HIPAA is a huge piece of legislation. Only a small portion of it applies to IT providers in healthcare; mostly the Security Rule.
The HIPAA Security Rule outlines how “electronic protected health information” (ePHI) must be handled. But even within this slice of HIPAA there are parts that affect IT providers very little.
Below, we outline the parts of the HIPAA Security Rule that affect IT most.
What is the HIPAA Security Rule?
First, let’s be clear about the Security Rule. It’s not a rule – it’s a whole bunch of rules that fall under HIPAA.
The U.S. Department of Health and Human Services defines the Security Rule as the following sections of the Code of Federal Regulations Title 45:
- Part 160 – General Administrative Requirements
- Part 164 – Subpart A – General Provisions
- Part 164 – Subpart C – Security Standards for the Protection of Electronic Protected Health Information
Here’s the thing: only the last section above has a large number of requirements for IT. The rest of the Security Rule may be important for your lawyer or compliance officer to review, but it’s not something you will deal with regularly.
Important parts of the HIPAA Security Rule
So now that we’ve narrowed down the most important section of HIPAA for IT providers, let’s outline the five main parts of the Security Rule to be aware of:
- 164.308 – Administrative safeguards
- 164.310 – Physical safeguards
- 164.312 – Technical safeguards
- 164.314 – Organizational requirements
- 164.316 – Policies and procedures and documentation requirements
#1: Administrative safeguards (§164.308 )
Administrative Safeguards are the elements that have to be in place to manage a healthcare provider’s security.
They are functions that are designed to help manage, execute, and evaluate security measures that protect ePHI. They also help ensure proper management of business associates so that ePHI is properly protected.
Examples of the Administrative Safeguards that apply to any HIPAA-covered healthcare provider:
- Evaluations of existing security measures, as well an analysis of potential risks and vulnerabilities to ePHI
- Sanctioning system for those who fail to comply with security policies
- Review procedures for information system activity
- Identification of officials who implement security policies and procedures ( i.e. “assigned security responsibility”)
- Authorization measures to protect ePHI from unauthorized access or use
- Clearance procedures provided for workforce members, as well as mandatory security awareness and training programs
- Response and reporting procedures for addressing security incidents, such as physical break-ins, virus attacks, and lost or stolen passwords
- Contingency plans to respond to disruptions in critical business operations
Related: How AccessEnforcer Fits HIPAA
#2: Physical safeguards (§164.310 )
Physical safeguards prevent thieves from grabbing a system and running out the front door. They are the measures that physically protect information systems, as well as the buildings and equipment that handle or store healthcare data.
These safeguards are fairly straightforward and mostly require organizations to document how they will use, protect, and manage physical information systems. They are broken broken down into the following four types:
- Workstation use – The organization must lay out the appropriate functions for any electronic computing device, including laptops, desktops, and other devices that store electronic media. Though seemingly mundane, this is an important consideration since inappropriate use (such as using a workstation to visit online gambling sites) can expose the organization to greater risks.
- Workstation security – The organization must identify all workstations that have access to ePHI and whether or not access to a workstation needs to be restricted (i.e. keeping a workstation in a locked room).
- Facility access controls – Policies that protect and limit access to facilities where information systems are located must also be identified (i.e. authorization measures, ID badges, surveillance cameras).
- Device and media controls – The organization must document and follow measures for handling the receipt and removal of hardware and media that contain ePHI into and out of a facility.
#3. Technical safeguards (§164.312 )
The Security Rule gets more specific in the section on Technical Safeguards. Here HIPAA lists “implementation specifications” for IT systems that will handle and protect ePHI.
For example, standards are included for the following:
- Access controls – Healthcare organizations need systems in place to allow access to ePHI only to people and systems that have a legitimate reason. The access controls should include unique user identification, emergency access procedures, automatic logoff, and data encryption.
- Audit controls – Mechanisms must be in place to record and examine activity in formation systems that contain ePHI. These audits are helpful for determining if a security breach occurred.
- Integrity – Policies and procedures must be in place to protect health data from improper alteration or destruction. For example, health organizations need to validate that health data has not been tampered with.
- Authentication – People and entities that seek to access ePHI must be verified as legitimate. This can be accomplished by providing proof of identity, such as by supplying a password or pin, smartcard, or a biometric indicator.
- Transmission security – ePHI must also be protected from unauthorized access while in transit. This includes measures to ensure the data has not been modified while in transit, and the use of encryption to protect the data should the transmission be intercepted.
The Technical Safeguards in HIPAA’s Security Rule does list the types of protections healthcare organizations must have in place. However, it stops short of specifying the exact technology they should use (for example, organizations must use “encryption,” but a specific type is not specified).
Related: How AccessEnforcer Fits HIPAA
#4: Organizational requirements (§164.314 )
Healthcare organizations are required to have a contract or other agreement with their business associates under the Organizational Requirements. This section also specifies the criteria for the contracts.
For example, when your client hands you a BA agreement to sign, expect to see clauses that require you to do the following:
- Agree to implement safeguards to protect ePHI and ensure that any subcontractors do the same
- Agree to report any security incident you become aware of
- Authorize the client to terminate the contract if you violate any part of it
Note: the Organizational Requirements also include information for group health plans. This section may not affect you, but just be aware that that group plan sponsors must protect any ePHI they work with on behalf of the plan. This requirement must be listed in the plan document, using language similar to the safeguard requirements in business associate contracts.
#5: Policies and procedures and documentation requirements (§164.316 )
This section requires healthcare organizations to adopt Policies and Procedures to meet HIPAA’s guidelines. These items must be documented and maintained, and they can be changed at any time.
In case you are unsure of these terms:
- Security policy – a written outline of how you will protect and maintain the organization’s IT assets. The term “policy” may refer to a specific area, such as an email policy, or an overarching plan to protect all IT resources.
- Security procedure – a series of written steps to follow in a given situation. For example, a virus response procedure would list the steps to be taken once a computer on the system was shown to be infected by a virus.
HIPAA does not specify the policies and procedures organizations must have in place. However, it does require organizations to have them and document them.
The documents must be maintained for six years after their creation or last effective date, and they must be regularly updated to reflect any changes that may affect the security of ePHI.
Here you can find good examples of security policies and procedures used by the London School of Economics.
Thanks to the “Flexibility of Approach” provisions in HIPAA, your client can tailor their policies and procedures to fit the size and current practices of the healthcare establishment, as long as the following factors are considered:
- The size, complexity and capabilities of the organization
- The organization’s technical infrastructure, hardware, and software security capabilities
- The costs of security measures
- The probability and criticality of potential risks to ePHI
A solid understanding of these four sections of the Security Rule will help you know what type of requirements and safeguards you’ll need to follow when serving your healthcare clients.