What are the HIPAA Security Rule Broader Objectives?
The Security Rule is designed to protect the confidentiality of electronic protected health information, or ePHI. To the extent the Security Rule requires measures to keep protected health information confidential, the Security Rule and the Privacy Rule are in alignment. The HIPAA Security Rule broader objectives are to promote and secure the integrity of ePHI, and the availability of ePHI. These HIPAA Security Rule broader objectives are discussed in greater detail below.
What are the HIPAA Security Rule Broader Objectives: The Integrity of ePHI
The Security Rule defines the phrase “integrity” as “the property that data or information have not been altered or destroyed in an unauthorized manner.” The HIPAA Security Rule’s broader objectives promote the integrity of ePHI by requiring covered entities and business associates to protect ePHI from improper alteration or destruction.
ePHI that is improperly altered or destroyed can compromise patient safety. Covered entities and business associates must be able to identify both workforce and non-workforce sources that can compromise integrity. An example of a workforce source that can compromise the integrity of ePHI is when an employee accidentally or intentionally makes changes that improperly alter or destroy ePHI.
Such changes can include accidental file deletion, or typing in inaccurate data. An example of a non-workforce compromise of integrity occurs when electronic media, such as a hard drive, stops working properly, or fails to display or save information.
To ensure that the HIPAA Security Rule’s broader objectives of promoting the integrity of ePHI are met, the rule requires that, when it is reasonable and appropriate to do so, covered entities and business associates implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner (45 CFR § 164.312(c)(2)).
To determine which electronic mechanisms to implement to ensure that ePHI is not altered or destroyed in an unauthorized manner, covered entities must consider the various risks to the integrity of ePHI identified during the security risk assessment. Once these risks have been identified, covered entities and business associates must identify security objectives that will reduce these risks.
What are the HIPAA Security Rule Broader Objectives: The Availability of ePHI
The second of the two HIPAA Security Rule broader objectives is to ensure the availability of ePHI. According to the Security Rule’s broad objectives, “availability” means “the property that data or information is accessible and usable upon demand by an authorized person. To ensure this availability, the HIPAA Security Rule requires that covered entities and business associates take the following measures:
Access authorization measures. Access authorization measures require a covered entity or a business associate to implement policies and procedures for granting access to ePHI to authorized persons, through workstations, transactions, programs, processes, or other mechanisms.
Access establishment and modification measures. Access establishment and modification measures require development of policies and procedures that establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
Access control and validation procedures. These procedures require covered entities and business associates to control and validate a person’s access to facilities based on their role or function.
Access control. Covered entities and business associates must implement technical policies and procedures for electronic information systems that maintain electronic protected health information, to allow access only to those persons or software programs that have been granted access rights.