HIPAA Security

 The HIPAA Security Rule plays a crucial role in safeguarding patients’ electronically stored protected health information (ePHI). Here’s a bit more detail on how the Security Rule works and the importance of conducting a risk analysis:

  1. Administrative Safeguards: These include policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect ePHI. Examples include security management processes, workforce training, and access controls.
  2. Physical Safeguards: These measures are put in place to protect the physical access to ePHI, such as facility access controls, workstation security, and device and media controls.
  3. Technical Safeguards: Technical measures involve the technology and the policies and procedures for its use, aimed at protecting ePHI and controlling access to it. Examples include access controls, audit controls, encryption, and transmission security.

The Security Rule requires covered entities to conduct a risk analysis as part of their security management processes. A risk analysis helps organizations identify potential risks and vulnerabilities to ePHI and implement measures to mitigate those risks effectively. The risk analysis process typically involves:

  1. Identifying Potential Risks: This involves identifying all potential threats to the confidentiality, integrity, and availability of ePHI. It includes assessing both internal and external risks.
  2. Assessing Current Security Measures: Organizations need to evaluate the effectiveness of current security measures in place to protect ePHI.
  3. Determining the Likelihood and Impact of Threats: This step involves analyzing the likelihood of each identified threat occurring and the potential impact on the confidentiality, integrity, and availability of ePHI.
  4. Implementing Safeguards: Based on the findings of the risk analysis, organizations should implement appropriate safeguards to mitigate identified risks effectively.
  5. Periodic Review and Updates: Risk analysis is not a one-time process; it should be periodically reviewed and updated to address changes in the organization’s environment, technology, and potential risks.

By conducting a thorough risk analysis and implementing appropriate safeguards, covered entities can ensure compliance with the HIPAA Security Rule and better protect patients’ ePHI from unauthorized access, use, or disclosure.

All covered entities must assess their security risks, even those that use certified electronic health record (EHR) technology. Those entities must put in place administrative, physical and technical safeguards to maintain compliance with the Security Rule and document every security compliance measure.

Administrative safeguards

HIPAA defines administrative safeguards as, “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” (45 C.F.R. § 164.304).

These are, as the definition says, the policies and procedures that set out what the covered entity does to protect its ePHI. Rather than physical safeguards or technical requirements, these requirements cover training and procedures for the entity’s workforce, whether or not its members have direct access to ePHI.

Physical safeguards

Physical safeguards govern access both to the physical structures of a covered entity and to its electronic equipment (45 CFR § 164.310). ePHI and the computer systems on which it resides must be protected from unauthorized access, in accordance with defined policies and procedures. Some of these requirements can be met with electronic security systems, but physicians should not rely on the use of certified electronic health record technology (CEHRT) to satisfy their Security Rule compliance obligations.

Technical safeguards

Technical safeguards encompass the technology, as well as the policies and procedures for its use, that protect ePHI and control access to it (45 CFR § 164.312). They are often the most difficult of the regulations to comprehend and implement.

A flexible approach

The Security Rule incorporates the concepts of scalability, flexibility and generalization. In other words, the regulations do not expect the same security precautions from small or rural providers as are demanded of large covered entities with significant resources. Security is recognized as an evolving target, so HIPAA’s security requirements are not tied to specific technologies or products. HHS has stated that it is focused more on what needs to be done and less on how it should be accomplished.

The security regulations are organized as a three-tiered system of requirements. First, there is a series of standards: legal requirements that all entities are expected to meet. Second, a standard may have implementation specifications that give more detailed instructions on how to comply with it. Third, each implementation specification is designated as either required or addressable.

In an effort to make the Security Rule flexible enough to apply to covered entities of all sizes, some implementation specifications are required, while others are only addressable. Required implementation specifications must be implemented by all covered entities. Addressable implementation specifications require a covered entity to assess whether the specification is a reasonable and appropriate safeguard in the entity’s environment.

If the specification is reasonable and appropriate, the covered entity must implement it. If a covered entity determines that an addressable implementation specification is not reasonable and appropriate, it must document its assessment and the basis for its decision, and implement an equivalent alternative mechanism that meets the standard the specification addresses (or document why the standard is met without one).

Risk assessment

To comply with the Security Rule’s implementation specifications, covered entities are required to conduct a risk assessment to determine the threats or hazards to the security of ePHI, and to implement measures that protect against those threats and against uses and disclosures of information that are not permitted by the Privacy Rule.

A risk assessment should be tailored to the covered entity’s circumstances and environment, taking into account the following:

  1. The size, complexity and capabilities of the covered entity
  2. The covered entity’s technical infrastructure, hardware and software security capabilities
  3. The probability and criticality of potential risks to ePHI
  4. The costs of security measures

Note, however, that HHS has made it clear that cost alone is not a sufficient basis for declining to adopt a standard or an addressable implementation specification. Fortunately, the rules are not prescriptive, and a number of approaches can achieve compliance. To assist physicians with the risk-assessment process, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR), together with the Office of the National Coordinator for Health Information Technology (ONC), has developed a downloadable “Security Risk Assessment Tool.”

Required documentation

Behind every security compliance measure is a documentation requirement. Practically every facet of HIPAA compliance requires that policies and procedures be created and implemented. These documents must be retained for at least six years (state requirements may mandate longer retention periods).

Policies may be changed at any time, so long as the accompanying documentation is also updated. The regulations require periodic review of policies and responses to changes in the ePHI environment.

Related resources:

AMA Education Center: HIPAA security rule compliance through effective risk assessment
Guide to Privacy and Security of Health Information (PDF)
Health information technology
HIPAA privacy and security toolkit: Helping your practice meet compliance requirements (PDF)
HIPAA security rule: FAQs regarding encryption of personal health information (PDF)

This resource is provided for informational and reference purposes only and should not be construed as legal advice.
