HIPAA established the Security Rule to ensure that all covered entities have implemented safeguards to protect the confidentiality, integrity, and access of PHI.
There are two types of implementation specifications: “required” and “addressable.” Wherever the Security Rule reads “required,” that specification must be implemented; whereas, if it says “addressable,” there is some wiggle room in exactly how you comply with that specific standard.
To meet the addressable specifications you can either a) implement as directed in the rule; b) implement one or more alternatives that will give you the same results; c) not implement at all. If you decide on the latter, it’s advisable to create documentation that outlines how you came to that decision; i.e., the factors you considered and the results of a risk assessment you used to base your decision.
It’s important to emphasize that the addressable specifications are not optional. You just have a little more flexibility in how you implement those pieces.
The Security Rule has three parts:
1) Technical Safeguards
2) Physical Safeguards
3) Administrative Safeguards
HIPAA Technical Safeguards include:
- Access control
- Audit controls
- Person or entity authentication
- Transmission Security
There are four required standards to meet under the Technical Safeguards.
- Access Control: Unique User ID- Every user must be assigned a unique ID that is used to track activity.
- Access Control: Emergency Access Procedure- Have procedures that allow you to access ePHI in the case of an emergency.
- Audit Control: Activity Oversight- You must have a system in place to record and review all ePHI activity logs.
- Person or Entity Authentication- You must confirm that a person who desires access to ePHI is who they say they are.
There are also five addressable Technical Safeguard standards.
- Access Control: Automatic Log-off- Set up auto log off systems for all workstations.
- Access Control: Encryption- Have a system to encrypt and decrypt ePHI.
- Integrity: Mechanism to Authenticate ePHI- Authenticate ePHI to verify its integrity.
- Transmission security: Integrity Oversight- Ensure that ePHI is not modified without detection.
- Transmission security: Encryption Control- Develop a system that encrypts ePHI whenever deemed appropriate.
See link to Advanced Encryption Standards (AES) here.
The four standards to address here are:
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
Under these sections, there are four required implementation standards to note:
- Workstation Use – you must create policies and procedures that outline the proper functions to be performed by electronic devices and the appropriate business use of workstations.
- Workstation Security- similar to the one above, this standard asks you to implement safeguards for workstations that contain ePHI and limit access to authorized users.
- Device and Media Control- Media Re-Use- implement procedures for ePHI removal before the device or media is available for re-use.
- Device and Media Control- Disposal- Implement policies and procedures for the final disposal of ePHI and any hardware associated with its storage.
Next, you have six remaining addressable Physical Safeguard implantation standards:
- Facility Access Controls: Contingency Operations- Create and implement a disaster plan for emergencies to restore any lost data.
- Facility Access Controls: Facility Security Plan- Implement policies and procedures to protect the facility and it’s equipment from access, tampering, and/or theft.
- Facility Access Controls: Access Control and Validation Procedures- Implement procedures to control and validate a person’s facility access based on their role or function; i.e., staff and visitor badges, control of access to software testing & editing.
- Facility Access Controls: Maintenance Records- Implement policies and procedures to document repairs and upgrades to the physical components related to security; i.e. Hardware, locks, bolts, and doors.
- Device and Media Controls: Accountability- Maintain documentation for hardware and electronic media
assigned to people responsible for them.
- Device and Media Controls: Data Backup and Storage- Create a retrievable, exact copy of ePHI, as needed, before movement of equipment or hardware.
The administrative piece is vital when starting a HIPAA compliance program. Over half of the HIPAA Security requirements are under this section. The administrative safeguards are “administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect ePHI and to manage the conduct of your workforce in relation to protected information.”
You are required to designate a privacy officer, complete document a risk assessment annually, train employees, review policies and procedures, and complete Business Associate Agreements or BAAs, with all your partners handling PHI.
There are nine standards in the Administrative Safeguards section. They are:
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Business Associate Contracts and Other Arrangements
There are eleven required Administrative safeguard standards.
- Security Management Process: Risk Assessment- Conduct and document a risk analysis to review ePHI storage and use to assess where their are vulnerabilities in your systems.
- Security Management Process: Risk Management- Implement measures to reduce a risks
- Security Management Process: Sanction Policy- Implement appropriate sanctions against employees who fail to comply with security protocols
- Security Management Process: Information Systems Activity Reviews- Regularly review system activity, logs, audit trails, and the like.
- Assigned Security Responsibility: Officers- Designate in house HIPAA Security and Privacy Officers.
- Information Access Management: Multiple Organizations- Ensure that ePHI is not accessed by other partner entities like a parent company, a subsidiary, contractors, or subcontractors- that shouldn’t have access.
- Security Incident Procedures: Respond and Document- Respond and document all security incidents.
- Contingency Plans: Contingency Plans- Implement policies and procedures that ensure the availability of ePHI backups and the retrieval of any lost data.
- Contingency Plans: Emergency Mode- Establish procedures to allow for critical business operations to protect ePHI in the event of an emergency.
- Evaluations: Perform cyclical evaluations to make changes to in your business operations should any HIPAA laws change.
- Business Associate Agreements (BAAs): Implement contractual agreements to ensure your partners’ compliance with all HIPAA laws. Choose partners who have similar agreements in with others in place.
There are also seven addressable standards under the Administrative Safeguards.
- Workforce Security: Employee Oversight- Implement policies and procedures to ensure all members of your workforce have appropriate access when their role calls for it and has that access removed when necessary.
- Information Access: Access Authorization- Implement policies and procedures for granting access to ePHI that monitor and allow access to ePHI.
- Security Awareness and Training: Security Updates- Cyclically send security reminders to about security and privacy policies to all employees.
- Security Awareness and Training: Protection Against Malware- Create policies and procedures that safeguard your systems against malicious software.
- Security Awareness and Training: Log-in Oversight- Implement monitoring of logins and reports of inconsistencies within your systems.
- Security Awareness and Training: Password Controls- Assure that there are systems in place for creating, protecting, retrieving, and editing passwords.
- Contingency Plans: Update and Review- Assess the relative criticality of specific applications and data in support of other contingency plan components.