What is the HIPAA Security Rule?
The National Institute of Standards and Technology (NIST) wrote the security rule for healthcare. In fact, NIST has written the rules for many agencies. The security rule provided guidance in creating and implementing security for electronic data. The Department of Health and Human Services (DHHS) created the Security Standards Matrix to assist covered entities and their business associates in understanding this complex rule. With that said, it was and still is very complex and confusing.
In the following pages we hope to explain these security standards to give you a better understanding of what all of this means, so you can secure your data to the best of your ability.
First, the security rule is NOT just a scan of your computer network. Yes, this is necessary, but this is just a small portion of what is required.
A thorough security risk analysis (SRA) is an analysis of what you have in place to protect data, namely your Electronic Protected Health Information (ePHI). This analysis includes Administrative, Physical, and Technical Safeguards as well as Organizational Requirements, and Policies, Procedures, and Documentation you have in place to protect patient data.
Under the Security Rule, some covered entities are confused when the terms “Required” (R) vs “Addressable” (A) are used. The easiest way to explain this is, “Required” means, the security standard must be implemented as stated and all covered entities even small providers must adhere to the implementation specifications. “Addressable” means they are more than one method available to meet the same criteria, therefore more flexible based on the organizations size and method of workflow. So, rather than focusing on whether or not a security standard is required or not, focus on protecting patient data to the best of your ability.
Let’s get started!
The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” The Administrative Safeguards comprise over half of the HIPAA Security requirements. As with all the standards in this rule, compliance with the Administrative Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to each covered entity.
Security Management Process 45 CFR § 164.308(a)(1)(i) This required security standard sets the outline for the entire security rule process by stating covered entities must implement policies and procedures to prevent, detect, contain, and correct security violations.
Risk Analysis 45 CFR § 164.308(a)(1)(ii)(A) A risk analysis of your organization’s policies, procedures, and documentation to protect ePHI is required to be performed. This process includes Administrative, Physical, and Technical Safeguards you have in place. Most heavy fines from the Office for Civil Rights (OCR), which is the agency that enforces HIPAA, are assigned due to the lack of a thorough risk analysis.
Risk Management 45 CFR § 164.308(a)(1)(ii)(B) Once vulnerabilities have been identified, you are required to put a Risk Management Plan in place to bring risks and vulnerabilities to within reasonable and appropriate levels based on the size of the organization. One size does not fit all. Depending on how you access and store ePHI, will determine which security measures are necessary.
Sanction Policy 45 CFR § 164.308(a)(1)(ii)(C) A tiered sanction policy should outline what will happen to an employee should they violate a patient’s privacy, or the organizations policies and procedures. This will include additional training requirements, suspensions, and even termination.
Information System Activity Review 45 CFR § 164.308(a)(1)(ii)(D) This is how you will monitor your employees and authorized persons or companies that access your ePHI. This process can also detect outside access to your information system. This is commonly known as audit or access logs. This is a time-consuming task, and many organizations seek help from third parties to assist them.
Let Aris work with you for an easy online path to HIPAA compliance