OSHA & HIPAA Compliance Made Easy
With 25+ years of OSHA experience and one of the nation's only Certified HIPAA Professionals, Smart Training makes compliance not only manageable but easy! We want to address your concerns, so comment and have your questions answered by the experts!
Smart Training

What are the HIPAA Security Rule Safeguards?

10/2/2020 10:42:54 AM

What is the HIPAA Security Rule?

The Security Rule is a part of the Health Insurance Portability and Accountability Act (HIPAA). It applies only to electronic Protected Health Information (ePHI). The HIPAA Security Rule outlines regulations to protect against breaches of ePHI. Covered entities must abide by the Security Rule.

What is the Importance of the Security Rule?

Technology is always advancing, and it makes it easier for healthcare employees to access patient records.

But the same technology poses a serious security risk. The Security Rule is important to protect both your patients and your practice.

ePHI is very valuable. A breach can negatively affect a patient for life. Breaches also impact your practice. A HIPAA fine can be as high as $1.5 million in a given year.

Is the Security Rule Flexible with Changing Technology?

The Security Rule is designed to be “technology-neutral.” It facilitates the use of the latest and best technologies. The standards within the Security Rule do not require specific protective technologies. Instead, the Rule gives practices technological freedom when it comes to meeting its standards.

What are the goals of the Security Rule?

The law consists of administrative, physical, and technical safeguards. These safeguards have been put in place to:

  • Restrict unauthorized access to ePHI
  • Audit who, how, and when ePHI is accessed
  • Ensure that ePHI is not altered or destroyed inappropriately
  • Make sure people are who they say they are
  • Prevent unauthorized disclosures of ePHI

What PHI is Protected?

These are the different types of data that covered entities must keep secure:

  • Data in motion: data moving through a network
  • Data at rest: data that is kept in databases, on servers, or on flash drives
  • Data in use: data that is being created, retrieved, updated, or deleted
  • Data disposed: data that has been discarded

Are Addressable Specifications Optional?

If an implementation specification is “required,” it must be implemented.

But are addressable specifications optional? No. Addressable specifications do allow for flexibility, though. In meeting addressable specifications, a covered entity will do one of the following:

  • Put in place the addressable specification
  • Implement one or more alternative security measures to accomplish the same purpose
  • Not implement either an addressable specification or an alternative

The covered entity must document its choice. Cost alone is not a sufficient reason to leave a safeguard unimplemented.

How to Decide What Addressable Specifications to Implement

Covered entities must perform a risk analysis. The risk analysis helps the covered entity determine whether:

  • An addressable specification should be implemented
  • An alternative exists

The covered entity must document:

  • The results of the risk analysis
  • Any decisions made about addressable specifications

Why Perform a HIPAA Risk Assessment?

The risk assessment is a requirement under HIPAA.

The risk assessment objective is to identify potential risks and vulnerabilities of ePHI. A covered entity is required to protect any ePHI that their organization creates, receives, maintains, or transmits.

The Three Safeguards

These Security Rule safeguards ensure the confidentiality, integrity, and security of ePHI.

Technical Safeguards

These are the technology-focused security measures that guard against unauthorized access to ePHI. They consist of access controls, audit controls, and integrity controls.

Physical Safeguards

These safeguards relate to the physical security of data, as well as who has access to where it is stored. Practices need to protect physical computer systems, servers, and buildings from natural disasters and hacking. The physical safeguards also address workstation and device security.

Administrative Safeguards

Administrative safeguards require that a Privacy Officer be designated to identify and analyze potential risks to the integrity of ePHI. The Privacy Officer must implement security measures to reduce the risk of breaches.

Is your Practice HIPAA Compliant?

Smart Training has informative training modules to help employees comply with HIPAA, for example HIPAA 101 and a training module for your Privacy Officer.

If HIPAA is a challenge, Smart Training can help you with your compliance needs.

©2022 Hygienetown, L.L.C., a division of Farran Media, L.L.C. • All Rights Reserved