HIPAA Security Rule
What is the HIPAA security rule?
The Health Insurance Portability and Accountability Act (HIPAA) is a US law that came into force in 1996 in order to ensure the privacy and security of health information whether it is electronic or not and also to maintain health insurance to unemployed people. HIPAA’s most important aspects for IT security is the HIPAA Security Rule, which establishes standards in order to protect the confidentiality, integrity and availability of Electronic Protected Health Information (ePHI) and which compliance, violations’ investigation and consequences procedures are guided by the enforcement rule. Compliance with the Security Rule is required since 2005 (2006 for small health plans) and the Office of Civil Rights (OCR) is responsible to help entities for it through compliance activities and applies financial penalties in case of non-compliance.
To note that HIPAA is not the only law concerned by security of ePHI. Indeed, the omnibus rule of the The Health Information Technology for Economic and Clinical Health (HITECH) act of 2009 modifies and completes it. There are also federal and states’ laws related to health information.
For more info, see: https://www.privacyrights.org/consumer-guides/health-privacy-hipaa-basics#what is hipaa
What information is protected under the HIPAA Security Rule?
The HIPAA Security Rule is applied to health information shared electronically such as Medical records, communication records (emails between patients and doctors), information in the insurer’s information system, health care services and goods billing information and any other ePHI created, used, stored, and transmitted by or to concerned entities.
The Security Rule ensures the Privacy Rule requirements only to one type of information under the Privacy Rule. Indeed, instead of concerning written or verbal information, it applies only to information shared electronically.
Who is Affected by the HIPAA Security Rule?
HIPAA requires organizations to comply with its Security Rule; otherwise, penalties can apply. Those organizations can be:
- Covered entities fitting in one of the following categories:
- Health care provider, which could be any health care professional (doctor, dentist, pharmacist etc.) or organization (hospital, clinic, nursing homes etc.)
- Health plans or health payers such as private health insurances, Medicare, Medicaid etc.
- Health care clearinghouses whose role is to put health information in a standard format that could be used by health care providers or health plans.
- Business associates, which are individuals or entities that might be contracted by covered entities in order to support them in one of the following services: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial. The contract should include compliance to HIPAA rules terms.
Other stakeholders could be concerned by the HIPAA rules such as subcontractors that act on behalf of business associates and hybrid entities that have a health component as part of their business (a university with a health center, for example) and which is the only one required to comply with HIPAA.
Not every organization or individual is covered by HIPAA, even though health information is accessible for them. For instance, life and long-term insurance companies, automobile insurance with health benefits, some alternative medicine practitioners, and so forth.
How is ePHI protected under the HIPAA security rule?
In order to protect ePHI and make sure about the confidentiality, integrity and availability of the data, covered entities should:
- set and implement reasonable and appropriate physical and non-physical safeguards (applicable to business associates as well)
- set and implement procedures to limit the availability and use of the data only when necessary
- make and run training programs for the personnel in data privacy and security matters in order to comply with the HIPAA security rule.
The HIPAA Security Rule requirements
Due to the heterogeneity of covered entities, the HIPAA Security Rule is flexible and only requires us to take into account the size, organizational structure, and available resources of the covered entities as well as the potential risks to ePHI and their consequences while setting security measures.
Covered entities must also adapt their security measures to the changing environment when needed through a flowing security management process.
The HIPAA security rule requires concerned individuals and entities to have a security plan that contains the following safeguards:
- Administrative safeguards
Defined as “administrative actions, policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
- Technical safeguards
Defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Each covered entity is free to choose the appropriate technical safeguard to implement in the organization.
- Physical safeguards
Defined as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
The following tables explain the standards for each safeguard as well as their implementation specifications and specify whether they are required or addressable by the HIPAA Security Rule. Note that addressable safeguards give more flexibility to covered entities which are responsible for finding more adaptable measures to ensure compliance with the concerned safeguards.
Security management process, which requires the organization to “Implement policies and procedures to prevent, detect, contain and correct security violations.”
- Implementation specification: Risk Analysis (Required), Risk Management (Required), Sanction Policy (Required), Information System Activity Review (Required).
Assigned Security Responsibility, which requires the organization to “Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.”
Workforce Security, which requires the organization to “Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information.”
- Implementation specification: Authorization and/or Supervision (Addressable), Workforce Clearance Procedure (Addressable), Termination Procedures (Addressable).
Information Access Management, which requires the organization to “Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part [the Privacy Rule].”
- Implementation specification: Isolating Health Care Clearinghouse Functions (Required), Access Authorization (Addressable), Access Establishment and Modification (Addressable).
Security Awareness and Training, which requires the organization to “Implement a security awareness and training program for all members of its workforce (including management).”
- Implementation specification: Security Reminders (Addressable), Protection from Malicious Software (Addressable), Login Monitoring (Addressable), Password Management (Addressable).
Security Incident Procedures, which requires the organization to “Implement policies and procedures to address security incidents.”
- Implementation specification: RESPONSE AND REPORTING (Required)
Contingency Plan, which requires the organization to “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”
- Implementation specification: Data Backup Plan (Required), Disaster Recovery Plan (Required), Emergency Mode Operation Plan (Required), Testing and Revision Procedures (Addressable), Applications and Data Criticality Analysis (Addressable).
Evaluation, which requires the organization to “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].”
Business Associate Contracts and Other Arrangements, which stipulates that, “A covered entity, in accordance with § 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information.”
- Implementation specification: WRITTEN CONTRACT OR OTHER ARRANGEMENT (Required).
Access control, which requires the organization to “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4)[Information Access Management].”
- Implementation specification: Unique User Identification (Required), Emergency Access Procedure (Required), Automatic Logoff (Addressable), Encryption and Decryption (Addressable).
Audit Controls, which requires the organization to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
Integrity, which requires the organization to “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”
- Implementation specification: MECHANISM TO AUTHENTICATE ELECTRONIC PROTECTED HEALTH INFORMATION (Addressable).
Person or Entity Authentication, which requires the organization to “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
Transmission Security, which requires the organization to “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
- Implementation specification: Integrity Controls (Addressable), Encryption (Addressable)
Facility Access Controls, which requires the organization to “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”
- Implementation specification: Contingency Operations (Addressable), Facility Security Plan (Addressable), Access Control and Validation Procedures (Addressable), Maintenance Records (Addressable).
Workstation Use, which requires the organization to “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”
Workstation Security, which requires the organization to “Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”
Device and Media Controls, which requires the organization to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”
- Implementation specification: Disposal (Required), Media Re-Use (Required), Accountability (Addressable), Data Backup and Storage (Addressable).
The combination of the three complementary safeguards required by the HIPAA security rule (administrative, technical and physical) is the holistic approach that every covered entity should consider in order to ensure the confidentiality, integrity and availability of ePHI through the assignment of the security officer as well as its security management process and all its elements, audit, and defining the security terms with its business associates supported by the training of the workforce in order to comply with the HIPAA Security Rule and to avoid sanctions of non-compliance for personnel as well as the organization.