Home » Healthcare » HIPAA Compliance in 2015, Part II: How Does My Organization Comply with the Security Rule?

HIPAA Compliance in 2015, Part II: How Does My Organization Comply with the Security Rule?

As explained in Part I: Why Does My Organization Need to Become HIPAA-Complaint?, HIPAA compliance is vital to the longevity of your company. And nowadays, it simply must be done. So what’s actually involved in becoming compliant?

HIPAA’s Security Rule

There are many facets to HIPAA compliance, one major one being the Security Rule. As stated by Department for Health and Human Services states, the Security Rule requires that organizations:

  1. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  2. Protect against reasonably anticipated, impermissible uses or disclosures; and
  3. Ensure compliance by their workforce.

The Rule is comprised of Administrative Safeguards, Physical Safeguards and Technical Safeguards.  These safeguards combine to create the standards that covered entities and business associates must meet to protect the confidentiality, integrity and availability of the health information that resides on their IT systems. Before talking about how these controls are implemented, let’s detail each of the three Safeguard families.

HIPAA’s Security Rule Administrative Safeguards

Per the Security Rule, Administrative Safeguards comprise the “administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” Or, in plain English, the Administrative Safeguards are a set of controls that, if implemented, will provide the foundation for a HIPAA compliance program. They are geared towards creating a properly organized internal environment that can support the other HIPAA controls. For context, the following are a few control examples from the Administrative Safeguards:

  • Implement policies and procedures to prevent, detect, contain and correct security violations.
  • Conduct a comprehensive risk assessment of the potential threats to the confidentiality, integrity and availability of electronic protected health information (ePHI).
  • Implement policies to ensure all workforce members have proper access to ePHI.
  • Implement a security awareness and training program for all workforce members.
  • Implement contingency plans and disaster recovery plans.
  • Ensure proper Business Associate Agreements (BAAs) are enforced.

HIPAA’s Security Rule Physical Safeguards

The Security Rule’s Physical Safeguards set forth the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Pretty self-explanatory – the controls govern the physical, brick-and-mortar, tangible, non-logical system components. Here are some controls from the Physical Safeguard family:

  • Implement policies and procedures to limit physical access to the information systems and/or the facilities that house the information system.
  • Document repairs and modifications to the facility (e.g. locks, doors, cameras, walls).
  • Implement policies and procedures that specify the proper use and security of workstations and the physical attributes of the area housing the workstations (e.g. screen blockers, location of printers, use of laptops, use of storage media).
  • Implement policies and procedure that govern that disposal, reuse, back-up, and chain of custody of hardware and electronic media.

HIPAA’s Security Rule Technical Safeguards

HIPAA’s Technical Safeguards are defined as, “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” These requirements apply directly to the information system itself, and how it logically protects the ePHI that resides on or is transmitted by the system. Accordingly, whereas the Physical Safeguards are facilities-centric, the Technical Safeguards are computing-centric. Here are some examples of the controls found in the Technical Safeguard family:

  • Implement technical policies and procedures to allow logical access to ePHI only to those persons or programs that have proper access rights.
  • Implement encryption and decryption mechanisms.
  • Implement audit controls that record and examine system activity.
  • Implement procedures to adequately authenticate users to ensure the user is the one claimed.
  • Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.

How Do I Approach the Security Rule and Incorporate Its Requirements Into My Organization?

First off, there’s a threshold question that needs to be answered: Is my organization even subject to HIPAA’s Security Rule?

The answer is “yes” if the organization is a “covered entity” or a “business associate.”

Covered Entities

Covered Entities include health care providers (doctors, hospitals, clinics), health plans (insurance carriers, HMOs, Medicare/Medicaid) and healthcare clearinghouses (companies that handle large amount of health data).

If your organization falls into one of these categories, then HIPAA compliance is mandated.

Business Associates

Business Associates are those companies that maintain, process, store or otherwise handle ePHI on behalf of a covered entity. Examples include accounting firms, medical transcription companies, third-party administrators and document storage companies.

After the passage of the HIPAA Omnibus Rule, the Security Rule was broadened to subject business associates to its requirements. Basically, business associates had to comply with the Security Rule as if they were a covered entity. This means that if a business associate violates HIPAA, it is subject to the fines and penalties levied by the government. It wasn’t always this way. Prior to the Omnibus Rule, business associates were liable only according to the contract they had in place with the covered entity they supported. This is yet another reason why HIPAA compliance today is becoming a priority – it applies to more organizations.

Implementation of the Security Rule

The Security Rule is only one aspect of HIPAA’s compliance framework. The Privacy Rule sets forth an array of different and additional controls, as does its Breach Notification Rule. So compliance with the Security Rule does not equate to full HIPAA compliance.

That said, compliance with the Security Rule is based heavily on policy and procedure creation, and ensuring that personnel roles are understood in relation to those policies and procedures. In addition, a robust technical system configurations and implementing adequate logical mechanisms to protect and maintain ePHI is absolutely necessary. It’s very useful to conduct a risk assessment of your organization’s current state of HIPAA compliance, or hire a consultant, like Lunarline, to do it for you.  From there, you can determine what areas are weak or non-existent, and create you strategic plan of attack.

Like many other compliance frameworks, HIPAA control implementation is best achieved if the true context of the framework is appreciated and understood. Part of this challenge is knowing what HHS expects to see, and what areas of the Security Rule HHS deems most important. This knowledge comes with experience, which we have a lot of. Contact us to discuss your HIPAA compliance needs.

About Joshua Merkel

Josh is Lunarline's Director of Privacy. He is a licensed attorney and holds CIPP and CIPM certifications. In addition to data privacy consulting, Josh acts as a subject matter expert supporting HIPAA compliance assessments, and leads FISMA/NIST efforts for several clients.