The Health Insurance Portability and Accountability Act (HIPAA) contains a provision that protects individuals' electronic protected health information (ePHI): the Security Rule. It governs how ePHI is created, received, maintained and transmitted by a covered entity. Understanding the HIPAA Security Rule requirements helps keep all stakeholders protected.
To provide this protection, the Security Rule requires administrative, physical and technical safeguards. Implemented correctly, these safeguards protect the confidentiality, integrity and availability of ePHI, although no set of controls can guarantee it outright.
A risk assessment is essential to compliance with these safeguards. It uncovers any part of the organization that is exposed to unnecessary risk. The guidance published by the HHS Office for Civil Rights (OCR) is an excellent place to start.
We detail all the safeguards below as set out in the Security Rule.
The HIPAA Security Rule Requirements: Safeguards
The Security Rule defines administrative safeguards as administrative actions, policies and procedures that cover the following:
- The selection, development, implementation and maintenance of security measures to protect electronic protected health information (ePHI).
- The management of the conduct of the covered entity's workforce in relation to the protection of that information.
The following are the standards that govern administrative safeguards:
Security management process
This standard requires a covered entity to implement policies and procedures to prevent, detect, contain and correct security violations, and to guide its workforce in complying with them.
Risk analysis and risk management sit under this standard, alongside a sanction policy for workforce members who violate security policies and a regular review of information system activity (audit logs, access reports and incident tracking reports). The risk analysis must be repeated or updated regularly so that the data protection strategy stays current.
Assigned security responsibility
This standard requires the identification of a security official in charge of policy development and implementation.
Healthcare organizations must decide whether one individual should serve as both Privacy Officer and Security Officer, or whether it is better to assign the two roles to separate people.
Whatever the decision, the security officer’s range of responsibilities must reflect the organization’s technical complexity.
Workforce security
This standard requires policies and procedures that give workforce members the access to ePHI they need to perform their roles, and that prevent those who should not have access from obtaining it.
The healthcare organization must identify who has the authority to grant workforce members access to ePHI, and that authorization process must be applied consistently across all systems and platforms.
Termination procedures also fall under this standard. When a workforce member leaves or is terminated, the covered entity must end their access to ePHI at the same time: accounts must be disabled, passwords and access codes revoked, and any physical keys or tokens recovered.
Information access management
Compliance with this standard means restricting access to ePHI to the persons and software programs that need it. Practices and safeguards must be evaluated to limit unnecessary access to, and disclosure of, protected health information.
Security awareness and training
Training the workforce in security is the focus of this standard. Covered entities must run a security awareness and training program for all workforce members, including management. Password management must be covered so that employees choose strong passwords and do not share them.
The program must also prepare employees to guard against malicious software, for example by recognizing and reporting phishing messages, and should include periodic security reminders and monitoring of log-in attempts.
Security incident procedures
There must be policies and procedures in place to identify and respond to security incidents.
Healthcare organizations must anticipate the types of incidents and threats that can occur at their facilities. The procedures must specify to whom incidents are reported, and there must be a standard way of responding to, mitigating and documenting any situation that compromises ePHI security.
Contingency plan
If there is a natural disaster, system failure or sudden power interruption, this standard provides covered entities with guidance on what to do. There must be a data backup plan, a disaster recovery plan and an emergency mode operation plan so that access to ePHI can be restored and critical processes continue.
Healthcare organizations must determine what backup material is needed, such as cloud storage or recovery discs, and test the plan so that restoration actually works. The plan must also address how to respond to an emergency that lasts for a sustained period of time.
Evaluation
Compliance with this standard focuses on periodic technical and non-technical evaluation of security policies and procedures. Reviews must be regular so that healthcare organizations can adjust to any operational or environmental change that affects ePHI security.
Business associate contracts and other arrangements
This is similar to the business associate agreement requirement under the HIPAA Privacy Rule. The difference is that this standard is specific to business associates that create, receive, maintain or transmit ePHI on the covered entity's behalf.
For full compliance, a written contract or other arrangement must be in place that meets the HIPAA requirements, including satisfactory assurances that the business associate will appropriately safeguard the ePHI.
The Physical Safeguards focus on the physical handling, management and access of the systems and facilities that hold ePHI.
Many of the requirements concern the handling of ePHI by hosting companies and data centers that are HIPAA compliant. Other aspects of the safeguards cover the internal rules for who may physically access systems that hold ePHI.
Facility Access Controls
- Contingency Operations (addressable). There must be procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operations plan.
- Facility Security Plan (addressable). This specification covers policies and procedures that protect the facility and its equipment against unauthorized physical access, tampering and theft.
- Access Control and Validation Procedures (addressable). Procedures must control and validate a person's access to facilities based on their role or function. This includes visitor control and control of access to software programs for testing and revision.
- Maintenance Records (addressable). Repairs and modifications to the physical components of a facility that are related to security (for example hardware, walls, doors and locks) must be documented, and the policy must define how those records are kept.
Device and Media Controls
- Disposal (required). The final disposition of ePHI must be addressed. There must be policies and procedures for disposing of ePHI, and of the hardware or electronic media on which it is stored, when it is no longer needed.
- Media Re-Use (required). Before electronic media are made available for re-use, there must be procedures that ensure the ePHI on them is removed completely, so that data does not leak to the next user.
- Accountability (addressable). A record must be kept of the movements of hardware and electronic media, and of any person responsible for them.
- Data Backup and Storage (addressable). A retrievable, exact copy of the ePHI must be created, when needed, before equipment is moved, so that data is not lost in transit.
Workstation Use and Workstation Security
These are two separate standards, both required, that sit alongside Facility Access Controls and Device and Media Controls:
- Workstation Use (required). Policies and procedures must specify the proper functions to be performed on workstations that access ePHI, the manner in which those functions are performed, and the physical attributes of the surroundings of such workstations.
- Workstation Security (required). Physical safeguards must be implemented for all workstations that access ePHI so that access is restricted to authorized users.
The HIPAA Technical Safeguards outline what covered entities must put in place in the technology that handles ePHI. Each standard has required and addressable implementation specifications. Addressable does not mean optional: a covered entity must implement an addressable specification if it is reasonable and appropriate, or else document why it is not and implement an equivalent alternative measure where reasonable and appropriate.
Access Control Requirements
- Unique User Identification (required). Each user must have a unique name and/or number so that their identity can be identified and their activity in the system tracked.
- Emergency Access Procedure (required). There must be procedures for obtaining necessary ePHI during an emergency.
- Automatic Logoff (addressable). There must be electronic procedures that terminate a session after a predetermined period of inactivity.
- Encryption and Decryption (addressable). There must be a mechanism to encrypt and decrypt ePHI.
Person or Entity Authentication
- Authentication (required). Procedures must be in place to verify that a person or entity seeking access to ePHI is the one claimed.
Transmission Security
- Integrity Controls (addressable). Electronically transmitted ePHI must be protected so that it cannot be improperly modified without detection until it is disposed of.
- Encryption (addressable). A mechanism must be in place to encrypt ePHI in transit whenever it is deemed appropriate, for example over any network the organization does not control.
Audit and Integrity
- Audit Controls (required). There must be hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- Mechanism to Authenticate ePHI (addressable). There must be electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner, for example a checksum, digital signature or message authentication code.
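The technical safeguards above (Unique User Identification, Person or Entity Authentication, Automatic Logoff, Audit Controls and the Integrity standard's mechanism to authenticate ePHI), together with the termination procedures under Workforce Security, can be seen working together in the following Python model. It is an added example written for this page, not code from the HIPAA Security Rule, HHS or RSI Security. The class and method names, the 15-minute idle timeout, the PBKDF2 work factor, the HMAC key, the user account and the patient record are all constructed for illustration; a real system would keep records in a database, the integrity key in a secrets manager or HSM, and the audit log in append-only storage.

```python
import hashlib
import hmac
import json
import secrets

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before automatic logoff (assumed policy value)
PBKDF2_ITERATIONS = 200_000  # password-hashing work factor (assumed)


class EphiStore:
    # Keeps ePHI records with an HMAC-SHA256 tag so unauthorized changes are detected on read.
    def __init__(self, integrity_key):
        self._key = integrity_key
        self._records = {}  # record_id -> (json payload, tag)

    def _tag(self, record_id, payload):
        # The tag also covers the record id, so one record cannot be swapped in under another id.
        return hmac.new(self._key, record_id.encode() + b"\x00" + payload, hashlib.sha256).digest()

    def put(self, record_id, record):
        payload = json.dumps(record, sort_keys=True).encode()
        self._records[record_id] = (payload, self._tag(record_id, payload))

    def get(self, record_id):
        # Returns the record, or None if the stored bytes no longer match their tag.
        payload, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, payload)):
            return None
        return json.loads(payload)


class AccessControl:
    # Unique ids, authentication, idle logoff, termination and an audit trail; `now` is a caller-supplied Unix timestamp.
    def __init__(self, store):
        self.store = store
        self.users = {}      # user_id -> {"salt", "hash", "active"}
        self.sessions = {}   # token -> {"user_id", "last_activity"}
        self.audit_log = []  # one entry per attempt, allowed or denied (Audit Controls)

    def _log(self, now, event, user_id, record_id=None):
        self.audit_log.append({"ts": now, "event": event, "user": user_id, "record": record_id})

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def add_user(self, user_id, password):
        if user_id in self.users:
            raise ValueError("user ids must be unique")  # Unique User Identification
        salt = secrets.token_bytes(16)
        self.users[user_id] = {"salt": salt, "hash": self._hash(password, salt), "active": True}

    def authenticate(self, now, user_id, password):
        # Person or Entity Authentication: returns a session token, or None on failure.
        user = self.users.get(user_id)
        if user and user["active"] and hmac.compare_digest(self._hash(password, user["salt"]), user["hash"]):
            token = secrets.token_urlsafe(32)
            self.sessions[token] = {"user_id": user_id, "last_activity": now}
            self._log(now, "LOGIN", user_id)
            return token
        self._log(now, "AUTH_DENIED", user_id)
        return None

    def read_record(self, now, token, record_id):
        session = self.sessions.get(token)
        if session is None:
            self._log(now, "ACCESS_DENIED", None, record_id)
            return None
        user_id = session["user_id"]
        if now - session["last_activity"] > IDLE_TIMEOUT:  # Automatic Logoff
            del self.sessions[token]
            self._log(now, "AUTO_LOGOFF", user_id, record_id)
            return None
        session["last_activity"] = now
        record = self.store.get(record_id)
        self._log(now, "READ" if record is not None else "INTEGRITY_FAILURE", user_id, record_id)
        return record

    def terminate_user(self, now, user_id):
        # Termination procedure: disable the account and drop its live sessions immediately.
        self.users[user_id]["active"] = False
        self.sessions = {t: s for t, s in self.sessions.items() if s["user_id"] != user_id}
        self._log(now, "TERMINATED", user_id)


def demo():
    store = EphiStore(b"constructed-example-key-not-for-production")
    ac = AccessControl(store)
    store.put("pt-1001", {"name": "Example Patient", "dx": "constructed sample"})  # constructed record
    t0, pw = 1_700_000_000.0, "correct horse battery staple"
    ac.add_user("nurse01", pw)
    token = ac.authenticate(t0, "nurse01", pw)
    first = ac.read_record(t0 + 60, token, "pt-1001")                          # normal read
    timed_out = ac.read_record(t0 + 60 + IDLE_TIMEOUT + 1, token, "pt-1001")   # idle too long
    token = ac.authenticate(t0 + 2000, "nurse01", pw)
    # Simulate an edit that bypassed put(), e.g. someone changing the storage file directly.
    store._records["pt-1001"] = (b'{"dx": "altered"}', store._records["pt-1001"][1])
    tampered = ac.read_record(t0 + 2001, token, "pt-1001")
    ac.terminate_user(t0 + 2002, "nurse01")
    after_termination = ac.read_record(t0 + 2003, token, "pt-1001")  # old token no longer valid
    return {"first": first, "timed_out": timed_out, "tampered": tampered,
            "after_termination": after_termination, "events": [e["event"] for e in ac.audit_log]}
```

Running `demo()` produces an audit trail of LOGIN, READ, AUTO_LOGOFF, LOGIN, INTEGRITY_FAILURE, TERMINATED and ACCESS_DENIED, which is the kind of evidence an auditor asks for under Audit Controls. Two caveats a practitioner should note: the HMAC only detects tampering by someone who does not hold the integrity key, so the key must be stored separately from the records; and `authenticate` returns early for unknown user ids without running PBKDF2, which in a production system should be replaced by hashing a dummy password so that response time does not reveal which ids exist.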
HHS Security Risk Assessment Tool
To assist small and medium-sized healthcare providers with risk assessment, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) jointly released the HIPAA Security Risk Assessment (SRA) Tool.
The tool is downloadable and walks the user through the entire risk assessment process. It is built around the requirements of the HIPAA Security Rule and the Centers for Medicare and Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Programs.
The information entered into the tool is stored locally on the user's device. HHS has no means of receiving or collecting it.
The assessment results are presented in a report that helps the organization analyze the risk in its processes, procedures and policies. Because the target audience is small to medium providers, larger organizations may find its scope limited.
2018 Tool Update
In October 2018, an updated version of the Security Risk Assessment (SRA) Tool was released. It was redesigned to address the confidentiality, integrity and availability of health information more directly.
It now includes a diagram of the HIPAA Security Rule safeguards, and enhanced functionality for documenting how the organization implements its safeguards against the identified risks.
The new SRA Tool is available for Windows devices. The iPad version is still available in the Apple App Store under "HHS SRA Tool." There is no version for macOS.
The updated tool now has access to the following improved features:
- Upgraded user interface
- Modular workflow
- Customized assessment logic
- Progress logger
- Threats and vulnerabilities ratings
- Detailed report writing
- Business associate and asset tracking
- Overall user experience improvement
NIST HIPAA Security Rule Toolkit
The NIST HIPAA Security Rule (HSR) Toolkit is intended to help organizations understand and implement these requirements. A comprehensive user guide with instructions is available alongside the HSR application.
Compliance With the Help of Experts
RSI Security is a security service provider with many years of experience providing data security compliance and testing services. Our skilled, experienced and qualified team of experts uses a risk-based, strategic approach that helps your organization comply with the HIPAA security requirements.
Our advisory services can help your organization meet the HIPAA rules and security requirements. This increases patient data security and minimizes the cost of compliance.
We understand that HIPAA Compliance should be implemented into business-as-usual (BAU) activities. This helps you monitor the effectiveness of controls on an ongoing basis.
The HIPAA Services of RSI Security include the following:
- Network Penetration Testing
- Vulnerability Scanning
- HIPAA Security Rule compliance advisory, assessment and auditing services (covering required and addressable technical, physical and administrative safeguards for the ePHI and patient data environment)
- Risk Analysis of your patient data environment
- HIPAA Security Awareness and Training
Partner with RSI Security and we can help you achieve the following milestones for HIPAA compliance:
- Audit Ready Patient Data Environment
- Patient Data Security Risk Management
- HIPAA Security and Compliance
- Increased Patient Data Protection
- Increased Customer Trust and Organizational Reputation
- Implementation of Information Security Program
- Effective Incident Response Planning