HIPAA is a huge piece of legislation. Only a small portion of it applies to IT providers in healthcare; mostly the Security Rule.
The HIPAA Security Rule outlines how “electronic protected health information” (ePHI) must be handled. But even within this slice of HIPAA there are parts that affect IT providers very little.
Below, we outline the parts of the HIPAA Security Rule that affect IT most.
First, let’s be clear about the Security Rule. It’s not a rule – it’s a whole bunch of rules that fall under HIPAA.
The U.S. Department of Health and Human Services defines the Security Rule as the following sections of the Code of Federal Regulations Title 45:
Here’s the thing: only the last section above has a large number of requirements for IT. The rest of the Security Rule may be important for your lawyer or compliance officer to review, but it’s not something you will deal with regularly.
So now that we’ve narrowed down the most important section of HIPAA for IT providers, let’s outline the five main parts of the Security Rule to be aware of:
Administrative Safeguards are the elements that have to be in place to manage a healthcare provider’s security.
They are functions that are designed to help manage, execute, and evaluate security measures that protect ePHI. They also help ensure proper management of business associates so that ePHI is properly protected.
Examples of the Administrative Safeguards that apply to any HIPAA-covered healthcare provider:
Physical safeguards prevent thieves from grabbing a system and running out the front door. They are the measures that physically protect information systems, as well as the buildings and equipment that handle or store healthcare data.
These safeguards are fairly straightforward and mostly require organizations to document how they will use, protect, and manage physical information systems. They are broken down into the following four types:
The Security Rule gets more specific in the section on Technical Safeguards. Here HIPAA lists “implementation specifications” for IT systems that will handle and protect ePHI.
For example, standards are included for the following:
The Technical Safeguards in HIPAA’s Security Rule list the types of protections healthcare organizations must have in place. However, they stop short of specifying the exact technology to use (for example, organizations must use “encryption,” but no specific algorithm or product is named).
#4: Organizational requirements (§164.314)
Healthcare organizations are required to have a contract or other agreement with their business associates under the Organizational Requirements. This section also specifies the criteria for the contracts.
For example, when your client hands you a BA agreement to sign, expect to see clauses that require you to do the following:
Note: the Organizational Requirements also include provisions for group health plans. This section may not affect you, but be aware that group plan sponsors must protect any ePHI they work with on behalf of the plan. This requirement must be listed in the plan document, using language similar to the safeguard requirements in business associate contracts.
This section requires healthcare organizations to adopt Policies and Procedures to meet HIPAA’s guidelines. These items must be documented and maintained, and they can be changed at any time.
In case you are unsure of these terms:
HIPAA does not specify the policies and procedures organizations must have in place. However, it does require organizations to have them and document them.
The documents must be maintained for six years after their creation or last effective date, and they must be regularly updated to reflect any changes that may affect the security of ePHI.
Here you can find good examples of security policies and procedures used by the London School of Economics.
Thanks to the “Flexibility of Approach” provisions in HIPAA, your client can tailor their policies and procedures to fit the size and current practices of the healthcare establishment, as long as the following factors are considered:
A solid understanding of these four sections of the Security Rule will help you know what type of requirements and safeguards you’ll need to follow when serving your healthcare clients.