The US healthcare industry is one of the most attractive targets for cybercrime worldwide. Any attack, like the recent ransomware strike on Universal Health Services, can freeze hundreds of providers and impact millions of patients. Complying with the Health Insurance Portability and Accountability Act (HIPAA) is the first step you can take to avoid potentially crippling attacks, and understanding the HIPAA security rule is a key part of achieving compliance.
In addition to the ever-present threat of attack, companies who fail to meet compliance standards can face financial penalties and even jail time. Implementing the security rule is essential to avoiding legal trouble and safeguarding your clients’ sensitive information.
But that doesn’t mean it’s easy.
What You Should Know About the HIPAA Security Rule
Nearly all companies within and adjacent to the medical industry need to be compliant with HIPAA. In practice, that means following its four rules. And the second rule, concerning security, can be one of the hardest to follow. It requires implementing controls on multiple levels and activating every single person in your company to help protect sensitive information.
Understanding all it entails can be a challenge. But don’t worry: this guide will break down everything you need to know about the HIPAA security rule, providing:
- A summary of the security rule
- An explanation of the other HIPAA rules
- A solution to HIPAA compliance across all rules
By the end of this guide, you’ll know the security rule inside and out. But first, let’s get into some basic context of what HIPAA is and why it matters for your business.
What is HIPAA, and Why Does it Matter?
The US Department of Health and Human Services (HHS) administers HIPAA in order to ensure that healthcare providers across the country have uniform standards for the safety and security of their clients’ information. Specifically, HIPAA designates certain personal information, such as clients’ biographical, medical, and payment records, as protected health information (PHI).
In practice, HIPAA’s main function is to require all covered entities to safeguard PHI.
Entities to whom this applies include all direct healthcare providers, such as doctors and hospitals. But it also includes institutions that administer and process healthcare plans, as well as clearinghouses, such as billing and information management platforms used by medical companies. Business associates of the aforementioned entities also need to be vetted.
HIPAA matters because the integrity of PHI matters — for clients and for your business. Cybercriminals who seize PHI can wreak havoc on both patients and healthcare institutions.
Hence the importance of security.
HIPAA Security Rule Summary
While HIPAA exists in order to regulate security of all PHI, the security rule protects the following forms of electronic PHI (ePHI) in particular:
- Digital copies of clients’ biographical, financial, and medical records
- Certain account information (credentials, etc.) related to these records
The rule was proposed in 1998, but reached its first official form in 2003. Compliance was required as of 2005 for most covered entities. Its most recent updates are documented in 2013’s omnibus final rule, which modernized all of HIPAA to contemporary standards.
The stated purpose of the security rule is ensuring confidentiality, integrity, and security of ePHI with required standards across four categories:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements
HIPAA recognizes the diversity of covered entities; the particular ways companies implement these safeguards can vary depending on their size, complexity, and risk profile.
The National Institute of Standards and Technology (NIST) developed a security rule toolkit to help companies adapt solutions to their specific needs. And the Centers for Medicare & Medicaid Services (CMS) has partnered with HHS to publish guides explaining each safeguard.
The first and largest set of requirements in the security rule are its administrative safeguards.
These break down into nine main standards, along with required specifications covered entities must implement, and/or addressable specifications they can choose between:
- Security management process – Governing company-wide approach to risks threatening PHI. Specifications include:
- Risk analysis to identify and understand risk (required)
- Risk management to address identified risks (required)
- Sanction policies against noncompliant personnel (required)
- Information system activity review for all logs, reports, etc. (required)
- Assigned security responsibility – Requiring designation of a “Security Official” to develop and implement parameters of the security rule.
- Workforce security – Regulating employees’ access to ePHI. Specifications include:
- Authorization or supervision for access to ePHI (addressable)
- Workforce clearance procedures that verify access (addressable)
- Termination procedures for revoking access, when needed (addressable)
- Information access management – Restricting access to ePHI. Specifications include:
- Isolating healthcare clearinghouse functions from the rest of the organization (required)
- Access authorization for non-workforce entities (addressable)
- Periodic establishment and modification of access (addressable)
- Security awareness and training – Requiring regular monitoring and training across the workforce. Specifications include:
- Periodic reminders or updates on protocols (addressable)
- Guidance on anti-malware best practices (addressable)
- Monitoring of log-ins and reporting of discrepancies (addressable)
- Overall password management (addressable)
- Security incident procedures – Requiring standardized procedures for addressing incidents, including one specification:
- Response, reporting, and mitigation (required)
- Contingency plan – Plotting out a course of action in the event of an accident or attack. Specifications include:
- Method(s) for data backup (required)
- Method(s) for retrieval of backup data (required)
- Protocols for operation during emergency (required)
- Procedures for testing and revision of plan (addressable)
- Analysis of criticality for data and applications (addressable)
- Evaluation – Requiring ongoing, regular evaluation of above standards.
- Business associate contracts – Requiring contractual relationships with business associates, in accordance with standards specified in “organizational and documentation requirements” below. At the administrative level, there is one specification:
- Written contract acknowledging security of ePHI (required)
Taken together, these standards comprise about half of all security rule requirements.
The physical safeguards add requirements that regulate the various physical endpoints used to access PHI. There are four main standards for physical safeguards, along with various specifications, which break down into the following:
- Facility access control – Limiting physical access to systems and facilities housing ePHI to authorized personnel. Specifications include:
- Contingency operations in the event of emergency (addressable)
- Policies to safeguard facilities housing ePHI (addressable)
- Validation requirement for access to facilities housing PHI (addressable)
- Diligent records of all maintenance and repairs (addressable)
- Workstation use – Defining what a workstation is and how it should be used.
- Workstation security – Defining how a workstation must be protected.
- Device and media control – Detailing protocols for receipt, use, and disposal of physical devices used to process ePHI. Specifications include:
- Proper disposal protocols (required)
- Protocols for proper re-use (required)
- Recording all transfer of devices (addressable)
- Back up all ePHI before moving devices (addressable)
Importantly, these standards apply not only to the physical space of the office, but also outside of it to workers’ homes or any other places where they must access ePHI.
The technical safeguards establish basic requirements regarding the technologies and procedures used by a covered entity. These break down into five standards and accompanying specifications:
- Access control – Restricting the ability to read, modify, or otherwise use ePHI. Specifications include:
- Identification system for users (required)
- Procedures for access during emergency (required)
- Automatic logoff after prolonged inactivity (addressable)
- Encryption and decryption of ePHI (addressable)
- Audit controls – Requiring regular self-examination of all systems that process ePHI.
- Integrity – Requiring measures that prevent unauthorized alteration or destruction of ePHI, including one specification:
- Electronic mechanism to verify and/or corroborate integrity (addressable)
- Person or entity authentication – Requiring authentication that users accessing ePHI are in fact who they claim to be, such as through multi-factor authentication (MFA).
- Transmission security – Guarding access during transmission over electronic network(s). Specifications include:
- Integrity verification before, during, and/or after transmission (addressable)
- Encryption of ePHI before and during transmission (addressable)
Given HIPAA’s flexibility and scalability, the technical standards don’t require any one particular product or service. They govern minimum requirements for any technology a company chooses.
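To make the technical safeguards above concrete, here is an added illustration (not code from the original article or from RSI Security) of three of them in one small module: an electronic integrity mechanism for an ePHI record, an audit-log entry for each access, and an automatic-logoff check. The HMAC key, the 15-minute inactivity limit, and the sample patient record are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load it from a key-management system.
INTEGRITY_KEY = b"demo-integrity-key-not-for-production"
# Assumed inactivity limit for the automatic-logoff safeguard (15 minutes).
AUTO_LOGOFF_SECONDS = 15 * 60


def _canonical(record: dict) -> bytes:
    """Serialize a record deterministically so the same content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict) -> dict:
    """Integrity safeguard: attach an HMAC-SHA256 tag computed over the ePHI record."""
    tag = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict) -> bool:
    """Return True only if the record has not been altered since it was sealed."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(expected, sealed["tag"])


def audit_entry(user_id: str, action: str, record_id: str, integrity_ok: bool, ts: int) -> dict:
    """Audit-controls safeguard: one log line per access to ePHI, including the integrity result."""
    return {"ts": ts, "user": user_id, "action": action, "record": record_id, "integrity_ok": integrity_ok}


def session_expired(last_activity_ts: int, now_ts: int, limit: int = AUTO_LOGOFF_SECONDS) -> bool:
    """Automatic-logoff safeguard: the session ends once inactivity reaches the limit."""
    return now_ts - last_activity_ts >= limit


def demo() -> list:
    """Seal a constructed record, tamper with a copy, and log both reads."""
    patient = {"id": "P-0001", "dob": "1970-01-01", "diagnosis": "demo-only"}  # constructed sample
    sealed = seal_record(patient)
    tampered = {"record": dict(sealed["record"], diagnosis="altered"), "tag": sealed["tag"]}
    log = [audit_entry("nurse01", "read", "P-0001", verify_record(sealed), 1000)]
    log.append(audit_entry("nurse01", "read", "P-0001", verify_record(tampered), 1001))
    return log
```

Any entry whose `integrity_ok` is False is exactly the kind of discrepancy the security awareness standard expects the workforce to report.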
Finally, there are four remaining standards spread across organizational policies, procedures, and documentation. These break down as follows:
- Business associate contracts or other arrangements – Requiring adherence to security rule criteria for business associates entering into contract with covered entities. Specifications include:
- Contracts specifying controls for business associates (required)
- Alternative binding agreements for special institutions (required)
- Requirements for group health plans – Requiring plan sponsors to sufficiently protect ePHI generated, hosted, and/or processed. One specification is required:
- Implement safeguards detailed above, as well as privacy rule requirements (see below), and report on any incident that compromises ePHI
- Policies and procedures – Codifying the “flexibility” mentioned above; requiring the establishment of procedures to implement safeguards while allowing room for changes.
- Documentation – Requiring written records of all matters related to implementation of the security rule. Specifications include:
- Retention of records for 6 years from the date of creation or last use (required)
- Make documentation available to authorized personnel (required)
- Regular review and updates of all records (required)
Across all these standards, the security rule can be challenging to follow. This difficulty compounds with the fact that HIPAA also entails three other rules.
Other HIPAA Rules, Explained
The HIPAA security rule works in conjunction with the other HIPAA rules to offer complete, comprehensive security standards across the healthcare industry. While the security rule safeguards ePHI, the other rules broaden the scope of protection to include all PHI and data breaches, as well as specific enforcement protocols:
- HIPAA Privacy Rule – The original HIPAA rule establishes PHI as a protected class of information, limiting the conditions for use and disclosure thereof. It also establishes requirements for access to PHI for patients themselves and governmental agencies.
- Disclosure is also restricted to parameters including the “minimum necessary” standard.
- Patients are also entitled to accurate accounting of disclosure history of their PHI.
- HIPAA Enforcement Rule – The enforcement rule specifies the formal enforcement process, including investigation by HHS’s Office for Civil Rights (OCR) and the US Department of Justice (DOJ) in the event of a suspected violation.
- Noncompliance and other violations are subject to civil money penalties
- The most serious violations are also subject to criminal penalties
- HIPAA Breach Notification Rule – Also known as HITECH, this rule requires covered entities to promptly notify HHS and impacted individuals in the event of a data breach.
- For breaches impacting 500 people or more, notification is required as soon as possible, and within no more than 60 days in all cases.
- For breaches impacting 500 or fewer people, notification is required within 60 days of the end of the calendar year (in which the breach occurred).
The various rules and requirements spread across all of HIPAA’s rules make compliance a challenge for healthcare and health-adjacent companies of all sizes. This is especially true for small to medium-sized businesses with relatively fewer resources dedicated to IT.
HIPAA Compliance, Across All Rules
The best way for many companies to ensure compliance with not only the security rule, but all of HIPAA, is to bring in professional help. To that effect, RSI Security offers comprehensive HIPAA compliance services to help you through every step of the process. We’re fully accredited Advisors and Assessors who can prepare you for compliance and certify you once you’re ready.
We’ll begin with an intake and consultation, gauging where you are in your journey toward compliance. Then, we will work with you to set up controls tailored to each of the rules detailed above, integrating them throughout your whole system and cybersecurity architecture. Compliance isn’t a one-time ordeal; you need to be set up for long-term security.
Professional Compliance and Cybersecurity
RSI Security isn’t just your best option when it comes to HIPAA compliance—our team of experts offers robust compliance advisory services for any protocol you’re required to follow. From HITRUST CSF to PCI DSS and everything in between, we’ve got you covered.
Plus, we know that compliance is far from the end of cybersecurity; it’s just the beginning. Keeping your company safe means going above and beyond the basic legal requirements. That’s why we offer a variety of managed security and IT solutions, including but not limited to:
- Proactive web filtering
- Detection and response
- Architecture implementation
- Cybersecurity technical writing
- Identity and access management
We’ve provided cyberdefense guidance to companies of all sizes and across all industries for over a decade. Contact RSI Security today for assistance with the HIPAA security rule and all other cybersecurity solutions your company needs to keep you and your stakeholders safe.