What Specific HIPAA Security Requirements Does the Security Rule Dictate?
The Security Rule requires entities to analyze their security needs and implement appropriate, effective security measures in line with HIPAA security requirements.
The Security Rule does not dictate what specific HIPAA security requirements or measures must be used by a given organization of a particular size; as such, entities have some leeway to decide what security measures will work most effectively for them.
What the Security Rule does require is that entities, when implementing security measures, consider the following things:
- Their size, complexity, and capabilities;
- Their technical hardware, and software infrastructure;
- The costs of security measures; and
- The likelihood and possible impact of the potential risk to ePHI.
The Security Rule also requires that covered entities don’t “sit still” – covered entities must continually review and modify their security measures to ensure ePHI is protected at all times.
What are the Three Standards of the HIPAA Security Rule?
The HIPAA Security Rule contains what are referred to as three required standards of implementation. Covered entities and BAs must comply with each of these.
The Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical.
What are Administrative Safeguards?
The Security Rule administrative safeguard provisions require CEs and BAs to perform a risk analysis. Performing a risk analysis helps you to determine what security measures are reasonable and appropriate for your organization.
A risk analysis process includes the following activities:
- Evaluating the likelihood and impact of potential risks to ePHI;
- Implementing appropriate security measures to address the risks identified in the risk analysis;
- Documenting the chosen security measures and, where required, the rationale for adopting those measures; and
- Maintaining continuous, reasonable, and appropriate security protections.
Risk analysis should be an ongoing process.
What Are Physical Safeguards?
Physical safeguards protect the physical security of your offices where ePHI may be stored or maintained. Common examples of physical safeguards include:
- Alarm systems;
- Security systems; and
- Locking areas where ePHI is stored.
Physical safeguard control and security measures must include:
- Facility Access and Control Measures: Covered entities and business associates must limit physical access to facilities, while allowing authorized access to ePHI.
- Workstation and Device Security: Covered entities and business associates must:
- Implement policies and procedures to specify proper use of and access to workstations and electronic media.
- Have policies and procedures for the transfer, removal, disposal, and re-use of electronic media.
What are Technical Safeguards?
Technical safeguards include measures – including firewalls, encryption, and data backup – to implement to keep ePHI secure. These safeguards consist of the following:
- Access Controls: Implementing technical policies and procedures that allow only authorized persons to access ePHI.
- Audit Controls: Implementing hardware, software, and/or procedural mechanisms to record and examine access in information systems that contain or use ePHI.
- Integrity Controls: Implementing policies and procedures to ensure that ePHI has not been, and will not be, improperly altered or destroyed.
- Transmission Security: Implement technical security measures that guard against unauthorized access to ePHI that is transmitted over an electronic network.