The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton on August 21, 1996. With it, the federal government set out specific legislation designed to change the US healthcare system permanently. The new rules handed control back to patients over how their personal information is processed and maintained, while also encouraging healthcare institutions to embrace and migrate to digital technology.
The two key objectives of the new legislation were to enable Americans to keep their existing health insurance when moving between jobs, and to introduce enforceable privacy controls over protected health information (PHI).
The first objective was a clear-cut goal that was achieved almost overnight, and it is where the “Portability” aspect of HIPAA took effect. This part of HIPAA is rarely mentioned these days, simply because the goal was met immediately.
The second objective, the “Accountability” portion of HIPAA, is what most professionals are primarily concerned with. It was created to maintain the privacy and security safeguards for US citizens’ protected health information.
Passed during the first dotcom Internet boom, the “Accountability” portion also sets certain mandates and standards for the electronic submission and transmission of financial data relating to patient health information.
In April 2003, Title II of HIPAA directed the US Department of Health and Human Services (HHS) to develop a series of guidelines and standards to safeguard patient health data. To make these guidelines and standards clear and effective, HHS developed two additional rules, known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The HIPAA Security Rule:
The full title of the HIPAA Security Rule is “Security Standards for the Protection of Electronic Protected Health Information”. As the title suggests, the rule was created to define the exact stipulations required to safeguard electronic protected health information (ePHI), specifically how that information is stored and transmitted between digital devices.
The HIPAA Privacy Rule:
The full name of the Privacy Rule is the “Standards for Privacy of Individually Identifiable Health Information.” Our main focus in this article is the Security Rule, but it is worth noting that, as the Privacy Rule’s title indicates, data must be traceable to a specific person in order to require protection. That wording gives anyone who wants to study health and medical trends the legal room to do so, provided personally identifiable information is removed before the data is transmitted.
It can be confusing to differentiate between these rules, mainly because they sound quite similar. Isn’t security a way to maintain privacy, after all? That is in fact a correct understanding of HIPAA security compliance: according to HHS’s own description, the HIPAA Security Rule “operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called ‘covered entities’ must put in place to secure individuals’ electronic protected health information (ePHI)”.
So, in actuality, the Security Rule is designed to complement the Privacy Rule in its entirety.
What are the Three Standards of the HIPAA Security Rule?
Three main standards are assessed when implementing the required measures of the HIPAA Security Rule:
- Physical Safeguards for PHI
- Technical Safeguards for PHI
- Administrative Safeguards for PHI
Physical Safeguards for PHI
The physical safeguards cover how real-world physical controls are applied to the digital devices that store and handle ePHI.
Some of the key areas for consideration are:
- How old or faulty equipment is retired and replaced, for example how media containing ePHI is destroyed
- What personnel access levels are granted to in-scope systems containing ePHI, ensuring that access is only granted to employees with a relevant level of authorization
- How third-party IT professionals are trained before they access in-scope equipment for repairs
Technical Safeguards for PHI
The technical safeguards of the Security Rule are more easily defined and include the technical aspects of any networked computers or devices that communicate with each other and carry PHI in their transmissions.
These safeguards include enhanced network security, perimeter firewalls, authentication protocols, and more. Any security measure that can be implemented in system software or hardware belongs to the technical safeguards category of the Security Rule.
Administrative Safeguards for PHI
The final standard, administrative safeguards, covers how organizations must set up their employee policies and procedures to comply with the Security Rule. Think of it as a separate, dedicated portion of employee training, for both management and labor, that defines who gets access and what they can and cannot do once access is granted.
Complying with the HIPAA Security Rule
Working your way through federal legislation, as with many laws and bills, can be an exceedingly lengthy, complex, and dense process. Reading the entire Health Insurance Portability and Accountability Act front to back would be a significant challenge in itself, and absorbing and understanding it in its entirety even more so.
We have prepared a checklist to help you understand how to comply with the HIPAA Security Rule. Although this checklist should not be considered comprehensive, it will help to organize your position on the various safeguards.
Take the time to go over this HIPAA Security Rule Checklist in full and be sure to involve all parties with knowledge of each area before checking off the boxes.
HIPAA Security Rule Checklist
HIPAA Security Series
HHS has produced seven educational papers designed to teach entities how to comply with the Security Rule. Here’s an overview of the papers.
- Security 101 for Covered Entities
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Security Standards: Organizational, Policies and Procedures and Documentation Requirements
- Basics of Risk Analysis and Risk Management
- Security Standards: Implementation for the Small Provider
1) Security 101 for Covered Entities
The main rules you need to familiarize yourself with are the following:
- Privacy Rule
- Electronic Transactions and Code Sets Rule
- National identifier requirements for employers, providers and health plans
- Security Rule
The tricky bit is that not all the above rules are relevant to all entities.
So long as you are a HIPAA covered entity, you must comply with the Security Rule. You are a HIPAA covered entity if you are one of the following:
- Covered Health Care Provider
- Health Plans
- Health Care Clearinghouses
- Medicare Prescription Drug Card Sponsors
In order to ensure you’re complying with the security rule, take this step-by-step approach:
- Assess your current security, taking special note of any risks and gaps.
- Develop a plan to implement measures to eliminate the risks and gaps. To do this, you need to read the Security Rule, evaluate the details pertaining to the proposed implementation and then decide on the security measures to take.
- Once your plan is in place, implement the solutions.
- Document all decisions, as well as analysis and the rationale behind the decisions.
- Periodically review and, if necessary, update the security measures. Don’t forget to document any changes and the reasons behind them.
2) Administrative Safeguards
The administrative safeguards make up more than half of the HIPAA Security Rule requirements, so they are worth paying attention to.
When evaluating your current security measures, you will need to ensure you meet the required standard in the following areas:
- Security Management Process – This refers to your organization’s policies and procedures pertaining to security violations. It encompasses not just preventive measures but also your procedures for detecting, dealing with and containing violations.
- Assigned Security Responsibility – This refers to the person or people appointed to develop and implement the measures and policies designed to enable you to comply with the Security Rule.
- Workforce Security – This refers to the policies and measures you’ve put in place to ensure that all members of your staff can access electronic protected health information in an appropriate manner. For those who are not meant to be granted access to electronic protected health information, your policies and measures should be designed to prevent them from doing so.
- Information Access Management – This refers to how you authorize access to any electronic protected health information, and more specifically to how you restrict access to those who need it.
- Security Awareness and Training – This refers to security training programs put in place for those working in your organization, including those in management.
- Security Incident Procedures – This refers to the policies and procedures you have put in place to deal with any security incidents.
- Contingency Plan – This refers to your procedures for dealing with emergencies or other unexpected occurrences that might damage any of the systems that hold electronic protected health information.
- Evaluation – Your security plans and procedures need to be monitored and evaluated periodically to ensure they are adequate.
- Business Associate Contracts and Other Arrangements – This pertains to instances where a business associate is permitted to create, receive, maintain or transmit electronic protected health information on your behalf. This should be permitted only after you have obtained satisfactory assurances that the information will be safeguarded appropriately by the business associate.
3) Physical Safeguards
Here are the elements that need to be up to standard when it comes to the physical safeguards put in place to protect electronic protected health information.
- Facility Access Controls – Physical access to electronic information systems should be limited, as should the facilities in which such information is stored. Any access must be properly authorized and should be regularly audited.
- Workstation Use – Workstations typically include electronic computing devices like desktops or laptops, but the definition can also be extended to devices like smartphones and tablets that can function similarly and store electronic media. Your policies and measures should also detail how and what these devices can be used for, as well as specify the environment surrounding these workstations.
- Workstation Security – Workstations should be protected by adequate physical safeguards that restrict access to electronic protected health information to authorized users.
- Device and Media Controls – This refers to how you control the receipt, removal and movement of any hardware or electronic media that might hold electronic protected health information into, out of and within a facility.
4) Technical Safeguards
Technical safeguards need to be reviewed regularly, as technological advances bring new security issues.
The following areas must be reviewed to ensure they meet the required standards.
- Access Control – Access to systems containing electronic protected health information should be adequately restricted only to those people or software programs with access rights.
- Audit Controls – You will have to put in place mechanisms that can record and monitor any information systems activity that uses or stores electronic protected health information, whether through hardware, software or some other mechanism.
- Integrity – Electronic protected health information must be protected from being improperly altered or destroyed.
- Person or Entity Authentication – This refers to measures put in place in order to verify the true identity of any persons or entities hoping to gain access to electronic protected health information.
- Transmission Security – This refers to how you prevent unauthorized access when electronic protected health information is transmitted electronically.
5) Security Standards: Organizational, Policies and Procedures and Documentation Requirements
This installment of the Security Series maps out the standards that must be upheld when dealing with business documentation and more.
Here are the areas where the relevant standards must be upheld.
- Requirements for Group Health Plans – All documentation provided by group health plans must be designed to ensure that electronic protected health information is safeguarded when created, received, maintained or transmitted.
- Policies and Procedures – This refers to all the policies and procedures put in place by an organization, and which must comply with all the relevant standards, rules, specifications or requirements.
- Documentation – This refers to all written or electronic documentation. Where any action, assessment or activity needs to be documented, records must be appropriately maintained.
6) Basics of Risk Analysis and Risk Management
Complying with the rules requires the undertaking of proper risk analysis and risk management.
The rules state that covered entities should:
- Implement policies and procedures to prevent, detect, contain and correct security violations.
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the General Requirements of the Security Rule.
7) Security Standards: Implementation for the Small Provider
The final paper sets out a brief overview for small providers. Here is the gist of it:
- Whenever the rules indicate a required implementation specification, all covered entities, including small providers, must comply. For instance, Section 164.308(a)(1) of the Security Rule requires that a risk analysis be carried out. This applies no matter how small a provider you are.
- Where an implementation specification is marked “addressable”, you must assess whether this is reasonable and appropriate given your environment. If it is deemed reasonable and appropriate, you must then implement it or an equivalent alternative.
- When determining whether a measure is reasonable and appropriate, consider factors such as cost, size, resources and technical infrastructure. Do note, however, that cost alone may not free you from having to implement an appropriate measure.
Get Help with the HIPAA Security Rule
You’re reading this now after one of two outcomes – you either read it in full, or you skipped down to the bottom. If you’re in the latter camp, it’s probably because the list above is lengthy and quite a bit daunting.
Well, there’s a reason for that: it’s supposed to be. The requirements set forth by HIPAA and enforced by HHS are supposed to be stringent; the entire efficacy of the law depends on them being that way.
Trying to take this entire HIPAA Security Rule Checklist on all by yourself is a painful proposition – not only is it a lot of work and responsibility, but without help it may take an exceedingly long time to move all of the boxes into the “Finished” category.
As with any organization, the fact is that you have enough to worry about with your human environment. Not only must you select the right employees at the right positions, but you must then train them correctly (the “Administrative” portion of the Security Rule discussed above) and determine who can access what (the “Physical” safeguards, also discussed above). That alone is plenty to concern yourself with – adding on having to deal with the HIT requirements of every new system piece by piece would be enough to send you over the edge.
Thankfully, you’re not alone, and Atlantic.Net can help. The Health Information Technology for Economic and Clinical Health Act, or HITECH Act, of 2009, was an effort to move the country toward getting health records stored electronically. Health care organizations weren’t required or even expected to undertake this without outside assistance.
Under the HITECH Act, the business associates you do enlist the assistance of are usually directly liable for the Privacy and Security Rules.
And while that is a relief to many organizations, you still must do your due diligence in enlisting the help of only those business associates who themselves adhere to the stringent rules and regulations set forth by HIPAA.
Atlantic.net prides itself on doing just that, regularly and reliably for all of our clients. Selecting Atlantic.net for any HIPAA-Compliant Hosting related needs ensures that you can spend your time and energy worrying about other aspects of HIPAA compliance, and leaving the Technical and Physical safeguards for HIPAA and security (listed above) to us. Get in touch with us today and find out how our team of HIPAA-compliant hosting specialists can make your life easier with any of our Cloud Hosting Solutions.
This article was updated with the most recent information on May 20, 2020.
By Moazzam Adnan