Guide to HIPAA Safeguards



Requirements to implement HIPAA safeguards appear more often in the text of the Health Insurance Portability and Accountability Act than is generally acknowledged. While many sources are aware of the Administrative, Physical, and Technical Safeguards of the Security Rule, less specific requirements relating to HIPAA safeguards also appear in the Privacy Rule.

Compared to specific requirements of the Administrative, Physical, and Technical safeguards, most other references to safeguards in the text of HIPAA are intentionally flexible to accommodate the different types of Covered Entities and Business Associates that have to comply with them. While this flexibility means it can be easier for certain organizations to comply with the HIPAA safeguards – and protect the privacy of PHI – other organizations may find the lack of guidance confusing.

To demonstrate the difference between the safeguards of the Security Rule and the safeguards of the Privacy Rule, we've provided a synopsis of the Security Rule Administrative, Physical, and Technical Safeguards to compare against the safeguards mentioned in the Privacy Rule Administrative Requirements. There is also a section relating to the Organization Requirements of the Privacy and Security Rules – both of which include further HIPAA safeguards.

HIPAA Security Rule Safeguards

The HIPAA Security Rule is dominated by the Administrative, Physical, and Technical Safeguards – the remainder of the Rule being assigned to General Rules, Organization Rules (discussed below), Documentation Requirements, and Compliance Dates. The General Rules provide an overview of what the HIPAA safeguards set out to achieve and claim to allow flexibility in the implementation of the safeguards by designating some of the implementation specifications as “addressable”.

Addressable implementation specifications are not as flexible as they may appear. Effectively, addressable specifications must be implemented unless they are “not reasonable or appropriate in the environment” or an alternative safeguard provides at least as much protection to ePHI as the addressable specification. In most circumstances, Covered Entities and Business Associates have no option but to implement addressable specifications in order to provide adequate protection.

HIPAA Administrative Safeguards

More than half of the Security Rule focuses on the HIPAA Administrative Safeguards (45 CFR § 164.308) – defined in the Security Rule as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic PHI and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information”.

To achieve the objectives of the HIPAA Administrative Safeguards, Covered Entities and Business Associates must appoint a Security Officer responsible for developing a security management program that addresses access controls, incident response, and security awareness training. The Security Officer is also responsible for conducting risk assessments and implementing policies and procedures to protect ePHI from threats and vulnerabilities.

HIPAA Physical Safeguards

The physical safeguards are measures, policies, and procedures intended to protect a Covered Entity’s or Business Associate’s buildings, equipment, and information systems from unauthorized intrusion and from natural and environmental hazards. Compliance with these HIPAA safeguards not only involves securing buildings and controlling access to them, but also validating the identity of anyone with access to equipment and information systems hosting ePHI.

Compared to the Privacy Rule HIPAA Safeguards (below), the Physical Safeguards provide direct guidance on the measures Covered Entities and Business Associates should take to (for example) govern the movement of devices and media containing ePHI, document maintenance records for facilities in which ePHI is stored, back up data before moving equipment, and properly dispose of hardware ePHI is stored on to eliminate the possibility of unauthorized disclosures.

HIPAA Technical Safeguards

The HIPAA Technical Safeguards relate to the technology used by Covered Entities and Business Associates, and the policies and procedures for its use and access to it. Like the Physical Safeguards, the HIPAA Technical Safeguards include fine details on the measures organizations should implement to protect ePHI from unauthorized access, including audit controls, user verification, and automatic log-off so ePHI cannot be accessed by unauthorized users when devices are left unattended.

Despite being the shortest of the Security Rule HIPAA Standards, the technical standards make it clear that encryption is considered to be a significant factor in preventing unauthorized uses and disclosures. This point has been reinforced through several subsequent HHS publications – most notably a recent Fact Sheet that answers questions about ransomware and whether or not a ransomware attack is a reportable breach under the HIPAA Breach Notification Rule.

Privacy Rule HIPAA Safeguards

Compared to the HIPAA Security Rule Safeguards, the safeguards mentioned in the Administrative Requirements of the Privacy Rule lack direct guidance. According to 45 CFR § 164.530 a Covered Entity “must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information”. The only implementation specifications offered to support this standard are:

  • A Covered Entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
  • A Covered Entity must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

The reason the Administrative Requirements lack direct guidance is the inclusion of “other requirements of this subpart”. “This subpart” refers to the Privacy Rule; and as different Covered Entities apply different policies and procedures to comply with the Privacy Rule, it would be impossible to develop “one-size-fits-all” safeguards to protect the privacy of PHI in the same way as required and addressable safeguards protect the confidentiality, integrity, and availability of ePHI.

Organizational Requirements in the Privacy and Security Rules

Both the Privacy Rule and the Security Rule contain Organizational Requirements. The Organizational Requirements of the Privacy Rule (45 CFR § 164.105) apply to Covered Entities that are not whole units (hybrid entities) or that are not single units (affiliated entities), while the Organizational Requirements of the Security Rule (45 CFR § 164.314) relate to Business Associate contracts with subcontractors and relationships between group health plans and plan sponsors.

Additional HIPAA Safeguards for Hybrid Entities

An example of a hybrid entity is a teaching institution that provides healthcare facilities for staff, students, and the public. The institution is a hybrid entity because the provision of healthcare for staff is a non-portable benefit (and therefore exempt from HIPAA), the provision of healthcare for students is covered by FERPA (which pre-empts HIPAA), and only the provision of healthcare for the public is covered by HIPAA.

Hybrid entities have to implement appropriate HIPAA safeguards to ensure that any PHI collected, used, and maintained by the public healthcare component of their operations is not disclosed to the other components of their operations. This includes disclosures of PHI by healthcare professionals working for a hybrid entity when those professionals assist with medical procedures for staff, students, and the public.

Additional HIPAA Safeguards for Affiliated Entities

Affiliated Entities are legally separate Covered Entities under the same ownership or control that designate themselves a single Affiliated Covered Entity for the purposes of HIPAA compliance. Being affiliated enables Covered Entities within the group to disclose ePHI to each other without the need for individual Business Associate Agreements, which increases integration and efficiency. Affiliated Entities can also use common documentation and share the same Privacy and Security Officers.

The additional HIPAA safeguards in the Organizational Requirements prevent unauthorized disclosures to other business units under the same ownership or control that do not qualify as Covered Entities. For example, several hospitals within a healthcare system under the same ownership can designate themselves as an Affiliated Entity; but, if the parent organization is not a Covered Entity, ePHI cannot be disclosed to the parent organization.

Business Associate Contracts with Subcontractors

Most Covered Entities and Business Associates are familiar with the requirement to enter into a Business Associate Agreement before ePHI is disclosed by a Covered Entity to a Business Associate, but it is not so widely known that a Business Associate has to enter into a Business Associate Contract before disclosing ePHI to a subcontractor, or to another of the Covered Entity's Business Associates acting as a subcontractor for the primary Business Associate.

Originally, Business Associates had to ensure any subcontractors to whom they disclosed ePHI had appropriate measures in place to comply with the HIPAA Administrative Safeguards of the Security Rule. However, this requirement was changed in the Final Omnibus Rule to “ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information”. Naturally, all assurances must be documented.

Relationships between Group Health Plans and Plan Sponsors

The relationship between group health plans and plan sponsors is similar to that between Covered Entities and Business Associates, with the exception that certain uses and disclosures of ePHI are allowed. In all other cases, group health plans must ensure the plan sponsor has implemented the administrative, physical, and technical safeguards required by the Security Rule before disclosing further ePHI to the plan sponsor.

It is Important to Comply with All Applicable HIPAA Safeguards

Covered Entities and Business Associates must comply with all applicable HIPAA safeguards. Ignorance of the safeguards – or how to comply with them – is not a justifiable defense if an organization is audited by HHS' Office for Civil Rights or investigated following a patient complaint or self-reported data breach. In the worst cases, substantial fines can be issued for noncompliance with safeguards organizations should have known about had they exercised due diligence.

HIPAA Safeguards FAQs

Are there further references to HIPAA safeguards in the Privacy Rule?

Yes. These can be found in the section of the Privacy Rule regarding “Other Requirements Relating to Uses and Disclosures of PHI” (45 CFR § 164.514). The relevant standards relate to limited data sets of de-identified PHI and the measures Covered Entities must have in place before disclosing limited data sets.

These include safeguarding any codes or mechanisms that could be used to re-identify PHI, entering into a data use agreement with the recipient of the limited data set, and ensuring the recipient has appropriate safeguards in place to prevent the use or disclosure of data – although de-identified – other than allowed by the data use agreement.

What security awareness training should a Covered Entity provide?

According to the HIPAA Administrative Safeguards, a security and awareness training program should be implemented for all members of the workforce – including management. The content of the program should be determined by a risk assessment to establish what threats exist to the confidentiality, integrity, and availability of ePHI.

It is important to be aware that the requirement to implement a security and awareness training program differs from the training requirements of the Privacy Rule inasmuch as all members of the workforce should undergo security awareness training regardless of their roles, and the program should be ongoing – rather than a one-off training session on policies and procedures.

How is it possible to govern the movement of devices and media in community nursing?

The standard relates to governing the movement of devices and media containing ePHI. If ePHI is stored on devices used in community nursing, the devices need to be configured to comply with the technical safeguards inasmuch as they should be PIN-locked, data should be encrypted and password protected, and the transmission of ePHI should be done over secure channels.

With regard to monitoring the movement of devices and media at all times, the physical safeguards do not stipulate around-the-clock monitoring. However, many community nursing units have “check-in” procedures to ensure the safety of nursing professionals in the community, and these procedures could be adapted to increase the governance of device movement.

Is a ransomware attack reportable if data is encrypted?

This depends. According to the HHS Fact Sheet there are circumstances in which a ransomware attack is reportable even if data is unreadable, unusable, and indecipherable by the attacker due to it being encrypted. This is because some full disk encryption systems automatically decrypt data when the system is powered on, and the operating system loaded.

The Fact Sheet does make it clear that a ransomware attack on unencrypted data is a reportable offence because, at the time of the attack, the attacker was in control of unsecured data and there is no way of knowing whether it was viewed and/or extracted or not. In these circumstances, it is impossible to prove a low probability that ePHI was compromised to avoid reporting requirements.

What are the penalties for failing to comply with the HIPAA safeguards?

The penalties for failing to comply with the HIPAA safeguards vary according to the nature of the violation, the extent of the harm caused by the violation, and the organization's previous history of HIPAA compliance. There are four tiers of violation type depending on the degree of culpability, and penalties are calculated within these tiers per violation.

It is important to be aware it is not necessary to experience a data breach in order to be issued a penalty. Eleven Covered Entities were recently investigated and fined for failing to comply with patient right of access requirements – even though no data breach had occurred. All eleven also suffered operational disruption due to the requirement to comply with a corrective action.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
