
HIPAA Security Rule

The HIPAA Security Rule is a subpart of the HIPAA Privacy Rule inasmuch as the Privacy Rule applies to all Protected Health Information (PHI) created, received, stored, or transmitted by a covered entity or business associate, whereas the Security Rule applies to PHI created, received, stored, or transmitted electronically (ePHI). The reason for there being a separate Security Rule is that ePHI is more vulnerable to remote attacks.

The HIPAA Security Rule was originally published in 2003 to provide safeguards for the confidentiality, integrity and availability of electronic PHI – both at rest and in transit. The introduction of the HIPAA Security Rule was, at the time, intended to address the evolution of technology and the movement away from paper processes to those managed by computers.

The HIPAA Security Rule was described by the Department of Health and Human Services' Office for Civil Rights as "an ongoing, dynamic process that will create new challenges as covered entities' organization and technologies change". Although few changes were introduced in the Final Omnibus Rule of 2013, adherence to the HIPAA Security Rule took on a new importance with a revision to the criteria for reporting a breach of PHI.

Prior to 2013, covered entities only had to report a breach of PHI if the breach presented a significant risk of harm to the patient's finances or reputation. Since then, breaches, losses and inappropriate disclosures of PHI have to be reported to the Office for Civil Rights unless it can be proven "there is a low probability that the data will be used improperly".


As a result of these revised criteria, together with an increase in fines for a breach of PHI and the extension of the HIPAA Security Rule to cover "Business Associates", healthcare organizations and other HIPAA covered entities started to look more closely at the administrative, physical and technical safeguards of the HIPAA Security Rule, and to implement appropriate mechanisms to prevent a breach of PHI.

The Administrative, Physical and Technical Safeguards

The administrative, physical and technical safeguards of the HIPAA Security Rule stipulate the risk assessments that have to be conducted and the mechanisms that have to be in place to:

  • Restrict unauthorized access to PHI,
  • Audit who, how and when PHI is accessed,
  • Ensure that PHI is not altered or destroyed inappropriately,
  • Make sure people are who they say they are (ID authentication), and
  • Prevent the unauthorized disclosure of PHI when it is being communicated.

If mechanisms are not put in place to comply with the "addressable" safeguards of the HIPAA Security Rule, the reasons why must be documented. There has in the past been a misconception that "addressable" safeguards are optional, but this is not the case. An addressable safeguard must be implemented unless a substitute measure achieves the objective of the safeguard with equal (or greater) protection, or it can be shown that the safeguard is not applicable in a specific scenario.

An example of an "addressable" safeguard is the encryption of PHI in transit. The encryption of PHI in transit is necessary because copies of SMS and email messages remain on service providers' servers indefinitely. SMS and emails can also be intercepted and their contents read when they are transmitted over public cellphone networks or public WiFi. There is no appropriate substitute for encrypting PHI in transit, so the only justifiable reason for a healthcare organization not encrypting its SMS and email messages is that communications containing PHI remain within a private communications network and are protected by a firewall on its server.

For many healthcare organizations, maintaining communications behind an internal firewall is not an acceptable scenario. It would mean that lab reports and test results could not be delivered by email, on-call doctors would be unable to receive information about their patients other than by word of mouth, and community nurses would spend more time traveling to escalate patient concerns than they would caring for their patients.

Complying with the administrative, physical and technical safeguards of the HIPAA Security Rule also means that the 80% of healthcare providers that rely on personal mobile devices to support their workflows would have to abandon the speed and convenience of modern technology and return to the archaic paging system. Fortunately, solutions exist to resolve these issues.

How Technology Aids Compliance with the HIPAA Security Rule

When the HIPAA Security Rule was enacted, the Department of Health and Human Services acknowledged that technology is always advancing. However, the HHS did not want to tie healthcare organizations down to a specific technology that could be out of date within a few years. Consequently, the administrative, physical and technical safeguards of the HIPAA Security Rule are "technology neutral", enabling covered entities to find the most appropriate solutions for their individual circumstances.

Different covered entities have selected different mechanisms in order to comply with the HIPAA Security Rule. Secure messaging solutions have enabled the secure communication of PHI without losing the speed and convenience of mobile technology; web filtering solutions have mitigated the risk of surveillance malware being responsible for a HIPAA breach; and secure email archiving ensures that medical records attached to emails are encrypted and stored in a HIPAA compliant location.

With mechanisms in place to ensure only authorized personnel have access to PHI, and a timestamped audit trail to monitor how it is handled, these technologies are unlikely to be out of date in the near future. Indeed, cloud security is a blossoming industry that will only evolve to meet new challenges as technology advances, working practices change or revisions are made to the existing regulations.

The Advantages of Technology to the Healthcare Industry

In addition to helping healthcare organizations comply with the HIPAA Security Rule, HITECH and the Meaningful Use incentive program, there are multiple advantages of implementing technological solutions for the healthcare industry.

Secure Messaging

Secure messaging has been shown to accelerate the communications cycle by eliminating phone tag. Medical professionals are now notified when their messages have been received and read, and, as text messages are generally responded to more quickly than emails, responses are usually received in less time.

Web Filtering

Although implemented to prevent inadvertent downloads of malware, web filtering has the added advantage of preventing employees from engaging in cyberslacking. If the filtering parameters are set to exclude most non-work-related online activities, productivity increases, potential HR issues are avoided and the workplace becomes more user friendly.

Secure Text Archiving

Healthcare organizations that implement secure text archiving may not see an increase in productivity, but they will free up a considerable amount of storage space on their computer systems. The indexing of emails and their content will also enable healthcare organizations to retrieve important documents more quickly if required for discovery or compliance audits.

HIPAA Security Rule FAQs

Why does the Security Rule have "required" and "addressable" safeguards?

Because the HIPAA Security Rule applies to many different types of organizations, it was felt that if all the safeguards were "required" safeguards it would place an unnecessary burden on many Covered Entities. Consequently, the Security Rule requires Covered Entities to implement some safeguards, but allows a degree of flexibility with "addressable" safeguards if an existing or substitute measure achieves the objective of the safeguard with equal (or greater) protection, or it can be shown that the safeguard is not applicable in a specific scenario.

How can Covered Entities ensure "people are who they say they are"?

There are various ID authentication methods used by Covered Entities and Business Associates to control access to ePHI and monitor activity, such as password managers with event logging capabilities. However, it is important that Covered Entities also implement and enforce policies to prevent credential sharing, since shared credentials can provide access to systems containing ePHI.

How can surveillance malware result in a breach of HIPAA?

Surveillance malware (also known as "spyware") enables cybercriminals to log keystrokes such as login credentials for healthcare systems. With this information, cybercriminals can remotely access the systems and exfiltrate ePHI to commit identity theft and healthcare fraud. Other types of malware can impact the availability of ePHI (for example, ransomware) or corrupt data so that it is unreliable.

What prompted the changes to the HIPAA Security Rule in 2013?

Many of the changes to the HIPAA Security Rule were attributable to the passage of the HITECH Act in 2009. HITECH paved the way for CMS' Meaningful Use incentive program, and concerns existed that the increased adoption of technology might result in an increased incidence of data breaches, especially as more data would likely be transmitted between Covered Entities and Business Associates.

Will there likely be further changes to the Security Rule in the future?

While the text of the Security Rule has not changed since 2013, the way in which the Rule is applied has changed in response to the COVID-19 health emergency and also the Cybersecurity Safe Harbor provision in 2021. Changes to the HIPAA Privacy Rule are currently being discussed, and these may have an impact on the content and/or the application of the HIPAA Security Rule in the near future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
