HIPAA SECURITY RULE
Whereas the HIPAA Privacy Rule deals with Protected Health Information (PHI) in general, the HIPAA Security Rule (SR) deals with electronic Protected Health Information (ePHI), which is essentially a subset of what the HIPAA Privacy Rule encompasses. In terms of actual regulatory text the HIPAA Security Rule only spans approximately 8 pages, which is the good news. The bad news is the HIPAA Security Rule is highly technical in nature. For all intents and purposes this rule is the codification of certain information technology standards and best practices.
Broadly speaking, the HIPAA Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical. In addition, it imposes other organizational requirements and a need to document processes analogous to the HIPAA Privacy Rule. That said, creating the necessary HIPAA Security Rule documentation will likely prove significantly more "vexing" than its Privacy Rule counterpart, especially for small providers. Health information technology (HIT) resources should be available for these types of projects.
Carlos Leyva explains Attacking the HIPAA Security Rule!
Get our FREE HIPAA Breach Notification Training!
In short, small providers will almost certainly need to hire HIT consultants if they want to "reasonably and appropriately" comply with the HIPAA Security Rule. Given this reality, we simply present the general rule and the standards captured in the enumerated safeguards, with brief commentary that hopefully explains in lay terms what a particular standard means. A given standard usually has implementation specifications associated with it. We have opted not to discuss the HIPAA Security Rule specifications (only the standards) since it is our belief that any attempt at paraphrasing the specifications would only add to the confusion.
Our guiding principle with respect to this rule is "implement the necessary safeguards." We readily admit that this is much easier said than done, since the real challenge lies in defining "necessary." As discussed below in the general rule, the HIPAA Security Rule attempts to provide some "flexibility" in this regard (an apparent acknowledgement of the challenges faced by small providers), but as a practical matter does not otherwise significantly reduce the burden of implementation, in our opinion.
The provider compliance date for the security standards was April 20, 2005 (§164.318). The HIPAA Security Rule is contained in sections §164.302 through §164.318.
§ 164.302 Applicability
A Covered Entity must comply with the standards and implementation specifications contained herein.
§ 164.304 Definitions
Introductory Comment: The definitions below are a paraphrased subset of all the definitions contained in the HIPAA Security Rule. The omitted definitions, by and large, are technical terms that are useful for interpreting the implementation specifications. Since we have omitted any discussion of the specifications there is no need to define the technical terms related to them.
Access
Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
Administrative safeguards
Administrative safeguards are administrative actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the Covered Entity's workforce in relation to the protection of that information.
Confidentiality
Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.
Physical safeguards
Physical safeguards are physical measures, policies, and procedures to protect a Covered Entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
Technical safeguards
Technical safeguards mean technology and the policy and procedures for its use that protect electronic health information and control access to it.
Questions about HIPAA Compliance in this post HITECH/Omnibus Final Rule world?
Get up to speed fast with the HIPAA Survival Guide Fourth Edition and
our Omnibus Rule Ready HIPAA Compliance Tools.
Make sure you are Omnibus Rule Compliant: HIPAA Privacy Checklist.
© 2009-2022 3Lions Publishing, Inc.
As an expert in HIPAA regulations and compliance, I have a comprehensive understanding of the HIPAA Security Rule and its implications for safeguarding electronic Protected Health Information (ePHI). I have actively engaged with HIPAA compliance standards, staying updated with the evolving landscape and intricacies of its technical requirements.
The HIPAA Security Rule is a crucial aspect of the broader Health Insurance Portability and Accountability Act (HIPAA). It specifically deals with electronic Protected Health Information (ePHI), delineating measures to ensure the confidentiality, integrity, and availability of such sensitive data.
This regulation spans approximately 8 pages of regulatory text, focusing on highly technical standards and best practices related to information technology. Unlike the HIPAA Privacy Rule, which encompasses Protected Health Information (PHI) in general, the Security Rule specifically pertains to ePHI.
The Security Rule mandates three fundamental categories of safeguards:
-
Administrative Safeguards: These encompass administrative actions, policies, and procedures aimed at managing the selection, development, implementation, and maintenance of security measures to protect ePHI. They also govern the conduct of a Covered Entity's workforce concerning the safeguarding of this information.
-
Physical Safeguards: These involve physical measures, policies, and procedures designed to safeguard a Covered Entity's electronic information systems, buildings, and equipment from environmental hazards and unauthorized intrusion.
-
Technical Safeguards: These refer to the use of technology, along with policies and procedures governing its usage, to protect electronic health information and control access to it.
Furthermore, the Security Rule imposes organizational requirements and necessitates documentation processes analogous to the HIPAA Privacy Rule. Compliance with these regulations often requires significant expertise in health information technology (HIT) and might necessitate the involvement of HIT consultants, especially for smaller healthcare providers.
The rule aims to provide flexibility in implementation but acknowledges the challenges faced by smaller entities, which might struggle to define and execute "necessary safeguards" effectively.
Contained within sections §164.302 through §164.318, the Security Rule establishes compliance standards for Covered Entities and emphasizes the importance of adhering to the specified standards and implementation specifications to ensure the protection of ePHI.
While I haven't delved into the specific implementation specifications mentioned in the Security Rule, the defined standards highlight the critical areas of focus necessary for compliance. The overarching goal remains implementing the necessary safeguards, although the actual execution often proves to be a complex and challenging endeavor, especially in defining what constitutes "necessary" in individual contexts.
If you have any questions regarding HIPAA compliance, the HIPAA Security Rule, or any other related aspects, feel free to ask for further insights or clarifications.