What Are HIPAA Safeguards?
HIPAA safeguards protect the confidentiality, integrity, and availability of protected health information. HIPAA requires you to implement what are referred to as administrative, physical, and technical safeguards.
To implement administrative safeguards you must first perform a risk analysis. Performing a risk analysis helps you to determine what security measures are reasonable and appropriate for your organization.
When conducting a security risk analysis you:
- Evaluate the likelihood and impact of potential risks to ePHI;
- Implement appropriate security measures to address the risks identified in the risk analysis;
- Document the chosen security measures and the rationale for adopting those measures; and
- Maintain continuous, reasonable, and appropriate security protections.
Administrative safeguards must include:
- Implementing security and risk management processes.
- Designating a security official, who will be responsible for the development and implementation of Security Rule policies and procedures. As a healthcare CISO, this will likely be you.
- Implementing workforce security measures such as designating and creating processes for PHI access levels, preventing unauthorized PHI access, and training employees.
- Implementing policies and procedures to address security incidents.
- Establishing policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI.
- Performing a periodic technical and nontechnical evaluation that establishes the extent to which security policies and procedures meet the requirements of the Security Rule.
Physical safeguards protect the physical security of your offices where PHI or ePHI may be stored or maintained.
Physical safeguards must include:
- Facility access and control measures to limit physical access to facilities, while allowing authorized access to ePHI.
- Workstation and device security including specifying proper use of and access to workstations and electronic media, in the form of written policies and procedures. Policies and procedures must also dictate processes for the transfer, removal, disposal, and re-use of electronic media.
Common examples of physical safeguards include:
- Alarm systems;
- Security systems; and
- Locking areas where PHI is stored.
Technical safeguards include measures to restrict and track access to ePHI.
In addition to firewalls, encryption, and data backup, technical safeguards should include:
- Access controls to limit ePHI access to only authorized individuals.
- Audit controls to track who access what data, how long they access it for, and how frequently they access it.
- Integrity controls to ensure that ePHI has not been, and will not be, improperly altered or destroyed.
- Transmission security to prevent unauthorized access to ePHI that is transmitted over an electronic network.
How Can You Make Sure You’re Covered?
Even as a seasoned Chief Information Security Officer, it can be difficult to keep track of what your organization needs to have in place to be HIPAA compliant, especially as HIPAA rules and regulations change over time. This is why you should work with a HIPAA expert to ensure that you are doing everything that is required of you.
Compliancy Group gives you all the tools that you need to be a successful healthcare CISO. We assign you a dedicated Compliance Coach to walk you through every step of implementing an effective HIPAA compliance program.
- Guided risk assessment, and other required HIPAA self-audits
- Gap identification and remediation
- HIPAA Security, Privacy, and Breach Notification policies and procedures
- Employee HIPAA, policy and procedure, and cybersecurity training
- Business associate agreements
- Incident response and audit support
Get the HIPAA guidance and support you need by speaking with us today!