What Do the HIPAA Security Standards Require Organizations to Do?
The HIPAA security standards and HIPAA security procedures require healthcare providers to protect electronically stored protected health information about a patient. The HIPAA Security Rule requires providers and their business associates to implement specific administrative, physical, and technical safeguards.
HIPAA security standards, or HIPAA security procedures, require organizations to undertake four basic security measures. These include:
◈ Ensuring the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, stores, or transmits.
◈ Protecting against any reasonably anticipated threats or hazards to the security or integrity of such information.
◈ Protecting against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
◈ Ensuring the covered entity or business associate’s workforce complies with the HIPAA Security Rule.
These basic security measures are built into required technical safeguards, physical safeguards, and administrative safeguards.
HIPAA Security Standards: Technical Safeguards
HIPAA Security Rule technical safeguards are defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Technical safeguards address access controls, data in motion, and data at rest requirements. Organizations must implement technical safeguard policies and procedures. Enforcement of these policies and procedures ensures that ePHI access is restricted to only those individuals who have been granted access rights. Enforcement ensures that unauthorized workforce members do not transmit, use, or disclose electronic protected health information.
HIPAA Security Standards: Physical Safeguards
HIPAA security standards, or HIPAA security procedures, also require organizations to ensure that electronic data is kept physically secure. Electronic data is kept physically secure through facility access controls, workstation use security measures, and device and media controls.
A “facility” is a physical location where PHI-related functions are performed. Facility access controls are implemented by developing contingency operations and facility security plans. Contingency operations are HIPAA security procedures outlining what a provider must do in the event of data loss as a result of a disaster or emergency. Providers must have an emergency mode operations plan that indicates what systems should be restored first. The HIPAA security standards do not require that the plan follow an exact format, but the HIPAA security standards do require that a plan that is reasonable and appropriate, taking into account an entity’s size and operations, be created and maintained.
Facility security plans are policies and procedures outlining what individuals have authorization to access facilities and equipment (i.e., computer terminals, servers, databases) containing ePHI. Individuals who do not have such authorization may be required by a covered entity to sign a confidentiality agreement, under which the individual agrees to avoid accessing PHI, and under which the individual agrees to keep confidential any ePHI accidentally discovered through no fault of their own.
Physical safeguards also include access control and validation procedures. These requirements serve to align a workforce member’s access to ePHI with their role in the organization. Physical safeguards also require organizations to keep maintenance records, such as records of outside services coming into the facility. Policies and procedures that document repairs and modifications to a facility’s physical components must be maintained.
Physical safeguards must address workstation use and security. Workstation access must be regulated to ensure unauthorized individuals do not access ePHI. Workstations must be physically secured to prevent unauthorized PHI use or disclosure.
Physical safeguards must also address device and media controls. Here, entities are required to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.”
HIPAA Security Standards: Administrative Safeguards
HIPAA Security Rule administrative safeguards consist of administrative actions, policies, and procedures. These actions, policies, and procedures are used to manage the selection, development, and implementation of security measures.
45 CFR § 164.308(a) contains the administrative safeguard “commandments.” It requires covered entities and business associates to:
◈ Implement a security management process that includes a security risk analysis, a sanctions policy and a risk management policy.
◈ Designate a security official, who will be responsible for the development and implementation of Security Rule policies and procedures.
◈ Implement workforce security measures through policies and procedures. These policies and procedures outline who has and who does not have ePHI access, and prohibit those workforce members who are not given access to ePHI from obtaining it.
◈ Implement policies and procedures for authorizing access to electronic protected health information.
◈ Implement a security awareness and training program for all workforce members, including management.
◈ Implement policies and procedures to address security incidents (data breaches).
◈ Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI.
◈ Perform a periodic technical and nontechnical evaluation that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of the Security Rule.