HIPAA (Health Insurance Portability and Accountability Act) is a 1996 federal law that seeks to protect the medical information of patients. To achieve this, it lays down certain compliance requirements for covered entities. In the context of HIPAA, covered entities are organizations on which HIPAA is applicable. Under Title II of this act, the US Department of Health and Human Services (HHS) is responsible for developing regulations and standards for protecting the privacy and security of health information.
Over the years, HHS has published many rules and regulations out of which, two are the most popular: HIPAA Security Rule and HIPAA Privacy Rule. The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes national standards for protecting health information. On the other hand, the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) prescribes a national set of standards for protecting electronically protected health information (ePHI).
What is the goal of the HIPAA Security Rule?
A primary objective of the HIPAA Security Rule is to maintain a balance between individual privacy and new technologies. It seeks to protect the privacy of individuals, while at the same time, allow healthcare providers to embrace new technologies. Unlike other standards and rules, this rule is flexible in nature and allows covered entities to implement policies, procedures, and technologies based on their size, structure, and risks.
Applicability of HIPAA Security Rule
HIPAA Security Rule covers health plans, healthcare clearinghouses, and any healthcare service provider who transmits PHI in electronic form. It also applies to business associates of such service providers. The HITECH Act, in 2009, extended the applicability of HIPAA Security Rule to cover business associates.
What information does HIPAA Security Rule protect?
HIPAA Privacy Rule focuses on the protection of individually identifiable health information called protected health information (PHI). HIPAA Security Rule, on the other hand, protects a subset of this information that a covered entity creates, receives, transmits, or maintains in electronic form. This information is referred to as “electronic protected health information” or ePHI.
What does the HIPAA Security Rule say?
HIPAA Security Rule specifies that a covered entity must implement and maintain appropriate and reasonable technical, administrative, and physical safeguards to protect ePHI available with them. The general rules for covered entities require that:
- A covered entity shall ensure the confidentiality, integrity, and availability of ePHI they create, receive, transmit, or maintain.
- A covered entity shall identify and protect against reasonably anticipated threats against the integrity or security of ePHI.
- A covered entity shall protect ePHI against impermissible or reasonably anticipated uses or disclosures.
- A covered entity shall ensure compliance by its workforce.
Security measures prescribed by HIPAA Security Rule
HHS has recognized that covered entities under HIPAA range from small to multi-state service providers. Hence, this rule allows covered entities to perform self-analysis and implement security measures specific to their environment. HIPAA Security Rule specifies the following considerations for selecting security measures:
- Security Management Process: A covered entity shall identify and analyze potential risks to ePHI stored with them. Based on the outcomes of risk assessment, security measures should be implemented. Risk analysis must be a continuous process where a covered entity performs periodical reviews of potential risks and the efficiency of their security measures.
- Security Personnel: A covered entity shall designate an individual responsible for the development and implementation of security policies and procedures.
- Information Access Management: A covered entity shall implement role-based access to minimize authorized access to ePHI.
- Workforce Training and Management: A covered entity shall provide training to its staff members who work with ePHI. This training must cover their policies and procedures, along with obligations under the HIPAA Act.
- Evaluation: A covered entity shall perform regular assessments of their compliance with the Security Rule.
- Facility Access and Control: A covered entity shall limit physical access to their physical facility.
- Workstation and Device Security: A covered entity shall implement policies and procedures concerning the acceptable use of computer systems and electronic media. These policies and procedures should also cover the removal, disposal, transfer, and re-use of electronic media.
- Access Control: A covered entity shall implement technical measures to limit access to ePHI to authorized personnel.
- Audit Controls: A covered entity shall implement procedural, hardware, and software measures for recording access and other activities associated with ePHI.
- Integrity Controls: A covered entity shall ensure that ePHI is not altered without authorization or destroyed.
- Transmission Security: A covered entity shall implement technical measures to prevent unauthorized access to ePHI during transmission.
If an organization is dealing with healthcare data or is a business associate, HIPAA compliance becomes mandatory. While there is no official certificate program to demonstrate HIPAA compliance, many cybersecurity companies offer credentials and recognition that an organization’s security practices are in line with HIPAA Security Rule requirements. Get in touch with our security experts today to understand how we help organizations in demonstrating HIPAA compliance.