The Health Insurance Portability and Accountability Act, or HIPAA, is a legislation which provides security provisions and data privacy, to keep patients’ medical information safe. It came into effect in 1996, but 2005 was when the notion of electronic patient health information, or ePHI, and the protection thereof was introduced. In 2005, HIPPA security rules were laid down in the form of three security safeguards – administrative, physical, and technical – which must be observed for HIPAA compliance. With the data volume and monetary value of ePHI growing exponentially, and cybersecurity issues looming large on a global scale, understanding these safeguards has become mandatory for all companies in medical and healthcare industries.
What is HIPAA Security Rule?
U.S. Department of Health and Human Services defines the Security Rule as “national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.”
As medical and healthcare industries – just as any other industries – go electronic in handling PHI for higher efficiency and productivity, the security risks involving the ePHI grow multiply. Therefore, HIPAA Security Rule was imposed as an extension to the Privacy Rule of the equivalent legislation, stating that all ePHI must be properly secured from unauthrozied access, whether the data is at rest or in motion. Furthermore, the fundamentals of Security Rule are based on the flexibility, scalability, and technology neutrality to encourage as many companies as possible to improve ePHI protection against various threats from inside and out. Thus the companies are allowed the adequate time to identify the needs and to adopt new technologiesfor the betterment of patient care and the safety of ePHI. To comply with the HIPAA Security Rule, companies are required to implement the three distinct, yet closely related types of safeguards that may sound ambiguous at first: administrative, physical, and technical.
“…administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
The administrative safeguards cover over half of the HIPAA security requirements, focusing on the execution of security practices for the protection of ePHI. The administrative safeguards implement policies that prevent, detect, contain, and correct security violations. Moreover, they should be understood as the foundation of the Security Rule, as the companies are better off to tailor their HIPAA security measures by working around these five following safeguards.
- Security management process – identification and analysis of potential risks to ePHI, and subsequent implementation of security measures to reduce or, even better, eliminate those risks to a reasonable and appropriate level.
- Security personnel – designation of qualified individual for responsibilities regarding development and implementation of security policies for ePHI security.
- Information access management – enforcement of policies and procedures that limit the uses and disclosures of ePHI to a level of “minimum necessary.”
- Workforce training and management – provision of training for and management of workforce responsible for handling of ePHI, and appropriate sanctions against violation of the policy and procedures.
- Evaluation – periodic assessment on the companies’ ability to meet the HIPAA requirements through the security policies and procedures
By laying down a solid administrative groundwork for ePHI security and HIPAA compliance, companies can establish an organization-wide policies and procedures that dictate data security and the action plan to follow should the unexpected breaches occur.
“…physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
From physician’s home PC to designated data centers for university hospitals, ePHI resides in various electronic assets and media. Physical safeguards are the implementation standards to physical access to information systems, equipment, and facilities:
- Facility access and control – limitation of physical access to facilities that contain ePHI, with the exception of authorized access.
- Workstation and device security – implementation of policies and procedures regarding workstations and electronic media, in addition to the transfer, removal, disposal, and re-use of them for the appropriate protection of ePHI.
These physical safeguards, combined with the administrative and technical safeguards, work to ensure that ePHI are neither tempered on nor leaked through thousands of devices and assets.
“…the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Perhaps the most talked-about of all, the technical safeguards are the final pieces of HIPAA Security Rule. One of the fundamental concepts of the HIPAA Security Rule is technology neutrality, which means that the rule does not require companies to adopt specific technologies. Thus the companies independently identify and satisfy their specific ePHI security needs based on these specific safeguards:
- Access control – implementation of technical policies and procedures for access only by authorized personnel.
- Audit controls – implementation of technical mechanisms to record and examine access and other activities in systems that contain or use ePHI.
- Integrity controls – implementation of policies and procedures, as well as technical measures, to ensure that ePHI is not improperly altered or destroyed.
- Transmission security – implementation of technical measures that restrict unauthorized access to ePHI in motion over electronic network.
Applied to all ePHI, the technology safeguards help companies to regulate ePHI access, use, and transmission – in other words, technical safeguards aim to protect ePHI at times where it is at most vulnerable state. Not limited to mandatory measures specified by governing authorities, companies can implement their own measures suitable for the companies’ size, industry, ePHI data volume, and etc. With growing concerns for cybersecurity threats, it is no surprise that technical safeguards are extremely crucial for medical and healthcare organizations, as well as cybersecurity companies.
Modern technologies provide efficiency and productivity when handling patient information electronically and that naturally lead to better care for patients; however, it is a double-edged sword. ePHI keeps growing in volume and value, and it attracts interests from not only companies but also cybercriminals. Thus HIPAA Security Rule was enforced to protect sensitive patient information from inherent security risks of the digital world. However, it is no easy task to meet the requirements of safeguards, and noncompliance of HIPAA ranges between $100 and $50,000 per violation. Therefore, companies must make ePHI security as a part of their daily routine and continuously monitor the situation to avoid any legal circumstances.