
- Integrity controls – Covered entities must implement change management controls to ensure that changes to or deletions of PHI are authorized and accurately recorded, so that ePHI is not improperly altered or destroyed.
- Transmission security – All ePHI transmitted over an electronic network must be guarded against interception or other breaches before, during, and after transmission.
Applicability of the HIPAA Security Rule
The HIPAA security requirements apply primarily to covered entities. These include healthcare providers (e.g., doctors, hospitals), health plan administrators, and healthcare clearinghouses.
However, HIPAA also applies to business associates outside of healthcare proper.
Lawyers, accountants, and other service providers who come into contact with PHI are also subject to HIPAA rules, including all of the requirements above. Furthermore, the covered entities that engage them must put business associate contracts in place that extend HIPAA protections to the patient populations these service providers affect.
PHI comprises all records and documents related to patients’ medical and billing histories, including records of their conditions and treatment and any payments associated with them. If your organization comes into contact with these, for any reason, you may be subject to HIPAA.
A good rule of thumb is that if you work extensively with covered entities, HIPAA likely applies.
Other Regulatory Considerations
As noted above, the HIPAA security rule protects patient data far beyond the boundaries of healthcare providers. Likewise, organizations in and around healthcare often have other regulatory commitments that overlap or intersect with their HIPAA obligations. For example:
- Industry-based regulations – Organizations that work with health institutions and the US government may need to implement NIST frameworks. If their work involves the military, they may need to achieve Cybersecurity Maturity Model Certification (CMMC).
- (Inter)national and local laws – Health-adjacent firms based in California or servicing its residents must abide by the California Consumer Privacy Act (CCPA). If they collect data on EU residents, they must follow the General Data Protection Regulation (GDPR).
- Operational and other expectations – Any organization that processes credit card payments may need to achieve Payment Card Industry Data Security Standard (PCI DSS) compliance, and service organizations (including healthcare) often need to produce SOC 2 reports for clients.
The best way to address all these needs at once is to implement a comprehensive framework such as the HITRUST CSF. HITRUST Certification allows organizations to meet all HIPAA requirements while also satisfying and assessing for these (and other) compliance needs.
Streamline Security Rule Protections Today
Ultimately, the Security Rule requires organizations to implement risk assessments and install a suite of proactive safeguards. These protections apply to both covered entities in the healthcare profession and many associates outside of it—alongside many other overlapping frameworks.
RSI Security is committed to helping organizations both within and adjacent to healthcare fulfill their HIPAA obligations and protect patient data. We know that the right way is the only way to keep PHI safe while protecting your own organization and any others you’re in business with.
To learn more about our HIPAA Security Rule solutions, contact RSI Security today!