Sam Khan

Guarding Electronic-Protected Health Information: Compliance with HIPAA's Security Rule

Updated: Jun 15, 2023



Setting the Stage: an Overview of HIPAA Compliance


In our past HIPAA articles, we embarked on an exploration of the Health Insurance Portability and Accountability Act (HIPAA), dissecting its general framework and highlighting the requirements surrounding the use and disclosure of Protected Health Information (PHI). In this Article, we shift our focus toward a crucial component that ensures HIPAA's effective implementation: compliance with HIPAA’s Security Rule.


Enforcement scrutiny under HIPAA relaxed somewhat during the COVID-19 pandemic. However, with the conclusion of the Public Health Emergency (PHE) on May 11, 2023, that leniency has ended. We're now entering a phase where compliance is paramount, because an organization's compliance posture is what comes under scrutiny, particularly following a HIPAA breach.


We've recently seen a surge of cautionary tales. Breaches not only trigger HIPAA's notification rules but also expose entities to investigations by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). These investigations often come with potential monetary penalties and corrective action plans. Ultimately, OCR's primary concern is whether an entity has adopted and implemented sufficient procedures, policies, safeguards, and training of personnel to protect the privacy and security of PHI, and to ensure such information is readily accessible to patients. In relation to patient access, proposed HIPAA regulations may soon raise the bar for organizations. If enacted, these regulations will require a faster turnaround time (reduced from 30 to 15 days) for fulfilling patient record requests.


HIPAA compliance encompasses various domains, each playing a significant role in safeguarding the privacy, security, and integrity of PHI. The foundation of HIPAA compliance lies in clearly defined policies and procedures. Key elements include the HIPAA notice of privacy for patients, which informs them how their PHI will be used or disclosed, and a HIPAA compliance manual for internal compliance within entities. Additionally, every entity should consider forming a privacy compliance committee, led by a privacy officer, to ensure adherence to the law. Covered Entities (CEs) are required to have Business Associate Agreements (BAAs) in place with all Business Associates (BAs) and their subcontractors, outlining their responsibilities to safeguard PHI.


It's also imperative to train personnel on how to use, disclose, and secure PHI properly in line with HIPAA’s standards. Training should also inform on the procedures to follow in the event of potential breaches. And, of course, safeguards are critical. Regular audits and risk analyses are vital components of these safeguards.


In this installment of our HIPAA series, we'll delve into the aspect of compliance, specifically focusing on the safeguards outlined in the HIPAA Security Rule. As we navigate these safeguards, we'll unravel their implications and the nuances of implementing them in real-world scenarios. Join us on this mission-critical journey as we aim to unravel the intricacies of the HIPAA Security Rule and bolster the compliance initiatives within. Please note, however, that other federal and state laws might also apply, and therefore, should be considered in forming your organization’s compliance program. This Article focuses solely on HIPAA.



HIPAA's Security Rule: Protection of Electronic-Protected Health Information


The Security Rule of HIPAA specifically applies to electronic-Protected Health Information (ePHI), a subset of PHI that is created, received, maintained, or transmitted electronically. Unlike other forms of data, ePHI excludes information on paper, faxes, and spoken words. Let's spotlight ePHI and uncover the safeguards that HIPAA's Security Rule has put in place to protect this digital data.


The Security Rule establishes three types of safeguards required for compliance: administrative, physical, and technical. Each category encompasses different security standards that have their own unique roles in the protection of ePHI. Within each category, there are various security standards, each having two types of implementation specifications: required and addressable. As you will see, despite what the names might suggest, both are necessary. Let's work backwards, starting with the implementation specifications.



Implementation Specifications: Required & Addressable


The "required" specifications are non-negotiable in that they must be followed without deviation. The Covered Entity (CE) or Business Associate (BA) must adopt and implement the specifications exactly as dictated by the Security Rule. However, the Security Rule doesn't explicitly state how to meet the requirements. It doesn't offer a step-by-step guide or a checklist of actions to ensure that you meet these required specifications. Instead, it embraces a principle of flexibility in that regard.


The Security Rule's approach might seem paradoxical: it imposes required specifications but offers no precise route to compliance. You should note, however, that this is a deliberate part of its design. It allows for adaptability in the face of the varying forms and sizes of entities handling ePHI and their vastly different goals and objectives. It's this flexibility that makes HIPAA both challenging and accommodating.


Contrary to what the term may suggest, "addressable" specifications are not optional. They don't grant CEs or BAs a free pass to ignore those specifications. Rather, addressable specifications provide a more tailored approach for CEs or BAs, allowing them to evaluate their own unique situations and determine the best way to implement the standards. This evaluation involves a thorough analysis to determine what is "reasonable and appropriate" for each organization. The evaluation should assess an organization's potential risks and vulnerabilities based on the ePHI it handles, and balance them against the size, complexity, and capabilities of its operations.


In essence, the "addressable" implementation specification doesn't hand entities a one-size-fits-all solution. Instead, it prompts them to actively address each requirement in a manner that aligns with their specific circumstances, reinforcing the Security Rule's commitment to adaptability and practicality in safeguarding ePHI. When working with an "addressable" implementation specification, a few scenarios can arise, each requiring a different approach:


1) If the addressable measure is deemed reasonable and appropriate, the entity must implement the specification and document the decision. That documentation is a crucial part of the process, providing evidence of adherence to the Security Rule.


2) If the measure is not deemed reasonable and appropriate, but the standard cannot be met without additional safeguards, an alternative safeguard must be implemented. Again, it's important to document the decision, provide the rationale behind it, and clearly identify the alternative safeguard.


3) If the measure is not reasonable and appropriate, but the standard can be met without an alternative measure, the entity does not need to implement the addressable specification or an alternative. However, even in such a case, it's necessary to document the decision and the rationale for not doing so, as well as to document how the standard is otherwise met.


Remember, all the standards set forth by the Security Rule are "required." It's about finding a balance between these requirements and what is reasonable and appropriate for your specific situation. The end goal is the same: to protect ePHI and ensure its integrity, confidentiality, and availability. This flexible, yet accountable approach encourages CEs and BAs to proactively safeguard ePHI in a way that best suits their unique circumstances.



The Safeguard Trio: Administrative, Physical, & Technical


The Security Rule sets forth three essential categories of safeguards for ensuring compliance: administrative, physical, and technical. Each of these categories comprises distinct security standards that play specific roles in the protection of ePHI. Let’s explore each one in detail.


I. Administrative Safeguards


Administrative safeguards under the HIPAA Security Rule refer to the management and oversight mechanisms, human resources involvement, and policies and procedures used to protect ePHI. These safeguards are critical for establishing the framework and continuity of ePHI security.


1) Management and Oversight: The management team plays a crucial role in ensuring the safety of ePHI by monitoring and directing actions that impact the security of ePHI. This could involve setting security policies, coordinating responses to security incidents, and driving the implementation of security measures.


2) Human Resources Involvement: A company's human resources department also plays a significant role in safeguarding ePHI. This could entail overseeing employee training on HIPAA compliance, monitoring adherence to security policies, and managing access permissions to systems holding ePHI.


3) Policies and Procedures: Defining clear and comprehensive policies and procedures is a critical component of administrative safeguards. These directives serve as the playbook for what employees must do to ensure the security and integrity of ePHI. They might include protocols for accessing ePHI, reporting potential security breaches, and maintaining the ongoing security of electronic health information.


Together, these administrative safeguards form a comprehensive structure for ensuring the safety and integrity of ePHI and provide the backbone of a robust and effective HIPAA compliance program. Further, the Security Rule sets out nine specific administrative standards that each CE or BA must adhere to. Let's briefly outline each one:


1) Security Management Process: This standard is a central piece of the administrative safeguards. It encompasses risk analysis, risk management, sanction policy, and information system activity reviews.


2) Assigned Security Responsibility: This standard requires that a specific individual or role within the organization should be assigned responsibility for securing ePHI.


3) Workforce Security: This standard requires policies and procedures that ensure all members of the workforce have appropriate access to ePHI, and that prevent those who should not have access from obtaining it.


4) Information Access Management: This standard relates to the implementation of policies for authorizing access to ePHI consistent with the applicable requirements of HIPAA’s Privacy Rule.


5) Security Awareness and Training: Entities must maintain an ongoing security awareness and training program for all members of the workforce (including management).


6) Security Incident Procedures: Policies and procedures must be in place to address security incidents and should specify response and reporting procedures for such incidents.


7) Contingency Plan: Contingency planning includes data backup plans, disaster recovery plans, and emergency mode operation plans to ensure the availability, integrity, and security of ePHI under adverse circumstances.


8) Evaluation: Organizations must periodically conduct technical and non-technical evaluations to ensure that their security safeguards align with the Security Rule.


9) Business Associate Agreements: HIPAA mandates that CEs have specific written contracts with their BAs to ensure the protection of ePHI.


These standards provide a framework for the administrative safeguards a CE or BA needs to put in place to secure ePHI effectively. Now let’s explore a few examples relating to administrative safeguards including conducting a risk analysis, implementing a sanction policy, and ensuring an information activity review.


Exploring Example #1: Risk Analysis


Risk analysis stands as a critical component within the framework of administrative safeguards under the HIPAA Security Rule. It requires entities to conduct a thorough assessment of potential risks and vulnerabilities that could potentially impact the confidentiality, integrity, and availability of ePHI.


This assessment is not just a mere procedural requirement. Rather, it plays an instrumental role in the decision-making process pertaining to the implementation of "addressable" specifications. A comprehensive risk analysis forms the bedrock upon which an entity designs and implements its security protocols and procedures.


Another essential aspect to remember is that the results of this analysis serve as a baseline for security processes. They provide a point of reference to determine whether the measures in place are adequate and effective.


The government places significant importance on these risk analyses. If there is an inquiry or audit, one of the first documents the authorities will likely ask to see is your organization's risk analysis. This underscores the vital importance of conducting a robust and thorough risk analysis to ensure the highest level of ePHI security.


Exploring Example #2: Sanction Policy


A sanction policy forms a key part of the administrative safeguards under the HIPAA Security Rule. This policy emphasizes that there are tangible consequences for non-compliance with the implemented security policies and procedures.


The intent of the sanction policy is to ensure that all workforce members understand their responsibilities toward safeguarding ePHI. It mandates the application of suitable sanctions against those workforce members who fail to adhere to the security policies and procedures in place. These sanctions serve a dual purpose. On one hand, they act as a deterrent, discouraging negligent or careless behavior that could put the security of ePHI at risk. On the other hand, they underline the seriousness of the organization's commitment to maintaining the highest levels of security and confidentiality in handling ePHI.


In essence, a sanction policy provides a clear message to all employees and staff: Compliance with security protocols is not optional, but mandatory, and any breach will have consequences.


Exploring Example #3: Information System Activity Review


The information system activity review is a critical aspect of the administrative safeguards implemented under the HIPAA Security Rule. It involves deploying systems and processes on your hardware and software to monitor and detect potential unauthorized or otherwise inappropriate access, use, maintenance, or disclosure of ePHI. Key elements of an information system activity review include:


i. Audit logs: These are detailed records that capture events occurring within an organization's systems and networks. They keep track of who accesses ePHI, what data was accessed, when it was accessed, and from where, providing a comprehensive trail of all activities.


ii. Access reports: These reports offer a thorough analysis of who has access to specific pieces of ePHI. They surface any potential unauthorized or inappropriate access to ePHI.


iii. Security incident tracking reports: These reports document and detail any security incidents that occur within the system. They keep track of what happened, when it happened, how it was resolved, and any necessary steps taken to prevent similar incidents in the future.


By regularly reviewing these reports, an organization can detect patterns of unauthorized or inappropriate access, swiftly take corrective action, and adjust its security measures as needed. This rigorous activity review plays a vital role in maintaining the integrity and confidentiality of ePHI.
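The following is an added illustration of an information system activity review, not code from the article: a small reviewer that parses constructed audit log lines (who, what, when, from where) and flags the patterns described above. The log format, the role-to-action table, the business-hours window and the thresholds are all assumptions for the example; a real review would read these from the organization's access policy and its actual log pipeline.

```python
"""Information system activity review over constructed ePHI audit log lines.

Added illustration (not part of the original article). The log format, the
role table and every threshold below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real system): who, what, when, from where.
SAMPLE_LOG = """\
2023-06-12T09:02:11 user=nurse01 role=clinical action=view patient=PT-1001 src=10.0.5.21
2023-06-12T09:05:43 user=nurse01 role=clinical action=view patient=PT-1002 src=10.0.5.21
2023-06-12T09:07:02 user=billing07 role=billing action=view patient=PT-1001 src=10.0.7.40
2023-06-12T09:07:30 user=billing07 role=billing action=view_notes patient=PT-1001 src=10.0.7.40
2023-06-12T09:10:15 user=billing07 role=billing action=view patient=PT-1003 src=10.0.9.12
2023-06-12T23:48:09 user=clerk03 role=registration action=view patient=PT-2001 src=10.0.8.5
2023-06-12T23:49:10 user=clerk03 role=registration action=view patient=PT-2002 src=10.0.8.5
2023-06-12T23:50:01 user=clerk03 role=registration action=view patient=PT-2003 src=10.0.8.5
2023-06-12T23:50:40 user=clerk03 role=registration action=view patient=PT-2004 src=10.0.8.5
"""

# Assumed role-to-action table; in practice this comes from the access policy.
ROLE_PERMISSIONS = {
    "clinical": {"view", "view_notes", "update"},
    "billing": {"view", "export_claim"},
    "registration": {"view", "register"},
}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59, assumed
MAX_PATIENTS_PER_HOUR = 3       # assumed threshold for record browsing
SHARED_LOGIN_WINDOW_MIN = 10    # same account seen from two sources within N minutes


def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(ts)
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review(records):
    """Return (rule, user, detail) findings for the patterns worth a human look."""
    findings = []
    by_user = defaultdict(list)
    for r in records:
        # Action not permitted for the user's role (inappropriate access).
        if r["action"] not in ROLE_PERMISSIONS.get(r["role"], set()):
            findings.append(("ROLE_VIOLATION", r["user"],
                             f"{r['action']} on {r['patient']} not permitted for role {r['role']}"))
        by_user[r["user"]].append(r)

    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        # Access outside business hours.
        after_hours = [e for e in events if e["ts"].hour not in BUSINESS_HOURS]
        if after_hours:
            findings.append(("AFTER_HOURS", user, f"{len(after_hours)} accesses outside business hours"))
        # Many distinct patient records within one hour (possible snooping).
        for i, start in enumerate(events):
            window = [e for e in events[i:] if (e["ts"] - start["ts"]).total_seconds() <= 3600]
            patients = {e["patient"] for e in window}
            if len(patients) > MAX_PATIENTS_PER_HOUR:
                findings.append(("EXCESSIVE_RECORDS", user, f"{len(patients)} distinct patients within one hour"))
                break
        # One account active from two different sources in quick succession.
        for prev, cur in zip(events, events[1:]):
            gap_min = (cur["ts"] - prev["ts"]).total_seconds() / 60
            if cur["src"] != prev["src"] and gap_min <= SHARED_LOGIN_WINDOW_MIN:
                findings.append(("POSSIBLE_SHARED_LOGIN", user,
                                 f"{prev['src']} then {cur['src']} within {gap_min:.0f} min"))
                break
    return findings


def review_log(text):
    return review(parse_log(text))


if __name__ == "__main__":
    for rule, user, detail in review_log(SAMPLE_LOG):
        print(f"{rule:<22} {user:<10} {detail}")
```

Each finding is a lead for the reviewer, not a verdict: the role violation and the two-source login point at the shared-credential pitfall, while the after-hours burst across four patient records is the pattern that a snooping investigation typically starts from. Documenting what was reviewed, what was flagged and what was done about it is itself part of the standard.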


II. Physical Safeguards


The physical safeguards, as stipulated under the HIPAA Security Rule, primarily concern the protection of tangible assets, specifically those that can impact the safety and integrity of ePHI. These safeguards are designed to secure the physical environment where data is stored and accessed. They include measures to protect electronic systems, equipment, and the data they hold or transmit, from threats, environmental hazards, and unauthorized intrusion. For instance:


1) Protection from theft: Implementing secure storage locations, lockable storage cabinets, and controlled access areas can help protect hardware storing ePHI from theft.


2) Fire protection: Fire safety measures such as fire extinguishers, smoke detectors, and fire suppression systems are crucial in safeguarding physical hardware from fire damage.


3) Flood protection: Locations susceptible to flooding should have proper drainage systems and water leak detection systems, and hardware holding data should be kept on higher floors to prevent water damage.


4) Hardware protection: Regular maintenance of hardware, use of surge protectors to guard against power fluctuations, and deploying appropriate cooling systems in server rooms can prevent system crashes.


Physical safeguards ensure the secure storage and handling of hardware and other tangible assets that hold or process ePHI, thereby reducing the risks of unauthorized access, damage, and data loss. There are four notable physical standards for ensuring a secure environment.


1) Facility Access Controls: These safeguards relate to controlling and limiting physical access to the facilities that house ePHI to prevent unauthorized access. It involves implementing procedures to allow only authorized personnel access to secure areas, maintaining visitor logs, and controlling access to electronic information systems. We will delve deeper into this standard later.


2) Workstation Use: This standard pertains to policies and procedures that dictate how workstations, where ePHI is accessed, should be used. These measures may include rules for viewing sensitive information in public areas, locking computers when unattended, and guidelines for maintaining a clean desk.


3) Workstation Security: This standard is focused on implementing physical safeguards for each workstation that has access to ePHI to prevent unauthorized access. It may involve using privacy screens, physically securing computers and peripherals, and controlling physical access to workstations.


4) Device and Media Controls: This standard pertains to the policies and procedures that govern how data is moved within and outside of the facility. It includes measures for the secure disposal or reuse of devices and media, data backup and storage, and the accountability of hardware and electronic media.


These physical standards are vital to ensuring the integrity and confidentiality of ePHI in a healthcare environment. They highlight the importance of not just electronic security, but also the physical security of the spaces where sensitive data is accessed and stored. As promised, let's now delve into an example: facility access control.


Example: Delving into Facility Access Control


Facility Access Control serves as a key physical safeguard under HIPAA's Security Rule, revolving around policies that regulate the physical access to facilities, rooms, and hardware storing ePHI. This safeguard underscores the necessity to restrict unauthorized physical entry, all the while ensuring authorized access is unimpeded. Here are its components:


i. Contingency Operations (Addressable Specification): These operations establish (or identify) the procedures that allow facility access in support of the restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.


ii. Facility Security Plan (Addressable Specification): This plan outlines the physical security controls, like surveillance cameras or security guards, put in place to prevent unauthorized access to areas where ePHI is stored. It may include procedures for verifying a person's access privileges before allowing them entry into a secure area.


iii. Access Control and Validation Procedures (Addressable Specification): These procedures determine how the facility will control and validate a person’s access to the buildings, rooms, and hardware based on their role or function, including visitor control and control of access to software programs for testing and revision.


iv. Maintenance Records (Addressable Specification): These records document repairs and modifications to the physical components of a facility that are related to security, like hardware, walls, doors, and locks. Such records can help in tracking the facility's physical security status and the effectiveness of implemented controls.


As these components are "addressable," you must assess whether each implementation specification is a reasonable and appropriate safeguard in your environment. Based on that assessment, you must either implement the specification or, where reasonable and appropriate, implement an equivalent alternative measure, and document the decision either way.


III. Technical Safeguards


Technical safeguards form a pivotal layer of the HIPAA Security Rule, as they encompass automated processes and systems employed to protect ePHI and control access to it. Here are the key components of this safeguard category:


1) Access Control: This represents a set of procedures that grants access to ePHI only to those software programs, users, or processes that have been granted access rights. It ensures that only authorized individuals can access electronic protected health information.


2) Audit Controls: These are mechanisms that record and examine activity in systems that contain or use ePHI. They serve to monitor access and activity related to information systems for unauthorized access, modification, or deletion.


3) Integrity: This control ensures that ePHI is not improperly altered or destroyed. It also includes mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.


4) Person or Entity Authentication: This ensures that persons or entities seeking access to ePHI are who they claim to be. Effective authentication requires presenting proof of identity before system access is granted.


5) Transmission Security: These are measures put in place to protect ePHI whenever it is transmitted or received over an electronic network. The standard comprises two aspects: integrity controls and encryption. Integrity controls ensure that transmitted ePHI is not improperly modified without detection until it is disposed of, while encryption renders ePHI unreadable, undecipherable, and unusable to unauthorized individuals during transmission.


The application of these technical safeguards is critical for maintaining the confidentiality, integrity, and accessibility of ePHI, as well as for managing potential risks and vulnerabilities. These safeguards work in tandem with the administrative and physical safeguards to form a robust compliance program to protect against unauthorized access or breaches of ePHI. Now let's explore a technical safeguard example: access control.
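To make the two aspects of transmission security concrete, here is an added example, not code from the article, of an encrypt-then-authenticate envelope for an ePHI message: encryption makes the payload unreadable in transit, and the authentication tag is the integrity control that causes any modification to be detected before the data is used. The construction (a keystream derived from HMAC-SHA256 in counter mode, separate encryption and authentication keys, a tag over the associated data, nonce and ciphertext) uses only the Python standard library and is an assumption made so the example runs anywhere; a deployed system would use TLS or a vetted AEAD such as AES-GCM, which provides the same two guarantees.

```python
"""Encrypt-then-authenticate envelope for ePHI in transit.

Added illustration (not the article's code). The HMAC-based keystream and the
key-separation scheme are assumptions chosen so this runs with the standard
library only; production systems use TLS or a standard AEAD instead.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32   # HMAC-SHA256 output


class IntegrityError(Exception):
    """Raised when the message was modified in transit or the key is wrong."""


def _derive_keys(master_key: bytes):
    # Distinct keys for encryption and authentication, derived from one master key.
    enc_key = hmac.new(master_key, b"ephi-transport-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"ephi-transport-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; the nonce must never repeat per key.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(mac_key: bytes, associated_data: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # The tag covers the routing/associated data too, so it cannot be swapped.
    return hmac.new(mac_key, associated_data + nonce + ciphertext, hashlib.sha256).digest()


def seal(master_key: bytes, plaintext: bytes, associated_data: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag for transmission."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + _tag(mac_key, associated_data, nonce, ciphertext)


def is_authentic(master_key: bytes, blob: bytes, associated_data: bytes = b"") -> bool:
    """Integrity control: verify the tag in constant time without decrypting."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return False
    _, mac_key = _derive_keys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(tag, _tag(mac_key, associated_data, nonce, ciphertext))


def unseal(master_key: bytes, blob: bytes, associated_data: bytes = b"") -> bytes:
    """Verify first, then decrypt; a modified message never reaches the caller."""
    if not is_authentic(master_key, blob, associated_data):
        raise IntegrityError("message modified in transit, wrong key, or wrong associated data")
    enc_key, _ = _derive_keys(master_key)
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    key = os.urandom(32)
    msg = seal(key, b"PT-1001 HbA1c 6.8%", b"dest=lab-portal")   # constructed sample ePHI
    print("authentic:", is_authentic(key, msg, b"dest=lab-portal"))
    damaged = bytearray(msg)
    damaged[NONCE_LEN + 3] ^= 0x01
    print("after one flipped bit:", is_authentic(key, bytes(damaged), b"dest=lab-portal"))
```

The order matters: the tag is checked before any decryption, so a flipped bit, a wrong key or a message replayed under a different destination header all fail the same way, which is exactly the "not modified without detection" property the integrity control is meant to deliver.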


Example: Systems Access Control


Under the technical safeguards of the Security Rule, systems access control is a crucial standard to understand and comply with. It focuses on the implementation of software and hardware mechanisms to permit only authorized individuals to access ePHI. The access control standard consists of the following components:


i. Unique User Identification (Required Specification): This specification mandates that each user of a system containing ePHI must have a unique identifier. This ensures that actions taken on ePHI can be traced back to the individual user, adding an extra layer of security and accountability.


ii. Emergency Access Procedure (Required Specification): In the event of an emergency, there must be established procedures to ensure that ePHI can be accessed by authorized personnel. This can involve backup systems or procedures that can bypass normal security protocols in a controlled manner during a crisis.


iii. Automatic Logoff (Addressable Specification): This provision is aimed at reducing the risk of unauthorized access to ePHI by automatically signing off an inactive user session after a predetermined time. This can protect against situations where a workstation is left unattended while still logged in to a system containing ePHI.


iv. Encryption and Decryption (Addressable Specification): This requirement involves the use of algorithms and ciphers to convert ePHI into an unreadable format unless decrypted using a unique key. By encrypting ePHI, healthcare entities can better protect the information during storage and transmission, reducing the risk of unauthorized access or breaches.


Each of these components plays a vital role in ensuring that access to ePHI is strictly controlled, monitored, and recorded, providing an effective approach to technical security within the healthcare environment.
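The following is an added example, not code from the article, of how the first three components of the access control standard fit together in software: every action is tied to a unique user ID, the role table decides what that user may do, an inactivity timer enforces automatic logoff, and an emergency access path ("break-glass") lets a user exceed their normal rights for a bounded period while every use is written to the audit trail. The role table, the 15-minute inactivity limit, the one-hour emergency window and the injectable clock are assumptions for the example.

```python
"""Systems access control for ePHI: unique user IDs, role checks, automatic
logoff and a logged, time-limited emergency-access path.

Added illustration, not the article's code. Roles, time limits and the
clock abstraction are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(minutes=15)   # assumed automatic-logoff policy
BREAK_GLASS_LIMIT = timedelta(hours=1)     # assumed emergency-access window

ROLE_PERMISSIONS = {                        # assumed role-to-action table
    "clinical": {"view", "update"},
    "billing": {"view"},
    "registration": {"register"},
}


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: datetime
    break_glass_until: Optional[datetime] = None


class FakeClock:
    """Injectable clock so the demo and its checks run deterministically."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, **kwargs) -> None:
        self.now += timedelta(**kwargs)


class EPHIAccessControl:
    def __init__(self, clock: Callable[[], datetime]):
        self.clock = clock
        self.sessions: Dict[str, Session] = {}
        # Audit trail: (time, user, event, patient) for every decision taken.
        self.audit_log: List[Tuple[datetime, str, str, Optional[str]]] = []

    def _log(self, user_id: str, event: str, patient_id: Optional[str] = None) -> None:
        self.audit_log.append((self.clock(), user_id, event, patient_id))

    def login(self, user_id: str, role: str) -> None:
        # One session per unique user ID; there is no shared account to log in as.
        self.sessions[user_id] = Session(user_id, role, self.clock())
        self._log(user_id, "login")

    def _active_session(self, user_id: str) -> Session:
        session = self.sessions.get(user_id)
        if session is None:
            raise AccessDenied(f"{user_id}: no active session")
        now = self.clock()
        if now - session.last_activity > INACTIVITY_LIMIT:
            # Automatic logoff: the idle session is discarded, not silently renewed.
            del self.sessions[user_id]
            self._log(user_id, "auto_logoff")
            raise AccessDenied(f"{user_id}: session expired after inactivity")
        session.last_activity = now
        return session

    def break_glass(self, user_id: str, reason: str) -> None:
        # Emergency access procedure: bounded in time and recorded with its reason.
        session = self._active_session(user_id)
        session.break_glass_until = self.clock() + BREAK_GLASS_LIMIT
        self._log(user_id, f"break_glass:{reason}")

    def access(self, user_id: str, action: str, patient_id: str) -> bool:
        session = self._active_session(user_id)
        if action in ROLE_PERMISSIONS.get(session.role, set()):
            self._log(user_id, action, patient_id)
            return True
        if session.break_glass_until and self.clock() <= session.break_glass_until:
            self._log(user_id, f"{action}[EMERGENCY]", patient_id)
            return True
        self._log(user_id, f"denied:{action}", patient_id)
        raise AccessDenied(f"{user_id}: {action} not permitted for role {session.role}")

    def is_logged_in(self, user_id: str) -> bool:
        return user_id in self.sessions


def try_access(ac: EPHIAccessControl, user_id: str, action: str, patient_id: str) -> bool:
    """Convenience wrapper: True if allowed, False if denied (decision is still logged)."""
    try:
        return ac.access(user_id, action, patient_id)
    except AccessDenied:
        return False
```

Two design points carry the compliance weight: the audit entries are keyed by the unique user ID (not a shared workstation account), so every read of a patient record is attributable, and the emergency path does not bypass logging, so the information system activity review described earlier can pick out every `[EMERGENCY]` entry for follow-up.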



Common Pitfalls in HIPAA Security Rule Compliance


Compliance with HIPAA's Security Rule is a crucial aspect of any healthcare entity's operations subject to HIPAA. However, certain areas often present challenges that can lead to non-compliance or security breaches. Here are some of the most common trouble areas:


1) Sharing Usernames/Passwords: Shared login credentials pose a significant risk as they can lead to unauthorized access, make it harder to track who is accessing ePHI, and potentially breach the Unique User Identification requirement.


2) Unencrypted Devices: Portable devices such as laptops and USB drives often contain ePHI. If these devices are lost or stolen and the data isn't encrypted, it could lead to significant breaches of patient information.


3) Incomplete Risk Analysis: Failing to conduct a thorough risk analysis can leave vulnerabilities unaddressed and make the system susceptible to breaches.


4) Misdirected Emails: Emails containing ePHI can be accidentally sent to the wrong recipients, leading to unauthorized disclosure of patient information.


5) Unauthorized Access: Snooping in the electronic medical record, or unauthorized viewing of patient information by employees or staff, is a common issue.


6) Phishing Attacks: Falling for phishing emails can give cybercriminals access to systems containing ePHI. Regular assessments and ongoing training can go a long way here.


7) Use of Personal Email Accounts: Transmitting ePHI through personal email accounts that may not have the same security measures as the official systems is a significant risk.


8) Remote Access Vulnerabilities: If workforce members use personal and unsecured devices to access ePHI, it can open up potential vulnerabilities for data breaches.


9) Ransomware Attacks: These involve malicious software that encrypts data and demands a ransom for its release. Health care entities are common targets for ransomware attacks due to the sensitive nature and high value of the data they hold.


By understanding these common pitfalls, your organization can better strategize to mitigate these risks and ensure robust compliance with HIPAA's Security Rule. If you have any questions, please feel free to contact your preferred health care lawyer. I’m here to help.





 
