
Episode 37: Know The Rules! What are HIPAA Security Standards Anyway?

In this week’s “Know The Rules!”, I am providing an overview of the HIPAA Security Standards.

Identity theft, lost and/or stolen computer disks, insider threats, hackers, and other preventable losses of information are just a few of the hazards facing Covered Entities (CEs) and Business Associates (BAs) that create, receive, maintain, and transmit electronic protected health information (ePHI).

Every day providers face major problems if their patients’ sensitive information is stolen, misused, or unavailable. The ePHI they hold is critical to their business and vital to the care of their patients.

The HIPAA Security Standards provide a structure for CEs and BAs to develop and implement policies and procedures to guard against and react to security incidents. The Security Rule provides a flexible, scalable and technology neutral framework to allow all CEs to comply in a manner that is consistent with the unique circumstances of their size and environment.

The Security Rule is divided into five main sections – each representing a set of standards and implementation specifications that must be addressed by all CEs and BAs.

  1. Administrative Safeguards
  2. Physical Safeguards
  3. Technical Safeguards
  4. Organizational Requirements
  5. Policies and Procedures and Documentation Requirements

Each Security Rule standard is a requirement: all CEs and BAs must comply with all of the standards of the Security Rule with respect to the ePHI they create, receive, maintain, store, and/or transmit.

Many of the standards contain implementation specifications.

An implementation specification is a more detailed description of the method or approach CEs and BAs can use to meet a particular standard. Implementation specifications are either required or addressable.

Regardless of whether a standard includes one or more implementation specifications, all CEs and BAs must comply with each standard.

Administrative Safeguards – 45 CFR § 164.308

The Administrative Safeguards comprise over half of the HIPAA Security Rule. They establish a national set of minimum security standards for protecting all ePHI that CEs and BAs create, receive, maintain, store, and/or transmit.

The HIPAA Security Rule defines Administrative Safeguards as:

“Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the CE’s or BA’s workforce in relation to the protection of that information.”

The Security Rule contains several types of safeguards and requirements which CEs and BAs must put in place to secure ePHI. The Administrative Safeguards are generally identified as the administrative actions, policies, and procedures used to prevent, detect, contain, and correct security violations.

Administrative Safeguards also involve the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information.

In general, these are the administrative functions that should be implemented to meet the security standards. These include security management processes, assignment or delegation of security responsibilities to an individual, and workforce security training requirements.

Physical Safeguards – 45 CFR § 164.310

As with all the standards in the HIPAA Security Rule, compliance with the Physical Safeguards standards requires CEs and BAs to perform an evaluation of their security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to each organization.

The HIPAA Security Rule defines Physical Safeguards as:

“Physical measures, policies, and procedures to protect a CE’s and BA’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

When evaluating and implementing these standards, CEs and BAs must consider all physical access to ePHI. This may extend outside of the actual office(s), and could include workforce members’ homes or other physical locations where they are able to access ePHI (e.g., via mobile devices).

In general, these are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards, and unauthorized intrusion. They also include restricting access to ePHI and retaining off-site computer backups.

Technical Safeguards – 45 CFR § 164.304

Technical Safeguards are increasingly important due to advancements in the technology used in healthcare. As technology improves, new security challenges emerge. Healthcare organizations are faced with the challenge of protecting ePHI from various internal and external risks and threats. To reduce these risks, CEs and BAs must implement Technical Safeguards.

The Security Rule defines Technical Safeguards as:

“The technology and the policy and procedures for its use that protect ePHI and control access to it.”

Organizational Requirements – 45 CFR § 164.314

As with all the standards in the HIPAA Security Rule, compliance with the Organizational Requirements standards requires CEs, and under certain circumstances BAs, to have signed Business Associate Agreement (BAA) contract(s) or other arrangements before granting access to ePHI. The standards provide the specific criteria required for written contracts or other arrangements.

Policies and Procedures and Documentation Requirements – 45 CFR § 164.316

The Policies and Procedures Standard requires CEs and BAs to implement and maintain reasonable and appropriate written policies and procedures and documentation necessary to comply with the provisions of the Security Rule. Specifically, it requires CEs and BAs to:

“Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach].

This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. CEs and BAs may change their policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.”

The Policies and Procedures standard is further explained and supported by the Documentation standard.


The Documentation Standard requires CEs and BAs to:

“(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

A CE must maintain, for a period of six years after the date of their creation or last effective date (whichever is later), written security policies and procedures and written records of required actions, activities, or assessments. A CE must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI.

Information Security is a Necessity in Today’s World.

In summary, preventing unauthorized use of PHI must be the goal of every member of the healthcare community. The Security Rule allows CEs and BAs, including small providers, to implement reasonable and appropriate measures that enable them to comply with the Rule.

The standards were designed to be scalable, flexible, and technology neutral to allow CEs and BAs to comply in a manner consistent with the complexity of their particular operations and circumstances. The rule does not prescribe the use of any specific technologies, so the healthcare community will not be bound to specific systems and/or software that may become obsolete.

Health & Human Services (HHS) recognizes the security needs of CEs and BAs can vary significantly. This flexibility enables each healthcare organization to select technologies that best meet their specific needs and also comply with the standards.

Note: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as CEs’ and BAs’ organizations and technologies change.

Covered Entities and Business Associates need to understand this: your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?



For tips like this and more request your copy of “HIPAA Security Rule – Know The Rules!” Newsletter Today.
