Guarding patients’ protected health information is a mandatory aspect of healthcare today. HIPAA was originally set forth to regulate how and when medical information can be disclosed, but there were gaps. To fill these gaps, HHS developed a series of additional rules. The Security Rule is one of them.
WHAT IS HIPAA
The United States passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to improve the safety and privacy of medical information following the advent of electronic health records (EHR). Before this, there weren’t federal laws to regulate the protection and exchange of medical records.
Instead, the handling of medical records was largely unregulated. While most healthcare providers would act reasonably, there were plenty of issues. For example, patients couldn’t always get copies of their medical records. Their employers, however, could acquire them via their health insurance provider.
Additionally, because EHR technology was fairly new, it was not a guarantee that these services were constantly updated for security. In many cases, there was little stopping these companies from using mediocre security measures to save money on development.
These issues and more continued until the Department of Health and Human Services (HHS) intervened by creating HIPAA. This defined important terms like protected health information (PHI) and set regulatory baselines for how medical information can be disclosed.
As the healthcare industry continues to evolve with the development of new, better technologies, HHS works hard to maintain protections. For example, consider how much the internet has changed since 1996.
Slate wrote an article about what the internet was like in 1996, citing that Americans with internet access spent an average of fewer than 30 minutes online every month. That’s wildly different than today. Now, many people spend 30 minutes online the moment they wake up.
Hacking was simpler, but there were far fewer resources to teach people how. There was no YouTube; there wasn’t even Google in 1996. If security guidelines today were the same as they were in 1996, they would likely be insufficient.
WHAT IS THE SECURITY RULE
In 2005, HHS passed the Security Rule as the second major regulatory addition to HIPAA. This came 2 years after HHS wrote the Privacy Rule, which enhanced patients’ rights and protections regarding protected health information.
The Privacy Rule limits who can receive patient information, what information can be disclosed, and how it must be disclosed. The Security Rule further bolsters these privacy improvements by preventing unauthorized disclosure via medical record system breaches.
The Security Rule accomplishes this goal by setting baseline regulations for the security systems that safeguard protected health information for covered entities. This rule also extends to their business associates, thanks to the HITECH Act of 2009.
These safeguards fit into 3 distinct categories.
HIPAA defines administrative safeguards as “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronically protected health information (ePHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” (45 C.F.R. § 164.304).
The physical safeguards involve a covered entity’s electronic data and the physical systems that house it (45 CFR §164.310). These policies help ensure that only authorized users can access ePHI on the covered entity’s computer servers. Certified electronic health records technology (CEHRT) can fulfill some of these requirements, but likely not all.
The technical safeguards cover the policies and procedures for the technology covered entities use to control access to ePHI (45 CFR §164.312).
Now, we will look more closely at the various Security Rule categories and the requirements of each.
WHAT ARE THE ADMINISTRATIVE SAFEGUARDS?
The administrative safeguards compose more than half of the new regulations introduced in the Security Rule. The full official list of administrative safeguard requirements can be found at 45 CFR § 164.308.
This is the longest of the 3 types of safeguards, but for good reason. With human error accounting for 95% of system breaches, setting up quality administrative security measures is especially important.
These are separated into part A and part B. Part B allows covered entities to share records with business associates with a signed business associate agreement (BAA). The business associate must appropriately safeguard all protected health information created and/or received.
Part A covers all of the administrative safeguards required for covered entities and their business associates in 8 sections. In order to maintain compliance with the Administrative Safeguards of the HIPAA Security Rule, covered entities and business associates must:
- Set up a security management process. This must include a security risk analysis, a sanctions policy, and a risk management policy.
- Assign a security official to develop and implement the policies and procedures.
- Implement workforce security measures to manage which staff members can and cannot access PHI.
- Implement authorization procedures and policies to manage access to PHI.
- Set up a security awareness and training program for all team members.
- Create policies and procedures to address security incidents.
- Establish a contingency plan to respond to an emergency that damages ePHI systems.
- Perform periodic technical and nontechnical evaluations to determine if organization policies meet the Security Rule requirements.
If you would like a deeper look at this aspect of HIPAA, HHS created this “Security Series” administrative safeguards document. This document provides more detailed information about every aspect of administrative safeguards. It will help your organization successfully set up the required security measures detailed above.
WHAT ARE THE TECHNICAL SAFEGUARDS?
The technical safeguards cover the system requirements for digitally storing protected health information. The full official list of technical safeguard requirements can be found at 45 CFR § 164.308.
The technical safeguards fit into 5 sections. In order to be compliant with the technical safeguards of the HIPAA Security Rule, covered entities and business associates must:
- Implement policies that allow only authorized users and software programs to access systems that store protected health information. This must use essential implementation specifications. These include unique user identification, an emergency access procedure, automatic logoff, and PHI encryption and decryption.
- Implement audit controls to log activity performed within information systems that house protected health information. This helps HHS to determine the root cause of each breach and whether an unauthorized individual accessed PHI.
- Ensure the integrity of medical information by implementing policies and procedures to prevent unauthorized individuals from editing or deleting PHI. This includes mechanisms to help guarantee that records have not been altered.
- Authenticate requestors’ identities before disclosing their electronically protected health information. Sending patient medical information to the wrong individual constitutes a HIPAA breach, and this is essential due diligence.
- Implement transmission security measures to ensure unauthorized individuals don’t breach PHI in transmission. This includes encrypting protected health information during the exchange.
These are the baseline standards, but healthcare organizations should always try to provide the best security possible. The technical safeguards help prevent breaches of PHI, but these guidelines are fairly static. True protection requires understanding and responding to the development of new methods and technologies utilized by hackers.
If you would like a deeper look at this aspect of HIPAA, HHS created this “Security Series” technical safeguards document.
WHAT ARE THE PHYSICAL SAFEGUARDS?
The physical safeguards outline requirements for the protection of physical protected health information. The full official list of physical safeguard requirements can be found at 45 CFR § 164.308.
The physical safeguards are separated into 4 sections. In order to be compliant with the physical safeguards of the HIPAA Security Rule, covered entities and business associates must:
- Implement facility access controls to ensure that only authorized individuals can access electronic health record systems in the facility. This includes contingency operations, a facility security plan, access control and validation procedures, and maintenance records.
- Define how workstations that can access electronically protected health information should be used. This includes defining the proper functions of the workstation and how these functions must be performed.
- Restrict access to physical workstations so only authorized personnel can access PHI. For example, if front office personnel can access electronic health records, a physical barrier only passable via a locked door could be installed to prevent unauthorized individuals from overpowering your staff to access the workstation.
- Implement policies and procedures to help with the receipt and removal of ePHI in hardware and electronic media. These regulations govern the movement of information in and out of facilities, as well as its movement within them. These specifications include secure disposal, media re-use, accountability, and data backup and storage.
If you would like a deeper look at this aspect of HIPAA, HHS created this “Security Series” physical safeguards document.
DO THESE GUIDELINES PROTECT AGAINST BREACHES?
By separating the Security Rule guidelines into three categories, HHS manages to cover several threat vectors hackers would otherwise use to gain entry to sensitive medical information. Is this enough, though, to protect against HIPAA breaches?
The baseline regulations the Security Rule imposes are thorough, as HHS designed them to protect data from every angle. Unfortunately, the strict yet vague language of HIPAA makes it difficult to know what the true baseline is.
This is a point of frustration for many healthcare professionals, but there’s a good reason for it. As HHS wrote and improved HIPAA, they’ve cautiously avoided overwhelming small healthcare organizations. They understand that both security needs and budgets vary wildly across the spectrum and fear that overly stringent regulations could force small organizations to shut down.
As such, if guidelines aren’t specific, healthcare organizations should always budget for strong security measures. HIPAA fines can reach up to $1.5 million per violation category per year. This can quickly outweigh the costs of adequate security.
In cases of HIPAA violations, HHS determines the severity of the penalties by considering two main factors. The first is the damage of the breach, which is impacted by the breach size and the type of information. The second is the culpability and response of the covered entity or business associate responsible for the breach.
Consider the exact text of 45 CFR § 164.308 (e ii) of the technical safeguards. This says covered entities and business associates must: “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
This is great because encryption is important whenever anybody shares sensitive information digitally. But a quick Google search will reveal that there are many types of encryption. How can you avoid selecting an insufficient type of encryption?
CHARTREQUEST HELPS GUARANTEE COMPLIANCE
ChartRequest doesn’t just comply with HIPAA regulations; we strive to provide the safest platform possible. When your team uses our platform, our stringent security measures (that exceed Security Rule compliance) protect them.
Our best-in-class security infrastructure uses 128 to 256-bit SSL end-to-end encryption to protect user information. Additionally, we utilize several advanced security measures to prevent attacks from all angles. These include:
- Redundant firewall protection
- Redundant web application protection
- DoS and DDoS mitigation
- Monitored intrusion detection
- VPN/SSL and multi-factor authentication for server management
- Protection against MITM attacks, IP spoofing, port scanning, and packet sniffing
Not only are requests easier for your team to fulfill, but they’re also easy for requestors to create. After navigating to our app via the ChartRequest button on your website, your patients can follow our streamlined workflow to create their requests in just minutes.