The purpose of the Security Rule is to establish national standards to protect electronic protected health information (ePHI) by ensuring its confidentiality, integrity, and availability. Organizations and systems must comply with the Security Rule to safeguard sensitive health data from unauthorized access, theft, or damage, which not only protects patient privacy but also helps maintain trust in the healthcare system.
What is the Security Rule?
According to the HHS summary of the Security Rule: “The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information.
HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities.”
HIPAA is divided into several rules, with the Security Rule being part of Title II, the Administrative Simplification provisions. Title II requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers. Within this title, the Security Rule complements the Privacy Rule, which sets standards for the protection of privacy of health information.
The general requirements, and the flexibility afforded to organizations, are defined in § 164.306 of the Rule. This section stresses the need to ensure ePHI is confidential, intact, and accessible when needed by authorized personnel. It also mandates protection against reasonably anticipated threats and against unauthorized uses and disclosures of this information.
The rule offers flexibility, allowing entities to adapt the requirements based on their size, capabilities, and the nature of their technical infrastructure. This means that a small clinic and a large hospital can each implement security measures appropriate to their scale and needs without being tied to specific technologies.
The safeguards defined by the Security Rule are divided into three main categories:
Administrative Safeguards (§ 164.308)
These are policies and procedures designed to show how the entity complies with the act, and include:
- Risk analysis and management
- Security personnel
- Information access management
- Training and management
Physical Safeguards (§ 164.310)
These involve the protection of electronic systems, buildings, and equipment from natural and environmental hazards and from unauthorized intrusion. They include provisions such as:
- Facility access and control
- Workstation and device security
Technical Safeguards (§ 164.312)
These pertain to the technology that protects ePHI and controls access to it. Provisions include:
- Access control
- Audit controls
- Integrity controls
- Transmission security
Other guiding sections of the Security Rule include § 164.314, which sets the organizational requirements for covered entities, and § 164.316, which sets out the policies, procedures, and documentation requirements for adopting the Security Rule.
See also: A guide to HIPAA's rules
Who needs to comply with the Security Rule?
Covered entities
- Health plans: This category encompasses health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, and government programs that pay for health care, such as Medicare and Medicaid.
- Healthcare clearinghouses: These entities process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa. This includes billing services and community health management information systems.
- Healthcare providers: This group includes providers who transmit any health information in electronic form in connection with transactions for which the HHS has adopted standards. Common examples are doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
Business associates
These are persons or entities that perform certain functions or activities involving the use or disclosure of protected health information on behalf of, or provide services to, a covered entity. A member of the covered entity's workforce is not a business associate.
Common examples of business associates include:
- Data processing firms: Companies that help covered entities process or store protected health information.
- Billing companies: Organizations that handle coding and billing data.
- Shredding companies: Businesses that assist covered entities in the disposal of documents containing protected health information.
- IT providers: Companies that manage a covered entity's data security, software, or systems involving access to protected health information.
- Legal services: Lawyers who may access protected health information when providing legal services to a covered entity.
The Security Rule requirements for healthcare organizations
According to the HHS FAQs section, “Covered entities should look to § 164.306 of the Security Rule for guidance to support decisions on how to comply with the standards and implementation specifications contained in §§ 164.308, 164.310, 164.312, 164.314, and 164.316.”
General requirements and flexibility of approach:
- Covered entities must protect ePHI from unauthorized access, ensure its accuracy and reliability, and make it accessible when needed.
- Entities must guard ePHI against any reasonably anticipated threats or hazards.
- Entities must make sure ePHI is not used or disclosed improperly.
- Entities must train and manage their workforce to comply with these security policies and procedures.
- The Security Rule allows entities to tailor their security measures based on their size, capabilities, and the nature of their ePHI handling.
- Entities are free to choose security technologies that best fit their needs without being mandated to use specific solutions.
- When implementing security measures, entities should consider their operational characteristics and the potential risks to ePHI.
Administrative requirements:
- Identify and address potential risks to ePHI.
- Appoint someone to be responsible for overseeing ePHI security.
- Train staff on how to handle ePHI securely and manage access to it.
- Have a plan for responding to emergencies that affect systems containing ePHI.
Physical requirements:
- Control access to facilities to keep out unauthorized people.
- Secure workstations and devices to prevent unauthorized access to ePHI.
Technical requirements:
- Implement systems that limit access to ePHI to only those who need it to do their jobs.
- Encrypt ePHI to make it unreadable to unauthorized people.
- Keep logs that record who accessed ePHI and what they did with it.
- Protect ePHI from unauthorized access as it is being transmitted.
Organizational requirements:
- Covered entities must have contracts with their business associates ensuring that they protect ePHI.
- When formal contracts are not feasible, other arrangements that ensure the protection of ePHI must be in place.
- Contracts or arrangements must specify that business associates will implement necessary safeguards to prevent unauthorized ePHI use or disclosure.
Policy and procedural requirements:
- Covered entities must implement and maintain policies and procedures appropriate to comply with the Security Rule.
- All policies, procedures, and actions related to the Security Rule must be documented and maintained in written (electronic or paper) form.
- Documentation must be retained for at least six years from the date of creation or last effective date, whichever is later.
- Documentation must be available to those responsible for implementing the procedures.
Which systems need to comply with the Security Rule?
Several commonly used systems and tools within healthcare organizations might not immediately be recognized as needing to comply with the HIPAA Security Rule, yet they handle or interact with ePHI and therefore must be secured. These include:
- Email systems
- Mobile devices
- Electronic health records (EHR) systems
- Pharmacy management systems
- Hospital information systems
- Health information exchanges (HIEs)
- Telemedicine platforms
- Cloud storage services
- Scheduling software
- Fax machines
- Electronic visitor management systems
- Remote access systems
- Online communication tools
- Wearable health devices
- Data backup systems
The Security Rule requirements for systems
- Unique user identification (Required): Systems must assign a unique name or number for identifying and tracking user identity in electronic information systems.
- Emergency access procedure (Required): Systems must have procedures that enable continuation of business processes for protection of the security of ePHI while operating in emergency mode.
- Automatic logoff (Addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Encryption and decryption (Addressable): Implement a mechanism to encrypt and decrypt ePHI to prevent unauthorized access, especially in storage and during transmission over open networks.
- Audit controls (Required): Implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
- Integrity controls (Addressable): ePHI should not be altered or destroyed in an unauthorized manner, possibly including mechanisms to authenticate ePHI, such as digital signatures.
- Transmission security (Addressable): Implement security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network, including considerations for encryption.
- Entity authentication (Required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
See also: HIPAA Compliant Email: The Definitive Guide
The basics of assessing organizational compliance
General security management
- Have you conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI?
- Do you have a formal security management process in place that addresses the results of the risk assessment?
- Are there policies and procedures in place to prevent, detect, contain, and correct security violations?
Assigned security responsibility
- Is there a designated security official who is responsible for developing and implementing security policies and procedures?
Workforce security
- Have you implemented procedures to ensure that access to ePHI is appropriate and complies with the minimum necessary rule?
- Are there adequate controls to authorize access to ePHI based on the user or entity’s role within the organization?
Information access management
- Do you have policies and procedures in place to ensure that access to ePHI is granted based on the minimum necessary requirements?
- Are there processes to review and modify a person’s access to ePHI as necessary?
Security awareness and training
- Do you provide regular security training to all members of your workforce regarding the safe handling of ePHI?
- Are there ongoing awareness programs that address issues such as password protection, security incident reporting, and malware?
Security incident procedures
- Are there established and implemented procedures to identify and respond to suspected or known security incidents?
- Do you have mechanisms in place to document and investigate security incidents and their outcomes?
Contingency plan
- Have you developed and tested contingency plans including data backup, disaster recovery, and emergency mode operations?
- Are these contingency plans regularly updated and tested to ensure they are effective in case of an actual emergency?
Evaluation
- Do you periodically conduct evaluations to determine whether the technical and non-technical security measures are adequate to meet the requirements of the Security Rule?
Business associate agreements
- Are there contracts or other arrangements with business associates that comply with HIPAA requirements to ensure the protection of ePHI?
- Do you regularly review and update business associate agreements to ensure compliance and address changes in business practices?
Physical safeguards
- Are physical measures, policies, and procedures in place to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion?
- Is access to facilities containing ePHI controlled and monitored?
Technical safeguards
- Have you implemented technical security measures to guard against unauthorized access to ePHI transmitted over an electronic network?
- Do you utilize encryption and decryption as necessary to protect ePHI, especially when transmitted over open networks?
Audit controls
- Are there mechanisms in place to record and examine activity in systems that contain or use ePHI?
See also: Top 12 HIPAA compliant email services
FAQs
What is the Privacy Rule?
The Privacy Rule establishes national standards to protect individuals' medical records and other personal health information.
What are the other Administrative Simplification rules?
The other Administrative Simplification rules under HIPAA include the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.
What is the difference between addressable and required controls under the Security Rule?
Required controls are mandatory and must be implemented by the covered entity. Addressable controls must be assessed by the entity to determine whether they are reasonable and appropriate in its environment: if so, they should be implemented; if not, the entity must either adopt an equivalent alternative measure or document its decision not to implement the control.
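The Required/Addressable logic above, applied to the § 164.312 implementation specifications listed earlier on this page, is an assessment an entity can script. The following is an added example, not code from the page or from HHS; the `ControlStatus` schema and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass

# § 164.312 implementation specifications as listed on this page, with their designation.
SPECS = {
    "unique user identification": "Required",
    "emergency access procedure": "Required",
    "automatic logoff": "Addressable",
    "encryption and decryption": "Addressable",
    "audit controls": "Required",
    "integrity controls": "Addressable",
    "transmission security": "Addressable",
    "entity authentication": "Required",
}

@dataclass
class ControlStatus:  # hypothetical record an entity keeps per specification
    implemented: bool = False
    alternative: str = ""  # documented equivalent alternative measure
    rationale: str = ""    # documented reason for not implementing it

def assess(inventory: dict) -> dict:
    """Required must be implemented; Addressable may instead carry a
    documented alternative or a documented decision not to implement."""
    findings = {}
    for spec, level in SPECS.items():
        status = inventory.get(spec, ControlStatus())  # absent = nothing done
        if status.implemented:
            findings[spec] = "ok: implemented"
        elif level == "Required":
            findings[spec] = "gap: required specification not implemented"
        elif status.alternative:
            findings[spec] = f"ok: alternative documented ({status.alternative})"
        elif status.rationale:
            findings[spec] = f"ok: non-implementation documented ({status.rationale})"
        else:
            findings[spec] = "gap: addressable, but nothing implemented or documented"
    return findings

def gaps(inventory: dict) -> list:
    return sorted(s for s, f in assess(inventory).items() if f.startswith("gap"))

# Constructed sample inventory for a hypothetical clinic system.
SAMPLE = {
    "unique user identification": ControlStatus(implemented=True),
    "audit controls": ControlStatus(implemented=True),
    "entity authentication": ControlStatus(implemented=True),
    "automatic logoff": ControlStatus(alternative="endpoint screen lock after 10 min"),
    "integrity controls": ControlStatus(rationale="risk analysis: write-once records"),
    "encryption and decryption": ControlStatus(),  # addressable, nothing documented
}  # "emergency access procedure" and "transmission security" are absent entirely
```

Running `assess(SAMPLE)` reports the absent required specification and the two addressable ones with no documented alternative or decision as gaps, while the documented addressable choices pass.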