The Health Insurance Portability and Accountability Act (HIPAA) provides necessary data privacy for patients and lists a range of security provisions that organizations need to implement to protect medical information. Due to the exponential increase in cyber-attacks involving data breaches, HIPAA is now more relevant than ever for organizations which store, process, and transmit electronic protected health information (ePHI). It provides a list of technical, physical, and administrative safeguards which healthcare-related entities need to implement.
The HIPAA Security Rule contains the standards which organizations need to implement to achieve HIPAA compliance. These rules apply to any user, be it a person, system, or third party, who has access to ePHI. It consists of three distinct parts, the technical, physical, and administrative safeguards; within each part, some items are required and others are addressable depending on the organization's circumstances.
Required Versus Addressable – What is the Difference?
HIPAA’s Security Rule contains technical, physical, and administrative safeguard measures divided into two distinct categories, required and addressable. The difference between the two is that the implementation of required safeguards is compulsory, whereas addressable safeguards provide organizations with a certain degree of flexibility. For example, if the application of an addressable safeguard is not reasonable or relevant, the organization can deploy an alternative or introduce no safeguard at all.
HIPAA Technical Safeguards
HIPAA’s technical safeguards list five implementation specifications, two of which are required, and three are addressable.
Required Technical Safeguards
1 – Access Control
Under HIPAA, organizations must implement measures which limit access to ePHI. This requirement states that data must be accessed securely and protected by a centralized solution which manages the identity of users accessing the data. Usernames and passwords are sufficient to meet this requirement, but it is important to note that the system must be able to identify unique users, so individual accounts are necessary for every user accessing the data.
2 – Activity and Log Monitoring
Monitoring who has access to sensitive medical information and when they access it is another required HIPAA technical safeguard. As such, organizations must implement technologies which actively monitor systems and comprehensively audit when someone accesses data. Furthermore, the monitoring solution must also be able to provide the identity of the user in question.
Addressable Technical Safeguards
1 – Authenticate Electronic Personal Health Information
Under this requirement, HIPAA states that healthcare providers who store or transmit sensitive medical information should have the ability to confirm the integrity of medical data. Not only do they need to verify its integrity but they must also be able to ascertain if it has been altered or destroyed in an unauthorized manner.
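One way to give stored ePHI records the tamper-evidence this specification asks for is to keep a keyed hash (HMAC-SHA256) alongside each record and check it on every read. This is an added example, not code from the original article; it assumes the integrity key is held in a key store or HSM in production (it is generated in memory here only for the demo), and the sample record is constructed, not real patient data.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: in production this key lives in a key store or HSM; generated here for the demo only.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always produces the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the storage envelope: the ePHI record plus an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope, key: bytes = INTEGRITY_KEY) -> str:
    """Classify a stored envelope as 'ok', 'altered' (content or tag changed) or 'destroyed' (missing/unreadable)."""
    if not isinstance(envelope, dict) or "record" not in envelope or "tag" not in envelope:
        return "destroyed"
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time so the tag is not leaked through timing.
    return "ok" if hmac.compare_digest(expected, envelope["tag"]) else "altered"


# Constructed sample record (not real patient data).
SAMPLE = {"patient_id": "P-0001", "diagnosis": "J45.20", "last_updated": "2024-01-15"}


def demo() -> dict:
    """Seal a record, then show the three outcomes an integrity check must distinguish."""
    stored = seal(SAMPLE)
    # An edit made without going through seal() leaves the old tag in place and is detected.
    tampered = {"record": dict(stored["record"], diagnosis="Z00.00"), "tag": stored["tag"]}
    return {"intact": verify(stored), "tampered": verify(tampered), "missing": verify(None)}


if __name__ == "__main__":
    print(demo())
```

Any legitimate change must go through `seal()` again; a mismatch therefore means the record was altered outside the application, and an unreadable envelope is reported as destroyed rather than silently ignored.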
2 – Implement Encryption and Decryption
This HIPAA technical safeguard recommends that devices used by authorized users be able to encrypt messages before they leave the corporate network. Similarly, they must also be able to decrypt messages when they are received.
3 – Facilitate Automatic Logoff of Devices
Unattended devices are security threats. As such, HIPAA recommends that users log off devices once they have completed interacting with sensitive medical information. Furthermore, organizations should also implement technologies which automatically log off users when their session has been inactive for a set period.
HIPAA Physical Safeguards
In addition to technical safeguards, HIPAA compliance also lists four physical safeguards, two of which are required.
Required Physical Safeguards
1 – The Use and Positioning of Workstations
HIPAA states that healthcare organizations must implement policies which restrict the use of workstations that have access to ePHI. Furthermore, these workstations must be protected by physical measures which ensure no unauthorized individual can view the information on their screens.
2 – Mobile Device Management
Organizations that allow users to access sensitive medical information on their mobile devices must be able to remove data from a device if a user leaves the organization, or if their device is lost or stolen. As such, healthcare providers who need to comply with HIPAA must implement some form of Mobile Device Management (MDM) solution.
Addressable Physical Safeguards
1 – Physical Access Control
Organizations that store ePHI on their premises should put physical access control measures in place. These measures need to prevent unauthorized individuals from physically accessing any secure area that stores the data. Implementing physical access controls which manage access via keycard or biometrics is a good option. These solutions not only limit access but also record any movements into and out of a secure environment.
2 – Hardware Inventory
HIPAA requires any healthcare organization processing ePHI to maintain an inventory of all the hardware which stores the relevant data. Furthermore, the act prescribes the keeping of records which detail any hardware item movements and requires the creation of an exact copy of the information on the relevant device before moving it.
HIPAA Administrative Safeguards
The HIPAA administrative safeguards detail the policies and procedures which enforce HIPAA’s privacy and security rules. There are seven administrative safeguards, with four of them categorized as required for HIPAA compliance.
Required Administrative Safeguards
1 – Conducting Risk Assessments
HIPAA defines the role of a Security Officer within a healthcare organization. A crucial task that forms part of this role’s responsibilities is to identify which areas within the enterprise store and process ePHI. Furthermore, once the identification process is complete, the Security Officer must also determine the potential vulnerabilities by conducting regular security assessments.
2 – Implement a Risk Management Policy
Organizations managing electronic healthcare information must also implement a risk management policy. This policy should contain details about risk assessment exercises as well as the implementation of relevant security measures. HIPAA also states that the risk management policy should include the appropriate sanctions which are pertinent to employees who fail to comply with HIPAA requirements.
3 – Develop a Contingency Plan
HIPAA also requires organizations to develop a contingency plan which ensures business continuity in the event of a disaster. If an organization already has a Disaster Recovery (DR) plan in place, it must provide the necessary safeguards which ensure the integrity of any sensitive medical data while the organization is in DR mode.
4 – Restrict Third Party Access
Restricting third parties from accessing confidential medical information is another required HIPAA administrative safeguard. Even though secure access control meets this requirement, HIPAA requires healthcare organizations to enforce this measure by including the relevant terms in formal Business Associate Agreements.
Addressable Administrative Safeguards
1 – Employee Security Awareness Training
HIPAA recommends that all employees working for the healthcare provider attend some form of security awareness training. In addition to the general cybersecurity best practices such as how to spot a phishing attack and how to identify malware, this training should also cover the HIPAA relevant policies and procedures.
2 – Testing of the Contingency Plan
Periodic testing of the contingency plan is recommended to make sure the healthcare provider’s Disaster Recovery and Business Continuity plans meet the stated HIPAA requirements. As with any other data protection solution, regular testing ensures the contingency program is capable of protecting the business and highlights any gaps which need rectification.
3 – Reporting of Security Incidents
Under HIPAA’s Breach Notification Rule, informing any affected entities of a data breach involving ePHI is mandatory. However, under the administrative safeguards, containing security incidents before they develop into a data breach is deemed addressable.
Implementing HIPAA’s Security Rule Safeguards Makes Good Business Sense
HIPAA’s technical, physical, and administrative safeguards are not only essential to achieving HIPAA compliance for healthcare organizations, but make good business sense for every enterprise. Protecting your organization by implementing many of the HIPAA safeguards ensures your business complies with good cybersecurity practices. Not only does this protect your organization from possible cyber-attacks, but it also assures your stakeholders you have appropriate processes and procedures in place, which ultimately builds trust in your brand and your business.
JMARK has been helping healthcare businesses in Springfield and Tulsa increase their success with the help of innovative I.T. solutions for thirty years. The driving force behind everything we do is to help our clients move their business forward and achieve their goals. To learn more about how we can help you meet HIPAA compliance by implementing innovative technology solutions and improving your security processes, contact us today.