A fundamental priority for organizations within and adjacent to the healthcare industry is safeguarding protected health information (PHI) from unauthorized exposure. To protect your PHI against security threats sufficiently, compliance with HIPAA is mandatory. Implementing recommended HIPAA controls will help simplify compliance with HIPAA. Read on to learn more.
Which HIPAA Controls Should You Implement?
Determining which HIPAA controls will best address your organization’s particular needs with respect to PHI and strengthen your overall security posture comes down to four critical pillars:
- Understanding the full scope of HIPAA and its impact on your organization
- Conducting a HIPAA risk assessment to identify relevant controls
- Implementing HIPAA controls based on the Privacy Rule
- Optimizing HIPAA controls per the Security Rule
Developing a framework for implementing all required and suggested HIPAA controls will help you mitigate all threats to PHI—especially with the help of a HIPAA compliance advisor.
HIPAA 101 – Scope and Impact on Security
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to safeguard the privacy of protected health information (PHI). Compliance with HIPAA requires all organizations that create, collect, process, transmit, or otherwise come into contact with PHI to implement certain safeguards for all healthcare-related transactions.
HIPAA consists of four primary Rules to guide the implementation of PHI-specific safeguards for all organizations subject to HIPAA. However, the essential Rules for establishing, optimizing, and implementing most HIPAA controls are the Privacy and Security Rules.
HIPAA Privacy Rule
The Privacy Rule addresses permitted uses and disclosures of PHI across all HIPAA-subject organizations. Individuals whose PHI is collected by a covered entity have the right to know how and why; they must be able to determine and consent to how the PHI is used or disclosed.
Per the Privacy Rule, the covered entities to whom its requirements apply include:
- Health plans – Any individual or group plans that cover costs of medical services:
  - Insurers for dental, medical, vision, prescription drug plans
  - Health maintenance organizations (HMOs)
  - Medicare, Medicaid, and related insurance plans
  - Employer-sponsored health plans
- Healthcare providers – Any entity that conducts transactions involving PHI, including:
  - Insurance or medical claims
  - Inquiries into benefits eligibility
  - Requests for referrals
  - All other transactions specified under the HIPAA Transactions Rule
- Healthcare clearinghouses – Any organization that converts PHI received in a non-standard form to a standardized form, such as for transactions, including:
  - Patient or insurance billing
  - Repricing of services
  - Management of community health information systems
The Privacy Rule provisions also apply to business associates of covered entities, defined as organizations that provide specific services—involving the use and disclosure of PHI—on behalf of the covered entities. If your organization falls under any of these categories, you’ll need to implement HIPAA controls, safeguarding PHI at rest and during transit to other covered entities.
HIPAA Security Rule
The Security Rule provides guidelines to safeguard electronic PHI (ePHI) at rest and in transit between any covered entities or business associates. HIPAA controls listed in the Security Rule are based on widely accepted security standards that help covered entities address the challenges of evolving IT environments.
Covered entities can apply the Security Rule provisions to improve the overall quality of healthcare delivery while achieving flexibility and scalability of IT infrastructure.
The Security Rule is broken into three safeguards, addressed in further detail below:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
Covered entities can apply the recommended HIPAA controls from each safeguard to:
- Maintain the integrity, confidentiality, and availability of ePHI
- Detect and mitigate any anticipated threats to ePHI
- Prevent anticipated violations of the Privacy Rule’s permitted uses and disclosures requirement
- Implement organization-wide HIPAA compliance
Following the Security Rule will empower you to develop robust HIPAA controls, regardless of your organization’s size, infrastructure, or potential threats to PHI.
HIPAA Breach Notification Rule
Compliance with HIPAA helps mitigate threats—but it does not guarantee that you will not experience a data breach. Should you experience a breach of PHI, the Breach Notification Rule lists procedures for HIPAA-covered entities to disclose the breaches.
Specifically, covered entities are required to notify:
- The Secretary of Health and Human Services (HHS) via a Breach Report
- Impacted parties (e.g., individuals whose PHI is exposed)
- Local media outlets when 500 or more individuals are affected
Establishing appropriate HIPAA controls will help minimize the risk of PHI breaches.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule lists the provisions related to non-compliance. It includes:
- Enforcement of the Privacy and Security Rules by the Office for Civil Rights (OCR) and, in some cases, the Department of Justice (DOJ)
- Fines and penalties for non-compliance violations
It is critical to establish HIPAA controls for breach notification and enforcement to help your organization best address any PHI breach incidents. A HIPAA compliance advisor can guide you on optimizing controls for each Rule, helping you achieve HIPAA compliance.
How Risk Assessments Determine Relevant HIPAA Controls
Effective implementation of HIPAA controls requires covered entities to define the risks specific to their IT infrastructure, enabling a seamless and more efficient adoption of PHI safeguards.
Establishing HIPAA security controls that do not meet your needs or address existing or future risks to PHI could further compromise PHI. A HIPAA-based risk assessment should account for:
- Types of PHI processing – It is critical to understand which methods are in use to create, process, transmit, or delete PHI, especially those involving:
  - Networked devices (e.g., workstations, printers, individual computers)
  - Handheld devices (e.g., tablets, mobile devices)
  - Processes for paper PHI disposal (e.g., paper shredders)
  - Procedures for ePHI disposal (e.g., scheduled ePHI wipes from workstations)
- Common threats to PHI – Covered entities must also define the risks to PHI, including those specific to their organizations and those commonly experienced by others:
  - Insider threats involving malicious exposure of PHI
  - Phishing attacks that compromise user IDs and passwords
  - Elevation of privilege resulting in unauthorized access to sensitive data
- Existing safeguards – It helps to determine which tools, processes, or frameworks are in place to defend against threats to PHI, enabling optimization to match the standards required for HIPAA compliance.
- Breach likelihood and impact – An effective HIPAA risk assessment should determine your organization’s security posture, including what would happen if a breach occurred. Specific questions to ask when conducting a breach likelihood and impact assessment include:
  - How resilient are the existing cyber defenses against threats to PHI?
  - Is there a business continuity plan if a breach occurs?
  - What are the potential impacts to stakeholders (e.g., patients, business associates, third-party vendors)?
- Security policies – It is also critical to determine whether you have established policies to guide the implementation of PHI safeguards. Even with the most robust HIPAA controls, a security policy helps guide implementation and track adherence to HIPAA compliance.
Following a HIPAA risk assessment, a covered entity can better define which HIPAA controls must be optimized or developed.
HIPAA Controls for Privacy Rule Requirements
The HIPAA controls addressed by the Privacy Rule pertain to uses and disclosures of PHI. Covered entities must provide appropriate safeguards for all transactions involving PHI, especially when there are potential risks of exposure.
PHI Incidental Uses and Disclosures
The Privacy Rule requires covered entities to establish HIPAA controls that minimize unintended and potentially compromising PHI disclosures, including:
- Speaking quietly about patients’ conditions in public areas, such as waiting rooms
- Minimizing the use of identifiable PHI, such as patient names, in public areas
- Preventing unauthorized access to PHI storage (e.g., filing cabinets)
The Security Rule provides further guidance on specific HIPAA security controls (see below) to minimize incidental disclosures of PHI.
PHI Permitted Uses and Disclosures
Per the Privacy Rule, covered entities must not disclose or use PHI without patient authorization, except under specific circumstances.
Permitted uses and disclosures, without individual authorization, include:
- Use of PHI for healthcare operations specific to the covered entity, such as:
  - Treatment decision-making and provision of care
  - Financial services (e.g., patient billing, claims processing)
- Disclosure of PHI to other healthcare providers for:
  - Treatment activities involving an individual (e.g., medical records transfer to a specialist)
  - Payment activities (e.g., billing of laboratory services)
  - Other healthcare operations in which the subject of the PHI has an existing relationship with either of the involved entities
Covered entities can use the Privacy Rule guidance to develop appropriate organization-wide HIPAA controls to maintain the integrity and privacy of PHI, especially when integrated with the controls recommended by the Security Rule.
HIPAA Controls and Security Rule Requirements
The HIPAA controls list recommended by the Security Rule contains administrative, physical, and technical safeguards—helping organizations optimize their cybersecurity posture to defend against threats to PHI. Working with a leading HIPAA compliance advisor will help you streamline the various HIPAA controls and achieve maximum ROI on cybersecurity.
Administrative Safeguards
The Security Rule administrative safeguards help organizations establish HIPAA controls that address organization-wide security, in conjunction with the Privacy Rule. They include:
- Risk assessment and management – Analyzing the potential risks to ePHI will help define the appropriate and relevant security measures to safeguard it.
- Workforce training and awareness – Some of the most common PHI threats are either staff being unaware of security risks or simply being negligent about security procedures. Ongoing cybersecurity awareness training will help increase vigilance about common threats to PHI, such as phishing risks.
- Access management – Any uses and disclosures of PHI outside of the Privacy Rule provisions present exposure risks. It is critical to manage all access controls involving:
  - Temporary or contract staff, ensuring removal of access following their departure from the organization
  - Third-party service providers, ensuring access to only PHI environments necessary for business activities
- Security management – Robust implementation of HIPAA controls relies on a dedicated security team to address all aspects of development, optimization, and implementation.
Implementing administrative HIPAA controls will streamline cyber defenses from the top down.
Physical Safeguards
HIPAA controls that address physical security help safeguard access points to PHI environments. Specific physical safeguards recommended by the Security Rule include:
- Access control protocols – The Security Rule recommends monitoring and securing all access to facilities containing PHI to minimize intrusion by malicious actors. Access controls include:
  - Securing environments containing PHI with key cards
  - Designating access to PHI storage to specified keyholders
  - Installing secure doors to facilities containing PHI storage
- Workstation security – To prevent unauthorized access to ePHI, shared workstations should be secured via:
  - Automatic log-off procedures for workstations sitting idle
  - Policies to guide the removal, transfer, or disposal of PHI from workstations
  - Password-protecting all workstations, especially those with access to ePHI
- Handheld device security – Devices used to create, process, or transmit PHI during healthcare operations should be secured to mitigate unauthorized access to ePHI. Handheld device security involves:
  - Password-protecting all shared devices (e.g., tablets, mobile scanners)
  - Implementing policies to limit PHI access on handheld devices to only secure networks
- Hardware inventory – Inventory systems are critical to managing assets that require:
  - Routine maintenance (e.g., patch management)
  - Disposal and removal from PHI environments at end-of-life (EOL) cycles
The Security Rule pertains primarily to ePHI, but physical safeguards optimize HIPAA controls at facilities that conduct transactions involving both physical and electronic PHI.
Technical Safeguards
The last group of HIPAA controls recommended by the Security Rule helps organizations address aspects of IT security. The technical safeguards include:
- Access control processes – Unlike the access controls for physical security, technical access control measures limit access to ePHI to only authorized individuals and include:
  - Implementation of policies requiring users to create strong passwords
  - Establishing privileged user access for ePHI environments
  - Designating protocols for ePHI access during emergencies
- ePHI authentication – Modification or deletion of PHI without a subject’s authorization constitutes a HIPAA violation, so covered entities need ongoing integrity controls that authenticate ePHI and detect unauthorized alteration or destruction.
- Cryptographic and boundary protection tools – Besides the use of passwords to control access to ePHI, covered entities should also use industry-standard encryption and network protection tools, including:
  - Firewalls to secure systems against malware and unauthorized network access
  - Cloud encryption for any PHI cloud storage
  - Encrypted transmission of ePHI via email or intranet
- Access and activity logging – Even with established access controls, unforeseen threats to PHI include malicious insiders or simply undetected breach attempts. Logging user access to ePHI will help:
  - Track unusual activity that risks the integrity of PHI
  - Initiate the appropriate incident response protocols
  - Provide data for future threat mitigation
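As an added example (not from the original article), the following Python script shows how the access and activity logging described above can be reviewed for three signals the article raises: access by an account that should have been removed at departure (see access management under the administrative safeguards), a user touching an unusually large number of distinct patient records, and access outside scheduled hours. The audit-log format, field names, user names and thresholds are all constructed assumptions.

```python
"""Review a constructed ePHI access audit log for suspicious activity (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines in an assumed format: timestamp|user|patient_id
AUDIT_LOG = """\
2024-03-04T09:12:41|nurse.lee|P1001
2024-03-04T09:15:02|nurse.lee|P1002
2024-03-04T02:47:10|contractor.kim|P2210
2024-03-04T10:01:00|billing.ray|P3001
2024-03-04T10:01:05|billing.ray|P3002
2024-03-04T10:01:09|billing.ray|P3003
2024-03-04T10:01:14|billing.ray|P3004
2024-03-04T10:01:20|billing.ray|P3005
2024-03-04T23:30:00|dr.osei|P1001
"""

# Accounts whose access should already have been removed (constructed list)
DEPROVISIONED = {"contractor.kim"}
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 counts as scheduled hours (assumption)
MAX_DISTINCT_PATIENTS = 4          # per user per day; threshold is an assumption


def parse(line):
    """Split one audit line into (datetime, user, patient_id)."""
    ts, user, patient = line.split("|")
    return datetime.fromisoformat(ts), user, patient


def review_access_log(log_text, deprovisioned, max_patients=MAX_DISTINCT_PATIENTS):
    """Return a sorted list of (rule, user) findings for the given audit log text."""
    findings = set()
    patients_seen = defaultdict(set)   # (user, date) -> distinct patient ids touched
    for line in log_text.strip().splitlines():
        ts, user, patient = parse(line)
        if user in deprovisioned:
            findings.add(("deprovisioned-account-access", user))
        if ts.hour not in BUSINESS_HOURS:
            findings.add(("off-hours-access", user))
        patients_seen[(user, ts.date())].add(patient)
    # Volume rule: a single user reading more distinct records than expected in one day
    for (user, _day), patients in patients_seen.items():
        if len(patients) > max_patients:
            findings.add(("excessive-distinct-patients", user))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user in review_access_log(AUDIT_LOG, DEPROVISIONED):
        print(f"{rule}: {user}")
```

Each finding is a starting point for the incident response step the article names, not a confirmed violation; the thresholds would be tuned to the role mix of the actual workforce.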
Implementing the technical HIPAA controls will help your organization optimize HIPAA compliance to effectively address threats to PHI, especially in a complex IT landscape.
Optimize Your HIPAA Controls and Security Posture
Safeguarding PHI is critical for all organizations within and adjacent to healthcare. By establishing and implementing HIPAA controls—optimizing where necessary for robust security—you can achieve HIPAA compliance and mitigate threats to PHI.
As an experienced HIPAA compliance advisor, RSI Security will help you build out the appropriate HIPAA controls. To rethink your HIPAA compliance and optimize your cybersecurity posture, contact RSI Security today.