Voted Best Sexual Harassment Training Solution in 2021 by The Balance SMB

How To Comply With The HIPAA Security Rule: The Complete Guide

The HIPAA Security Rule is a set of regulations that protects any individually identifiable health information created or held by covered entities and their business associates. The rule was developed to ensure the privacy and security of these records, and helps maintain trust between patients and healthcare providers.

This blog post will explore what the HIPAA Security Rule means for healthcare professionals, and how they can comply with it.

Note: If you want to stay compliant under HIPAA and avoid any unnecessary fines, try EasyLlama's training. Our HIPAA course can help your company avoid any violations and unnecessary fines. Get in touch with us today for a free trial.

What is the HIPAA Security Rule?

The Security Rule, under the The Health Insurance Portability and Accountability Act, requires covered entities to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of all ePHI data.

ePHI, which stands for electronic Protected Health Information, is any information that can identify a patient and pertains to past, present, or future physical or mental health.

The Security Rule ensures that electronic patient records are kept confidential by setting forth requirements for when data should be encrypted, when it should be decrypted to allow authorized access, and which devices can read or write data in an ePHI system.

It describes the different levels of safeguards that must be implemented to properly protect ePHI. For example, "access controls'' keep data hidden from any unauthorized users, while "audit controls'' track who has accessed information so they can determine if anyone is violating security protocols. 

Why is the Security Rule important? 

Because ePHI can be used by identity thieves to commit fraud, covered entities must protect this information from their employees, business associates (agencies that receive or store ePHI on behalf of covered entities), and any subcontractors they hire to perform services. If ePHI is not protected, identity thieves may use it for their own benefit—such as obtaining health care services under another person's name. The Security Rule helps ensure that when data moves in or out of covered entity's facilities, the data will be secure against theft or loss.   

How can I comply with these standards? 

Hospitals and private medical practices are expected to follow information security best practices in order to protect their patients' personal data. This includes keeping antivirus software up-to-date, restricting remote access by employees, ensuring web browsers use encryption when sending sensitive information, using two-factor authentication for secure logins, updating passwords regularly, avoiding unsecured Wi-Fi networks, and encrypting all mobile devices.

Healthcare providers are also expected to train employees on how they should handle electronic protected health information, since the most successful security measures are usually those that are implemented by individuals themselves.

What’s “confidentiality” under HIPAA?

The HIPAA Security Rule requires that healthcare providers maintain the confidentiality of patient information. When we talk about “confidentiality”, we mean that any identifiable health information is not made public without the consent of the patient.

What’s “integrity” under HIPAA?

The HIPAA Security Rule also ensures that ePHI has not been altered or destroyed in an unauthorized way.

What’s “security” under HIPAA?

Lastly, the HIPAA Security Rule covers security measures that can prevent unauthorized access to a patient's ePHI. This means all forms of PHI identifiers must be safeguarded against fraud and unlawful physical access. Access controls should allow users to view data only if they have a valid reason for doing so.

What are the Security Rule Requirements?

The HIPAA Security Rule requires healthcare providers to take measures that ensure the following:

  • ePHI is only accessible by people who are authorized to see it
  • Unauthorized users can't access patient data
  • Any changes made to patient data are tracked 
  • Only trustworthy employees have access to ePHI 
  • Any electronic PHI data is transmitted securely via documented standards 
  • At least one person whose job includes overseeing security procedures for all covered entities 
  • Any paper records containing PHI should be kept locked up
  • Electronic PHI must be encrypted when being transferred across public networks 
  • If any of these rules are broken, the healthcare provider must document all of them

Standards of the HIPAA Security Rule

The three standards of the HIPAA Security Rule include: 

  • Administrative safeguards 
  • Physical safeguards
  • Technical safeguards

What are Administrative Safeguards? 

Administrative safeguards are policies and procedures put in place to guarantee the security of ePHI and assure compliance with the Security Rule. This section covers training and documentation requirements for employees who do not have access to sensitive health information, as well as those who do. They include:

Security Management Process

A covered entity must put in place security measures to help protect the privacy of patient information. Conducting a thorough HIPAA risk assessment is one of the requirements of this standard.

 A risk assessment can help identify what assets are most critical, where they are located, and who has access to them. From these findings, an organization can create targeted strategies for protecting their data.

A HIPAA risk assessment must be done on an annual basis and should also occur when a new activity or technology is introduced. The security measures resulting from the risk assessment must be documented and available for review by any regulatory reviews.   

Workforce Security

Covered entities need to make sure their employees understand what they can and cannot do with ePHI. They need to communicate this information clearly to ensure that PHI is not shared with unauthorized users or used in unapproved ways. 

Internal policies must prohibit employees from accessing PHI without a business need, such as requesting records of family members under their medical insurance plan. Employees who violate these protocols should face disciplinary action, up to and including termination of employment if necessary.   

Privacy Management

These procedures apply to all aspects of a covered entity's business practices, including training employees and developing internal policies. Privacy management procedures must be put in place for all actions involving PHI, from changing employee email passwords to photocopying patient records during office visits.   

Security Awareness & Training

Since most security issues originate with human error, it is critical that covered entities conduct regular security awareness training for all employees.

 In these training sessions, employees should learn how to handle PHI appropriately and the importance of protecting ePHI from unauthorized use or access. Employees who do not follow proper protocols should have their work reviewed by supervisors and face disciplinary action if necessary.   

What are Physical Safeguards?

The HIPAA Security Rule requires physical safeguards to protect ePHI against unauthorized use, access, modification, or disclosure. Physical safeguards are the measures taken to safeguard personal information within electronic data systems, equipment, and the facilities in which they are housed from unlawful access.

Physical safeguards include: 

Workstations and Work Areas

Physical safeguards include ensuring workstation screens do not face public areas and securing mobile computing devices such as laptop computers and smartphones in lockable cases when they are unattended by employees working with ePHI. 

Additionally, all sensitive information (paper and electronic) must have restricted access, and all employees should lock up PHI when it is not being used.   

Off-Site Storage

 HIPAA requires covered entities to implement physical safeguards for off-site records storage facilities. In these situations, covered entities must ensure that facility management has implemented appropriate security measures to protect ePHI from unauthorized use or disclosure if the records are lost or destroyed in a disaster.   

What are Technical Safeguards?

Technical Safeguards help protect ePHI against tampering and theft. These safeguards include policies on disposal of PHI after use, access controls limiting who can see the data, encryption to protect data in transit (i.e., Bluetooth), and security audit trails to track activity on systems where ePHI is stored. 

Device and Media Controls

Technical safeguards must be implemented on electronic and mobile devices, such as password protection and encryption of files to prevent unauthorized access before the device is lost or stolen.   

Workstation Access Controls

Many computer workstations have multiple users accessing ePHI while logged in at the same time. In these cases, covered entities must implement a mechanism for controlling what a user can view when it is another employee's turn on the shared machine. 

For example, an employee might have their own login with restricted permissions while someone else has administrative rights to view all data on the system.   

Encryption

Encryption uses a mathematical algorithm to convert data into a code that is unreadable by unauthorized individuals. It is commonly used when sending ePHI over the Internet and in the storage of ePHI on mobile devices.

Covered entities are required to encrypt ePHI whenever it is stored or transmitted off-site (i.e., in cloud databases).   

Audit Trails and Data Backups

Many computer systems maintain log files tracking system activity and user actions, such as downloads, updates, and deletions. These files can be used to identify security breaches if they show activity outside of normal parameters.’

Audit trails must be reviewed at least annually for potential PHI access issues. In addition, technology exists that automatically backs up computer information either daily or weekly so that the data is not lost in the event of a system crash.   

What are the penalties for violating the HIPAA Security Rule?

Criminal penalties of up to $50,000 and/or imprisonment for up to one year may be imposed on individuals who knowingly obtain or disclose ePHI in violation of the HIPAA Security Rule. 

Criminal penalties are also possible against organizations that knowingly fail to comply with requirements under the HIPAA Security Rule. The following are examples of punishable actions: 

  • Accessing an individual's ePHI without authorization
  • Disclosing ePHI to someone who is not allowed access, such as a person's employer
  • Using an electronic device or paper record to intentionally access PHI that is not specifically listed in the "minimum necessary" provision
  • Copying or removing records containing ePHI without authorization
  • Obtaining information by, trickery, misrepresentation, coercion, or force
  • Selling PHI for personal gain
  • Disclosing ePHI to a relative or friend without first obtaining authorization
  • Permitting employees' relatives and friends access to ePHI
  • Allowing an employee's non-work use of work computers
  • Not having a business associate contract in place with any entity that creates, receives, maintains, or transmits PHI on the organization's behalf

What about the HITECH Act?

The HITECH Act of 2009 extended the HIPAA Security Rule's obligations on business associates. It was created to encourage and enhance the use of electronic health records (EHRs) by healthcare providers, as well as other information technology.

The Act also tightened up the language of HIPAA to eliminate any potential loopholes. This helped in ensuring that business associates of HIPAA-covered entities complied with HIPAA Rules and that notifications were sent to harmed individuals if their medical data was compromised.

What is "minimum necessary" PHI disclosure? 

Covered entities must limit the disclosure of ePHI to only that information that is relevant and necessary in relation to each individual's care. This standard is called the minimum necessary standard.

For example, a covered entity may need to disclose that an individual has diabetes to their health plan, but it would be unnecessary and inappropriate for the provider to disclose details about treatment or medication

How does HIPAA affect the Electronic Medical Record (EMR)?

The adoption of EMRs has significantly increased since the Security Rule was published. But EMRs are complicated systems that contain electronic PHI, so they require extensive security measures to keep ePHI safe. Your organization must have a plan in place for implementing physical, technical, and administrative requirements to safeguard all ePHI.