What is the HIPAA Security Rule?
The Security Rule is a part of the Health Insurance Portability and Accountability Act (HIPAA). It applies only to electronic Protected Health Information (ePHI). The HIPAA Security Rule outlines regulations to protect against breaches of ePHI. Covered entities must abide by the Security Rule.
What is the Importance of the Security Rule?
Technology is always advancing. It makes it easier for healthcare employees to access patient records.
But technology poses a serious security risk. The Security Rule is important to protect your patients and your practice.
ePHI is very valuable. A breach can negatively affect a patient for life. Breaches also impact your practice. A HIPAA fine can be as high as $1.5 million in a given year.
Is the Security Rule Flexible with Changing Technology?
The Security Rule is designed to be “technology-neutral.” It facilitates the use of the latest and best technologies. The standards within the Security Rule do not require specific protective technologies. Instead, it gives practices technological freedom when it comes to meeting standards.
What are the goals of the Security Rule?
The law consists of administrative, physical, and technical safeguards. These safeguards have been put in place to:
- Restrict unauthorized access to ePHI
- Audit who, how, and when ePHI is accessed
- Ensure that ePHI is not altered or destroyed inappropriately
- Make sure people are who they say they are
- Prevent unauthorized disclosures of ePHI
What PHI is Protected?
These are the different types of data that covered entities must keep secure:
- Data in motion: data moving through a network
- Data at rest: data that is kept in databases, on servers, or on flash drives
- Data in use: data that is being created, retrieved, updated, or deleted
- Data disposed: data that has been discarded
Are Addressable Specifications Optional?
If an implementation specification is “required,” it must be implemented.
But are addressable specifications optional? No. Addressable specifications do allow for flexibility, though. In meeting addressable specifications, a covered entity will do one of the following:
- Put in place the addressable specification
- Implement one or more alternative security measures to accomplish the same purpose
- Not implement either an addressable specification or an alternative
The covered entity must document its choice. Cost alone is not a sufficient reason not to implement a safeguard.
How to Decide What Addressable Specifications to Implement
Covered entities must perform a risk analysis. The risk analysis helps the covered entity determine whether:
- An addressable specification should be implemented
- An alternative exists
The covered entity must document:
- The results of the risk analysis
- Any decisions made about addressable specifications
Why Perform a HIPAA Risk Assessment?
The risk assessment is a requirement under HIPAA.
The risk assessment objective is to identify potential risks and vulnerabilities of ePHI. A covered entity is required to protect any ePHI that their organization creates, receives, maintains, or transmits.
The Three Safeguards
These Security Rule safeguards ensure the confidentiality, integrity, and security of ePHI.
Technical Safeguards
These are technical security measures that guard against unauthorized access to ePHI. Technical safeguards focus on technology. They consist of access controls, audit controls, and integrity controls.
Physical Safeguards
These safeguards relate to the physical security of data, as well as who has access to where it is stored. Practices need to protect physical computer systems, servers, and buildings from natural disasters and hacking. The physical safeguards also address workstation and device security.
Administrative Safeguards
Administrative safeguards require that a Privacy Officer is designated to identify and analyze potential risks to the integrity of ePHI. The Privacy Officer must implement security measures to reduce the risk of breaches.
Is your Practice HIPAA Compliant?
Smart Training has informative training modules to help employees comply with HIPAA, for example HIPAA 101 and a training module for your Privacy Officer.
If HIPAA is a challenge, Smart Training can help you with your compliance needs.