In our first HIPAA article, we offered a little history on the Health Insurance Portability and Accountability Act and a general overview of how the Privacy and Security Rules evolved from it. In this post, we’re going deep into the murky depths of the Security Rule from a business standpoint.
HIPAA’s Security Rule may seem daunting at first, especially if you’re not an IT expert, but you don’t need a degree in computer science to understand the standards it establishes. At its core, the HIPAA Security Rule is about knowing what data you have, assessing the people and technology handling it, and finding where problems could arise. Survey, assess, plan, implement, and—most importantly—repeat. This is an easy way to think about and manage the requirements laid out in the Security Rule.
What Is the Security Rule?
The Security Rule sets the standards that entities creating, using, or transmitting electronic protected health information (ePHI) must implement in order to “ensure the confidentiality, integrity, and availability of ePHI . . . protect against any reasonably anticipated threats and hazards . . . [and] protect against reasonably anticipated uses or disclosures of such information not permitted by the Privacy Rule” (NIST). If you can imagine it happening to you, then you have to protect against it.
Confidentiality, Integrity, and Availability
The Security Rule uses this phrase throughout. It’s a key tenet of its purpose, but what exactly does it mean to ePHI?
- Confidentiality: Don’t allow anyone without proper permission to access ePHI, as described in the Privacy Rule, to see it.
- Integrity: Ensure that the ePHI created, maintained, or transmitted isn’t altered in any way.
- Availability: Ensure those with permission are able to access ePHI when they need it.
A quick way to think of these are “Don’t Show. Don’t Change. Can Use.” Keep these goals in mind when implementing the standards set forth in the Security Rule.
Understanding the Security Standards
The Security Rule consists of 18 security standards divided into three sections: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Some of those security standards contain implementation specifications (36 in total), which provide more detailed instructions on what needs to happen to fulfill the security standard. The Security Rule designates these implementation specifications as either required or addressable.
Important! Do not confuse addressable with optional. All implementation specifications must be handled, but those marked as addressable may not be suitable for all businesses managing ePHI. Each business must assess its own situation to determine whether an addressable implementation specification is reasonable and appropriate. Once assessed, the business has to ask themselves:
- Is the specification reasonable and appropriate? Implement.
- Is the specification not reasonable or appropriate? Implement an alternate solution that would be.
- Are there no reasonable and appropriate ways to implement the specification? Do not implement.
All assessments and justifications for not implementing a specification as stated in the security standard must be fully documented.
Reasonable and Appropriate
This is another phrase that appears throughout the Security Rule. Since the Security Rule affects a wide variety of businesses, it was designed with flexibility of approach in mind. Many of its standards and implementation specifications explain what needs to be done but not how to do it. How is left up to the individual business to determine based on its use of ePHI and its environment.
The security standards general rule §164.306(b)(2) explains that when “deciding which security measures to use, a covered entity must take into account the following factors:
- The size, complexity, and capabilities of the covered entity.
- The covered entity’s technical infrastructure, hardware, and software security capabilities.
- The costs of security measures.
- The probability and criticality of potential risks to electronic protected health information.”
Flexibility, scalability, and technology neutrality are key features of the Security Rule that allow businesses of any size or function to use the same standards and adjust accordingly to the evolution of technology. It’s important to note that cost alone is not enough of a justification to not implement a security standard. All factors need to be considered together when dealing with addressable specifications.
Before diving into the nitty-gritty of each security standard and the implementation specifications, evaluate what your business already has in place. Some of the requirements may be satisfied by the current security infrastructure. Read all the security standards once to get a feel for what you need to be assessing, then take the time to determine what measures, policies, and hardware already protect your ePHI. Knowing where you stand can save you time and stress while working toward HIPAA compliance.
Below we’ll address each section in a high-level overview and mention some of the important standards you should be aware of. This won’t be a step-by-step breakdown of all the standards and implementation specifications. For that, the Department of Health and Human Services (HHS) produced the HIPAA Security Series papers, which are extremely helpful, as is National Institute of Standards and Technology’s (NIST) An Introductory Resource Guide for Implementing the HIPAA Security Rule.
Administrative Safeguards make up more than half of all the standards in the Security Rule; however, this is also where many of your current systems might already be established to satisfy the requirements with little to no alterations.
The standards and implementations categorized under Administrative Safeguards involve the process of planning, selecting, and managing a business’s protection of ePHI. This includes, but is not limited to, emergency preparedness plans, policies and procedures, contracts, and employee management and training.
This category is all about knowing what you have, planning for the future, and making sure everyone in the company knows how to enforce the confidentiality, integrity, and availability of ePHI. It’s not enough to simply implement these systems, though. Everything must be documented, accessible to all who need it, tested and reviewed periodically.
Important Standards to Note
Security Management Process §164.308(a)(1): This is the very first standard, and for good reason. Its implementation specifications require a risk analysis and continuous risk management. The information gathered in these steps will help with many of the other standards. The risk analysis can highlight areas of deficiency in your security that might otherwise appear only when a malicious actor finds and exploits it.
There is no single correct way to perform a risk analysis because all businesses have differing needs. If you are looking for where to start, there are many useful guides outlining the risk assessment process. The HHS’s HIPAA Series includes Basics of Risk Analysis and Risk Management, and Appendix E in NIST’s Introduction provides risk assessment guidelines. For a more comprehensive look at risk assessments, NIST also produced a Guide for Conducting Risk Assessments.
Workforce Security §164.308(a)(3) & Security Awareness and Training §164.308(a)(5): These two standards have seven addressable implementation specifications between them. These deal with verifying that employees have the correct access to ePHI according to the duties they perform, and that they are informed on how to protect themselves and ePHI from cybersecurity threats. It also deals with how management handles adding new employees and removing employee access as job duties change or if the employee leaves the company. Both management and employees are responsible in protecting ePHI, but they must be given the knowledge, tools, and policies to do so.
Contingency Plan §164.308(a)(7): This standard includes the creation or revision of several different emergency preparedness plans, including a Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan. Besides preparing both management and employees in what to do, who needs to do it, and where resources are in the event of an emergency, this standard also helps assess what hardware or software is critical to the confidentiality, integrity, and availability of ePHI. This allows better prioritization and distribution of limited resources. Such precise knowledge is especially important in facilities that provide direct patient care.
Physical Safeguards deal with the facility, hardware, and other physical mechanisms necessary to protect ePHI, as well as the policies and procedures that regulate them. These can range from locks on doors or security guards in times of disaster to employees logging off before leaving a workstation. If a person could walk into your office and access ePHI, the Physical Safeguards handle how to appropriately plan your security measures according to your needs.
Important Standards to Note
Device and Media Controls §164.310(d)(1): Given the portability of data in the daily functions of modern business, it’s vital that any movable media containing ePHI be strictly logged, tracked, and disposed of when no longer needed. Even one lost USB drive containing ePHI is a breach of the Security Rule. This standard relates to all types of removable media, including laptops, flash drives, CD/DVDs, hard drives, and portable backups. It also deals with the re-use of these materials within the office, which first requires the proper removal and destruction of all ePHI.
Technical Safeguards deal with the technology used to create, access, transmit, and protect ePHI, as well as the policies and procedures that govern it. The Security Rule remains intentionally vague on the specific technology used to fulfill these standards to allow for advances in technology and the changes in security needs against new cyber security threats. This flexibility is also what allows a variety of businesses to handle ePHI and still comply with HIPAA’s Security Rule.
Technical Safeguards address aspects such as user access, hardware and software use, transmitting ePHI digitally, and encryption for various purposes. The Risk Analysis and Risk Management specifications from Administration Safeguards are especially useful in determining the technological needs and policies to enforce.
Important Standards to Note
Integrity §164.312(c)(1): This standard refers directly back to the key phrase confidentiality, integrity, and availability discussed earlier. It’s not enough to protect ePHI from being accessed or transmitted improperly; ePHI must also be protected from improper tampering or destruction of data. Wrong or incomplete information can have drastic effects on patient lives and care, so the ability to authenticate the validity of ePHI is a vital part of its security.
Monitor and Update
A vital part of the Security Rule is not only assessments and creating policies but implementing them so all employees are aware of and following the rules. Systems should be in place to verify that employees receive the necessary training in ePHI security procedures and understand the consequences of not following the policy. Reassessment of policies and re-training of employees should occur periodically so outdated procedures can be re-written for the current threat environment. Cyber threats are ever evolving, so too should ePHI cyber protections.
While the Security Rule may feel a bit daunting, many of its requirements are best practices for any business. Knowing exactly what data you handle, how it’s processed, and who needs access to it provides you with an informed view of your business’s operations. Having a written and tested Disaster Recovery Policy, Contingency Policy, and Continuity of Operations Plan will save you time, money, and stress should an emergency occur.