HIPAA Security Rule
The HIPAA Security Rule was originally enacted in 2004 to provide safeguards for the confidentiality, integrity and availability of electronic PHI – both at rest and in transit. The introduction of the HIPAA Security Rule was, at the time, intended to address the evolution of technology and the movement away from paper processes to those managed by computers.
The HIPAA Security Rule was described by the Health and Human Resources’ Office for Civil Rights as “an ongoing, dynamic process that will create new challenges as covered entities’ organization and technologies change”. Although few changes were introduced in the Final Omnibus Rule of 2013, adherence to the HIPAA Security Rule took on a new importance with a revision to the criteria for reporting a breach of PHI.
Whereas prior to 2013 covered entities only had to report a breach of PHI if the breach presented a significant risk of harm to the patient’s finances or reputation, breaches, losses and inappropriate disclosures of PHI now have to be reported to the Office of Civil Rights unless it can be proven “there is a low probability that the data will be used improperly”.
As a result of these revised criteria – together with an increase in fines for a breach of PHI and the extension of the HIPAA Security Rule to cover “Business Associates” – healthcare organizations and other HIPAA covered entities started to look more closely at the administrative, physical and technical safeguards of the HIPAA Security Rule, and to implement appropriate mechanisms to prevent a breach of PHI.
The Administrative, Physical and Technical Safeguards
The administrative, physical and technical safeguards of the HIPAA Security Rule stipulate the risk assessments that have to be conducted and the mechanisms that have to be in place to:
- Restrict unauthorized access to PHI,
- Audit who, how and when PHI is accessed,
- Ensure that PHI is not altered or destroyed inappropriately,
- Make sure people are who they say they are (ID authentication), and
- Prevent the unauthorized disclosure of PHI when it is being communicated.
If mechanisms are not put in place to comply with the “addressable” safeguards of the HIPAA Security Rule, the reasons why must be documented. In the past there has been a misconception that “addressable” safeguards are optional, but this is not the case. An addressable safeguard must be implemented unless a substitute measure achieves the objective of the safeguard with equal (or greater) protection, or it can be shown that the safeguard is not applicable in a specific scenario.
An example of an “addressable” safeguard is the encryption of PHI in transit. The encryption of PHI in transit is necessary because copies of SMS and email messages remain on service providers’ servers indefinitely. SMS and emails can also be intercepted and their contents read when they are transmitted over public cellphone networks or public WiFi. There is no appropriate substitute for encrypting PHI in transit, so the only justifiable reason for a healthcare organization not encrypting its SMS and email messages is that communications containing PHI remain within a private communications network and are protected by a firewall on its server.
For many healthcare organizations, maintaining communications behind an internal firewall is not an acceptable scenario. It would mean that lab reports and test results could not be delivered by email, on call doctors would be unable to receive information about their patients other than by word of mouth, and community nurses would spend more time traveling to escalate patient concerns than they would caring for their patients.
Complying with the administrative, physical and technical safeguards of the HIPAA Security Rule also means that the 80% of healthcare providers that rely on personal mobile devices to support their workflows would have to abandon the speed and convenience of modern technology and return to the archaic paging system. Fortunately, solutions exist to resolve these issues.
How Technology Aids Compliance with the HIPAA Security Rule
When the HIPAA Security Rule was enacted, the Department of Health and Human Services acknowledged that technology is always advancing. However, the HHS did not want to tie healthcare organizations down to a specific technology that could be out of date within a few years. Consequently, the administrative, physical and technical safeguards of the HIPAA Security Rule are “technology neutral”, enabling covered entities to find the most appropriate solutions for their individual circumstances.
Different covered entities have selected different mechanisms in order to comply with the HIPAA Security Rule. Secure messaging solutions have enabled the secure communication of PHI without losing the speed and convenience of mobile technology; web filtering solutions have mitigated the risk of surveillance malware being responsible for a HIPAA breach, and secure email archiving ensures that medical records attached to emails are encrypted and stored in a HIPAA compliant location.
With mechanisms in place to ensure only authorized personnel have access to PHI, and a timestamped audit trail to monitor how it is handled, these technologies are unlikely to be out of date in the near future. Indeed, cloud security is a blossoming industry that will only evolve to meet new challenges as technology advances, working practices change or revisions are made to the existing regulations.
The Advantages of Technology to the Healthcare Industry
In addition to helping healthcare organizations comply with the HIPAA Security Rule, HITECH and the Meaningful Use incentive program, there are multiple advantages of implementing technological solutions for the healthcare industry.
Secure messaging has been shown to accelerate the communications cycle by eliminating phone tag. Medical professionals are now advised when their messages have been received and read; and, as text messages are generally responded to more quickly than emails, responses are usually received in less time.
Although implemented to prevent inadvertent downloads of malware, web filtering has the added advantage of preventing employees from engaging in cyberslacking. If the filtering parameters are set to exclude most non-work related online activities, productivity increases, potential HR issues are avoided and the workplace becomes more user friendly.
Secure Text Archiving
Healthcare organizations that implement secure text archiving may not see an increase in productivity, but they will release an incredible amount of storage space on their computer systems. The indexing of emails and their content will also enable healthcare organizations to retrieve important documents more quickly if required for discovery or compliance audits.
HIPAA Security Rule FAQs
Why does the Security Rule have “required” and “addressable” safeguards?
Because the HIPAA Security Rule applies to many different types of organizations, it was felt that if all the safeguards were “required” safeguards it would place an unnecessary burden on many Covered Entities. Consequently, the Security Rule requires Covered Entities to implement some safeguards, but allows a degree of flexibility with “addressable” safeguards if an existing or substitute measure achieves the objective of the safeguard with equal (or greater) protection, or it can be shown that the safeguard is not applicable in a specific scenario.
How can Covered Entities ensure “people are who they say they are”?
There are various ID authentication methods used by Covered Entities and Business Associates to control access to ePHI and monitor activity, such as password managers with event logging capabilities. However, it is important that Covered Entities also implement and enforce policies to prevent credential sharing when shared credentials can provide access to systems containing ePHI.
How can surveillance malware result in a breach of HIPAA?
Surveillance malware (also known as “spyware”) enables cybercriminals to log keystrokes such as login credentials for healthcare systems. With this information, cybercriminals can remotely access the systems and exfiltrate ePHI to commit identity theft and healthcare fraud. Other types of malware can impact the availability of ePHI (for example ransomware) or corrupt data so it is unreliable.
What prompted the changes to the HIPAA Security Rule in 2013?
Many of the changes to the HIPAA Security Rule were attributable to the passage of the HITECH Act in 2009. HITECH paved the way for CMS’ Meaningful Use incentive program and concerns existed that the increased adoption of technology may result in an increased incidence of data breaches, especially as more data would likely be transmitted between Covered Entities and Business Associates.
Will there likely be further changes to the Security Rule in the future?
While the text of the Security Rule has not changed since 2013, the way in which the Rule is applied has changed in response to the COVID-19 health emergency and also the Cybersecurity Safe Harbor provision in 2021. Changes to the HIPAA Privacy Rule are currently being discussed, and these may have an impact on the content and/or the application of the HIPAA Security Rule in the near future.
Find Out More about the HIPAA Security Rule
To find out more about the HIPAA Security Rule and secure messaging, you are invited to download and read our “HIPAA Compliance Guide” – a comprehensive white paper that elaborates on the administrative, physical and technical safeguards of the HIPAA Security Rule and how technology resolves the issues that these safeguards might create within a healthcare environment.
The information about technological solutions for complying with the HIPAA Security Rule provides more detail than has been included in this article, and it is supported by case studies from healthcare organizations that have implemented technological solutions in order to comply with the HIPAA Security Rule. Vendor contact details are also included in the guide if you have any questions about which technology is the most appropriate solution for your healthcare organization.