The HIPAA Security Rule is the set of regulations, issued under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, that governs how electronic protected health information (ePHI) must be safeguarded.
It is the companion to the HIPAA Privacy Rule, which governs how PHI may be used and disclosed. Both the Privacy Rule and the Security Rule are enforced by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS).
Unlike the Privacy Rule, however, the Security Rule applies only to electronic protected health information. Paper records still have to be safeguarded (the Privacy Rule requires appropriate safeguards for PHI in any form), but they are not subject to the Security Rule's requirements.
Every covered entity and business associate must designate a security official to oversee its compliance with the Security Rule. This official is responsible for documenting the policies and procedures that support the safeguards and for overseeing their implementation.
Who Enforces The HIPAA Security Rule?
Enforcement of the HIPAA Security Rule is uneven, and can occur through one of three channels. OCR runs a periodic audit program, but the number of audits is small and the odds of any one organization being selected are minuscule.
OCR will also investigate a patient complaint if it is specific and substantial enough. (Like any public-facing function, OCR gets its share of cranks.) The most common route to enforcement of the Security Rule, however, is a breach of PHI.
Every breach of unsecured PHI, regardless of size, must be reported to HHS: breaches affecting 500 or more individuals within 60 days of discovery, smaller ones in an annual report. Large breaches typically trigger an OCR investigation. This is a long and unpleasant process, during which the organization is inspected thoroughly and its current state is compared against the full rigor of the Security and Privacy Rules.
The headline-grabbing news of "millions in fines" typically results from this sort of investigation, where an organization has not only lost ePHI but has made no serious attempt to comply with the Security Rule. A common finding cited in these investigations is that the organization "failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI", which is the language of the risk analysis requirement itself.
HIPAA Security Rule Requirements
The Security Rule requires covered entities and business associates to implement specific administrative, physical, and technical safeguards. The first, and probably the most important, is a security risk analysis.
Conduct a Security Risk Analysis
The organization must analyze the risks to its electronic protected health information (ePHI): the threats to it, the vulnerabilities those threats could exploit, and the likelihood and impact of a loss of confidentiality, integrity, or availability. The risks identified must then be managed, through security measures, down to a "reasonable and appropriate" level, and the analysis must be kept up to date as the environment changes.
This risk analysis requirement is how the Security Rule stays current with rapidly changing health information technology. HIPAA was passed in 1996, a lifetime ago in technology terms. Rather than re-legislate every few years to add new safeguards, the writers of the rule chose this catch-all, which places the burden of keeping current on the covered entities and business associates themselves.
What Exactly is “Reasonable & Appropriate” Defined As?
The phrase sounds vague, but it is less burdensome than it appears, because "reasonable and appropriate" means different things to different organizations. What is "reasonable and appropriate" for a giant like Walmart is not "reasonable and appropriate" for a single-physician practice. The Security Rule itself says the decision should take into account the size, complexity, and capabilities of the organization, its technical infrastructure and the security capabilities of its hardware and software, the cost of security measures, and the probability and criticality of the risks to ePHI.
Password strength is one example. The Security Rule lists password management as an addressable specification but does not say how complex a password must be or how often it must be changed; each organization must decide on a reasonable and appropriate setting for itself, and document the reasoning.
HIPAA Security Rule Safeguards
The text of the Security Rule spells out 54 specific safeguards, organized in three groups: administrative safeguards, physical safeguards, and technical safeguards.
Administrative safeguards include the security risk analysis and risk management plan discussed above. Others include a sanction policy for workforce members who violate security policies, assigning a security officer, information access management procedures, workforce security training, and a contingency plan covering backup, disaster recovery, and emergency-mode operation.
Physical safeguards include securing the areas where ePHI is used and stored, and controlling physical access with proximity badges or keys. Alarms, cameras, workstation placement, and secure disposal of hard drives and other media are also physical safeguards.
Technical safeguards are what most people probably think of when they hear "HIPAA security". Examples include unique user IDs and passwords, automatic logoff (screen locking), audit logs, and encryption of data both at rest on a hard drive and in transit across the internet.
Some of these safeguards are labeled Required and some Addressable. A Required safeguard must be implemented, though of course in a "reasonable and appropriate" fashion as discussed above. Addressable does not mean "optional", however.
For an addressable safeguard the organization must assess whether it is reasonable and appropriate in its environment. If it is, the organization implements it. If it is not, the organization must document why, and implement an equivalent alternative measure if that is reasonable and appropriate. In either case the written documentation should record the factors considered and the results of the risk assessment on which the decision was based.
HIPAA Privacy and the Security Rule
The Privacy Rule and the Security Rule are two of the three Rules (the third being the Breach Notification Rule) collectively referred to as "HIPAA". Both require a designated official to document and implement policies.
Both state goals and principles to achieve rather than step-by-step specifics to follow. Both apply only to protected health information, though the Security Rule applies to it only in electronic form. Both tend to be enforced after the fact, when something bad has happened, rather than beforehand. And both tend to be viewed through a "technology-first" lens, when in our experience people and process matter at least as much.
Main Differences Between the Privacy & Security Rule
Perhaps the main difference between the two is the notion of "reasonable and appropriate". The Privacy Rule offers no equivocation and no alternatives: where it permits or prohibits a use or disclosure of protected health information, no circumstances change that.
The Security Rule, in contrast, allows alternative ways of meeting its requirements. In theory, for example, a password might not be needed to access ePHI if a "reasonable and appropriate" alternative were in place. We have seen this done by placing the system behind a locked door in an area that is always staffed and covered by video cameras. Note that the Security Rule's person or entity authentication standard and its unique user identification requirement still apply, so any such alternative must still let the organization identify who accessed ePHI and attribute actions to that individual.
Such alternatives should never be the first resort, and must be carefully considered and thoroughly documented, but they are possible and they have been done. The Privacy Rule allows no such alternatives: the use of protected health information is far more tightly restricted than the means of securing it.
Ensuring You Comply with the HIPAA Security Rule
Want to make sure your organization is in full HIPAA compliance? Contact Techumen today.