Written by Emily Howard
HIPAA, or the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
The HIPAA Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the HIPAA Privacy Rule’s prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. “Integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on-demand by an authorized person.
Healthcare organizations will be required to address the following four areas as defined by the Department of Health and Human Services (DHHS):
- Administrative procedures — Procedures for establishing and enforcing security policies.
- Physical safeguards — Safeguards that protect physical computer and network facilities.
- Technical security services — Services that protect, control, and monitor access to health care information.
The Administrative Safeguards are a collection of policies and procedures that govern the conduct of the workforce, and the security measures put in place to protect ePHI.
The administrative components are really important when implementing a HIPAA compliance program; you are required to assign a privacy officer, complete a risk assessment annually, implement employee training, review policies and procedures, and execute Business Associate Agreements (BAAs) with all partners who handle protected health information (PHI).
As with all the standards in this rule, compliance with the Administrative Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions.
There are nine administrative safeguards with a total 18 compliance specifications:
Security Management Process
- Risk Analysis (required): Identify and analyze potential risks to e-PHI, and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Risk Management (required): Implement sufficient measures to reduce these risks to an appropriate level.
- Sanction Policy (required): Implement sanction policies for employees who fail to comply.
- Information Systems Activity Reviews (required): Regularly review system activity, logs, audit trails, etc.
Assigned Security Responsibility
- Officers (required): Designate HIPAA Security and Privacy Officers.
- Employee Oversight (addressable): Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
Information Access Management
- Multiple Organizations (required): Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
- ePHI Access (addressable): Implement procedures for granting access to ePHI that document access to ePHI or to services and systems that grant access to ePHI.
Security Awareness and Training
- Security Reminders (addressable): Periodically send updates and reminders about security and privacy policies to employees.
- Protection Against Malware (addressable): Have procedures for guarding against, detecting, and reporting malicious software.
- Login Monitoring (addressable): Institute monitoring of logins to systems and reporting of discrepancies.
- Password Management (addressable): Ensure that there are procedures for creating, changing, and protecting passwords.
- Response and Reporting (required): Identify, document, and respond to security incidents.
- Contingency Plans (required): Ensure that there are accessible backups of ePHI and that there are procedures for restore any lost data.
- Contingency Plans Updates and Analysis (addressable): Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
- Emergency Mode (required): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.
- Periodic Evaluations (required): Perform evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
Business Associate Agreements
- Compliance Partners (required): Have special contracts with business partners who will have access to your PHI in order to ensure that they will be compliant. Choose partners that have similar agreements with any of their partners to which they are also extending access.
Physical Safeguards are a set of rules and guidelines that focus on the physical access to PHI. Physical safeguards are defined as physical measures, policies, and procedures that an organization uses to protect its electronic information systems, buildings and equipment from natural and environmental hazards and unauthorized intrusion. These standards must be implemented for both systems housed on the covered entity’s premises or at another location.
There are four standards in the Physical Safeguards sections, which breakdown into ten compliance standards:
Facility Access Controls
- Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
- Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
- Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
- Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
- Outline Requirements of Physical Space (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI
- Physical Safeguards (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
Device and Media Controls
- Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
- Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
- Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
- Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
Technical Security Services
The Technical Safeguards focus on the technology that protects PHI and controls access to it. The standards of the Security Rule do not require you to use specific technologies. The Security standards were designed to be “technology neutral.”
Technical policies should also cover integrity controls, or measures put in place to confirm that ePHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are key to ensure that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact.
There are five standards listed under the Technical Safeguards section, breaking down into 9 sub-categories:
- Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
- Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
- Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
- Monitor systems (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
- Personnel Verification (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
- Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
- Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.