HIPAA Security Rule
The HIPAA Security Rule is focused explicitly on electronic protected health information (ePHI). It sets forth data protection standards and implementation specifications for all Covered Entities and Business Associates that create, receive, maintain, or transmit ePHI.
Failure to comply with the HIPAA Security Rule can result in severe civil penalties and, for knowing misuse of health information, criminal prosecution. The HIPAA Security Rule preempts contrary state law unless the state law is more stringent or the Secretary of the U.S. Department of Health and Human Services (HHS) grants an exception.
Let’s jump in and learn:
HIPAA Security Rule History
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. HHS then issued the HIPAA Privacy Rule, with compliance required from April 2003.
The Privacy Rule covers protected health information (PHI) in any form, whether paper, oral, or electronic; the broader Administrative Simplification provisions also cover identifiers, transactions, and code sets. It set forth rules for how PHI may be used and disclosed, in general requiring patient authorization before their information is used for marketing or research and requiring an opt-out for fundraising communications. It also gave patients the right to request restrictions on disclosures, including to a health plan for care they paid for out of pocket (a restriction that covered entities became obliged to honor under the 2013 Omnibus Rule).
“Any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.” U.S. Department of Health and Human Services description of protected health information (PHI); ePHI is PHI that is created, received, maintained, or transmitted in electronic form.
The HIPAA Security Rule was published in 2003 and took effect for most covered entities in April 2005 (small health plans had until April 2006). It gave specific direction on the administrative, physical, and technical safeguards for ePHI that covered entities had to have in place in order to be HIPAA compliant.
In 2006, HIPAA was strengthened on the enforcement front because many covered entities were failing to comply with the HIPAA Privacy and Security Rules. The HIPAA Enforcement Rule set out the procedures for HHS investigations, hearings, and civil money penalties for avoidable breaches of patients’ information.
With the HIPAA Enforcement Rule came significant civil money penalties if the mandated safeguards were not followed. Civil enforcement is handled by the Department's Office for Civil Rights (OCR); criminal violations are referred to the U.S. Department of Justice. Individuals can file complaints with OCR, but HIPAA does not create a private right of action, so patients cannot sue under HIPAA itself for unauthorized disclosure of ePHI.
Among the key changes of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was that Business Associates became directly liable for complying with the HIPAA Security Rule and the applicable Privacy Rule provisions, where previously only Covered Entities (health plans, health care clearinghouses, and health care providers) were directly subject to them. The HITECH Act also raised the penalty tiers and accelerated the adoption of electronic health records (EHRs).
HITECH also introduced the HIPAA Breach Notification Rule, which established requirements for patient notification in the event of a breach of unsecured PHI. Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery, must notify HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, must notify prominent media outlets. Business Associates must notify the covered entity of breaches they discover.
The HIPAA Omnibus Rule of 2013 did not include much new legislation. It implemented the HITECH Act's changes in regulation, clarified and augmented existing HIPAA requirements, and merged the HIPAA and HITECH rules into a single set of regulations.
Key Dates in HIPAA History at a Glance
- August 1996—HIPAA signed into law
- April 2003—effective date of the HIPAA Privacy Rule
- April 2005—effective date of the HIPAA Security Rule
- March 2006—effective date of the HIPAA Enforcement Rule
- February 2009—HITECH Act signed into law
- September 2009—effective date of the Breach Notification Rule
- March 2013—effective date of the Final Omnibus Rule
HIPAA Security Rule Risk Assessment
No specific methodology is prescribed by HHS for HIPAA Security Rule risk assessments, because Covered Entities and Business Associates differ significantly in size, complexity, and capabilities. HHS does, however, state that the objective of a HIPAA Security Rule risk assessment is to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI that a Covered Entity or Business Associate creates, receives, maintains, or transmits.
Several steps that should be taken as part of HIPAA Security Rule risk assessments include:
- Identify where ePHI is stored, received, maintained, or transmitted.
- Track and document potential threats and vulnerabilities.
- Evaluate security measures that are in place to safeguard ePHI.
- Assess whether the current security measures are used properly and if there are any gaps.
- Determine the likelihood of a “reasonably anticipated” threat.
- Scope the potential impact of unauthorized access to or breach of ePHI.
- Establish risk levels for each likelihood and impact combination.
The results of HIPAA Security Rule risk assessments should be documented, and appropriate mitigation measures taken. Risk assessments should be repeated periodically to account for changes in workflows, technologies, and rules. While HHS does not dictate the frequency of reviews, an annual review, plus a review after any significant change to systems or operations, is the common recommendation.
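The steps above translate directly into a small risk register: inventory where ePHI lives, pair each location with the threats and vulnerabilities that apply to it, compare the safeguards actually in place with those expected, and rate each pair by likelihood and impact so the documented results can be worked top-down. The following is an added example written for this page; it is not an HHS or NIST artifact. The 5x5 scoring matrix, the HIGH/MEDIUM/LOW thresholds, the safeguard names, and the sample inventory are all constructed assumptions, not values from the rule.

```python
"""Risk register for a HIPAA Security Rule risk assessment (added example).

Assumptions, not rule text: a 5x5 likelihood x impact matrix, the banding
thresholds, the safeguard labels and the sample inventory are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Impact(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


@dataclass(frozen=True)
class EphiAsset:
    """Step 1: a place where ePHI is created, received, maintained or transmitted."""
    name: str
    location: str
    safeguards: frozenset[str]  # controls actually in place today


@dataclass(frozen=True)
class Threat:
    """Step 2: a reasonably anticipated threat exploiting a vulnerability."""
    asset: str
    description: str
    vulnerability: str
    likelihood: Likelihood
    impact: Impact
    expected_safeguards: frozenset[str]  # controls that should be present


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    score: int
    level: str
    gaps: frozenset[str]  # expected safeguards missing on the asset


def risk_level(likelihood: Likelihood, impact: Impact) -> tuple[int, str]:
    """Assumed matrix: score = likelihood * impact, banded into three levels."""
    score = int(likelihood) * int(impact)
    if score >= 15:
        return score, "HIGH"
    if score >= 8:
        return score, "MEDIUM"
    return score, "LOW"


def assess(assets: list[EphiAsset], threats: list[Threat]) -> list[RiskEntry]:
    """Steps 3-7: evaluate safeguards, record gaps, rate likelihood x impact.

    A threat that names an asset missing from the inventory is an inventory
    error, not a low risk, so it is rejected rather than silently skipped.
    Entries come back highest risk first for the mitigation plan.
    """
    by_name = {a.name: a for a in assets}
    entries = []
    for t in threats:
        if t.asset not in by_name:
            raise ValueError(f"threat references unknown ePHI asset: {t.asset!r}")
        score, level = risk_level(t.likelihood, t.impact)
        gaps = t.expected_safeguards - by_name[t.asset].safeguards
        entries.append(RiskEntry(t.asset, t.description, t.vulnerability,
                                 score, level, frozenset(gaps)))
    return sorted(entries, key=lambda e: (-e.score, e.asset))


def render_report(entries: list[RiskEntry]) -> str:
    """The documented result the rule expects: one line per risk, gaps listed."""
    lines = []
    for e in entries:
        gaps = ", ".join(sorted(e.gaps)) or "none"
        lines.append(f"[{e.level:6}] {e.score:2d}  {e.asset}: {e.threat} "
                     f"(vuln: {e.vulnerability}; missing: {gaps})")
    return "\n".join(lines)


def sample_register() -> tuple[list[EphiAsset], list[Threat]]:
    """Constructed sample inventory for illustration, not real data."""
    assets = [
        EphiAsset("EHR database", "on-premises SQL server",
                  frozenset({"encryption_at_rest", "unique_user_ids",
                             "audit_logging", "backups"})),
        EphiAsset("Clinician laptops", "mobile endpoints",
                  frozenset({"unique_user_ids"})),
        EphiAsset("Billing feed", "SFTP transmission to clearinghouse",
                  frozenset({"encryption_in_transit"})),
    ]
    threats = [
        Threat("Clinician laptops", "Lost or stolen laptop", "no full-disk encryption",
               Likelihood.LIKELY, Impact.MAJOR,
               frozenset({"encryption_at_rest", "automatic_logoff"})),
        Threat("EHR database", "Ransomware on database host", "unpatched OS",
               Likelihood.POSSIBLE, Impact.SEVERE,
               frozenset({"backups", "malware_protection", "audit_logging"})),
        Threat("EHR database", "Insider browsing records without need",
               "no periodic access review", Likelihood.POSSIBLE, Impact.MODERATE,
               frozenset({"audit_logging", "unique_user_ids"})),
        Threat("Billing feed", "Interception of claims data in transit",
               "plaintext FTP fallback allowed", Likelihood.UNLIKELY, Impact.MODERATE,
               frozenset({"encryption_in_transit", "integrity_controls"})),
    ]
    return assets, threats


if __name__ == "__main__":
    print(render_report(assess(*sample_register())))
```

Running the script prints the register sorted by score, with the lost-laptop scenario (likely, major, two missing safeguards) at the top and the billing feed (unlikely, moderate) at the bottom. The `gaps` field is what a reviewer will ask for: it ties each rated risk to a concrete, documentable mitigation rather than a bare score.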
The HIPAA Security Rule Assessment Tool
In an effort to ease the burden of conducting a HIPAA Security Rule risk assessment, OCR and the Office of the National Coordinator for Health Information Technology (ONC) released a downloadable Security Risk Assessment (SRA) Tool in 2014. With more than 150 questions about the confidentiality, integrity, and availability of ePHI, the SRA Tool is designed to help small and medium-sized organizations independently conduct a risk assessment as directed by the HIPAA Security Rule.
The tool runs locally and stores all answers on the user’s system; no information is received, collected, viewed, stored, or transmitted by HHS. The results of the assessment are aggregated into a report. While not a guarantee of compliance, the SRA Tool helps organizations evaluate their compliance posture and identify vulnerabilities.
The HIPAA Security Rule Toolkit
The NIST HIPAA Security Rule (HSR) Toolkit is a self-assessment application for Covered Entities, Business Associates, and other related organizations (e.g., those that provide HIPAA Security Rule implementation, assessment, and compliance services), ranging in size from large national health plans to small health care providers. It was created to help organizations understand and implement systems to meet the requirements of the HIPAA Security Rule and assess the efficacy of deployments. It is also meant to identify conditions where ePHI could be disclosed without proper authorization or improperly modified.
The HSR Toolkit reviews the more than 40 implementation specifications identified in the HIPAA Security Rule. It covers:
- Basic security practices, including questions related to defining and managing access, backups, recoveries, and physical security
- Security failures, including legal items to handle after an incident, such as breach notifications
- Risk management questions, including how periodic reviews and evaluations as well as regular functions, such as continuous monitoring, are addressed
- Personnel questions, including access to information as well as the onboarding and offboarding of staff
HIPAA Security Rule Safeguards
The HIPAA Security Rule groups its standards into three types of safeguards. Most standards carry implementation specifications that are either required (R) or addressable (A). A required specification must be implemented as written. For an addressable specification, a Covered Entity or Business Associate assesses whether it is reasonable and appropriate in its environment: if it is, it must be implemented; if it is not, the entity must document why and implement an equivalent alternative measure where reasonable and appropriate. Addressable does not mean optional.
- Administrative safeguards
- Physical safeguards
- Technical safeguards
Administrative Safeguards
- Security management process
  - Risk analysis (R)
  - Risk management (R)
  - Sanction policy (R)
  - Information system activity review (R)
- Assigned security responsibility (R)
- Workforce security
  - Authorization and/or supervision (A)
  - Workforce clearance procedure (A)
  - Termination procedures (A)
- Information access management
  - Isolating health care clearinghouse functions (R)
  - Access authorization (A)
  - Access establishment and modification (A)
- Security awareness and training
  - Security reminders (A)
  - Protection from malicious software (A)
  - Log-in monitoring (A)
  - Password management (A)
- Security incident procedures
  - Response and reporting (R)
- Contingency plan
  - Data backup plan (R)
  - Disaster recovery plan (R)
  - Emergency mode operation plan (R)
  - Testing and revision procedures (A)
  - Applications and data criticality analysis (A)
- Evaluation (R)
- Business Associate contracts and other arrangements (R)
Physical Safeguards
- Facility access controls
  - Contingency operations (A)
  - Facility security plan (A)
  - Access control and validation procedures (A)
  - Maintenance records (A)
- Workstation use (R)
- Workstation security (R)
- Device and media controls
  - Disposal (R)
  - Media re-use (R)
  - Accountability (A)
  - Data backup and storage (A)
Technical Safeguards
- Access control
  - Unique user identification (R)
  - Emergency access procedure (R)
  - Automatic logoff (A)
  - Encryption and decryption (A)
- Audit controls (R)
- Integrity
  - Mechanism to authenticate ePHI (A)
- Person or entity authentication (R)
- Transmission security
  - Integrity controls (A)
  - Encryption (A)
HIPAA Security Rule Documentation
Among the documentation that Covered Entities must maintain under the HIPAA Security Rule is:
- Assigned security responsibility: the person or people responsible for developing and implementing security policies and procedures
- Business Associate agreements: written agreements or contracts for all vendors, contractors, and other Business Associates that create, receive, maintain, or transmit ePHI on behalf of the Covered Entity
- Contingency plan: policies and procedures for data backup, disaster recovery, and emergency-mode operations
- Evaluations: written results of the assessment of security plans and procedures related to HIPAA compliance
- Security awareness and training: materials that detail the security awareness education program for the entire workforce
- Security incident procedures: details about how incidents will be identified, remediated, and reported
- Security management processes: details about policies and procedures for preventing, detecting, containing, and correcting violations, including risk analysis and risk management
- Workforce security: details about policies and procedures for managing workforce access to ePHI, including authorization, supervision, clearance, and termination
Protections that Benefit Patients and Organizations
Like many regulations, the HIPAA Security Rule requires ongoing effort to maintain compliance. The upside is an overall up-leveling of security that protects not just ePHI but all other sensitive information the organization holds. HIPAA Security Rule compliance also builds patient trust and loyalty, and with them profitability and differentiation.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers worldwide.
Last Updated: 9th March, 2022