Overview of the HIPAA Security Rule
The Security Rule establishes standards for the protection of patients’ PHI and personally identifiable information (PII). It also creates a framework for regulatory compliance to protect PII and rules regarding notification of affected individuals in the event of a breach.
Purpose and Scope
According to the HHS, the Security Rule is designed to ensure that covered entities establish the safeguards necessary to protect patient healthcare data and PII. It responds to the exponential growth in the volume of PHI exchanged between covered entities and noncovered entities.
The scope of the Security Rule is quite expansive, covering health plans, healthcare clearinghouses, and any healthcare provider who transmits health information.
4 Main Objectives
1. Ensure confidentiality of electronic PHI (ePHI).
As more patient data becomes available in digital formats, protecting ePHI is an absolute requirement.
2. Identify and protect against reasonably anticipated threats.
While not all cyberthreats can be identified in advance, covered entities are responsible for protecting patients’ information against threats that are already known.
3. Protect against impermissible uses or disclosures.
This is important for providers because it covers technology tools, people, and processes.
4. Ensure compliance by the covered entity’s workforce.
All members of covered entities must take the proper safeguards to ensure patient data privacy and security. This means covered entities need to educate employees on Security Rule requirements and train them on ensuring compliance.
HIPAA Security Rule Requirements
The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).
1. Administrative Safeguards
Administrative safeguards are intended to identify potential risks to PHI and to put in place measures that reduce security risks and vulnerabilities. They also require that a security official be designated to develop and implement the covered entity’s security policies and procedures. Providers are also required to assess regularly how effectively their security policies are meeting the requirements of the HIPAA Security Rule.
2. Physical Safeguards
Physical safeguards cover issues such as limiting unauthorized physical access to facilities, while still allowing authorized access to take place. Covered entities also are required to deploy policies and procedures covering proper handling of electronically stored data and electronic media containing PII and PHI.
3. Technical Safeguards
Technical safeguards are designed to put in place the right technical policies that ensure that only properly authorized persons can access digital records and other electronic information. This covers not only the hardware, software, and services required to capture, store, and manage healthcare and medical records, but also the security credentials and authentication procedures that govern access.
They also include encryption and other technologies designed to safeguard against improper access to PHI and ePHI over a digital network.
The HIPAA Breach Notification Rule
HHS defines a data breach as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Preventing breaches is an unquestioned priority for care delivery organizations for a wide range of reasons. However, in the event a breach does occur, the HIPAA Breach Notification Rule mandates that HIPAA-covered entities and their business associates provide notification following a breach of unsecured PHI.
In the event of a breach of unsecured PHI, covered entities must notify affected individuals about the breach. That notification typically is made either by sending physical mail or, if a patient has opted to receive correspondence from the covered entity by electronic media, the alert may be made via email.
Covered entities also must alert the HHS Secretary to the breach, and, in some cases, may have to notify media outlets. Additionally, third-party business associates must similarly alert affected individuals if the breach occurs at or by the business associate.
HIPAA Compliance and Enforcement
The HHS Office for Civil Rights oversees HIPAA compliance and enforcement for most HIPAA-covered entities. Because it is considered a law enforcement agency, most of the activities undertaken by the Office for Civil Rights are private and typically not publicized.
Compliance-related provisions are part of the HIPAA Enforcement Rule, which covers investigations, potential civil monetary penalties for violations, and procedures for hearings.
Best Practices for HIPAA Compliance
Covered entities should adopt sound business, technological, and operational practices to ensure that they are fully HIPAA-compliant at all times. These should cover steps such as risk assessment, monitoring for unusual system activity, defining clear roles and responsibilities, and testing the procedures to be followed in the event of an ePHI data breach.
Of course, putting in place the right technology tools, applications, and services is key to building the proper HIPAA compliance framework.
HHS also provides valuable tools to help covered entities understand best practices for HIPAA compliance. The Office for Civil Rights has produced a video presentation for HIPAA covered entities and business associates on “recognized security practices.” Topics include:
- The 2021 HITECH Amendment regarding recognized security practices
- How regulated entities can demonstrate recognized security practices are in place
- How OCR is requesting evidence of recognized security practices
- Resources for information about recognized security practices
- OCR’s answers to questions on recognized security practices
Internal training with employees — practitioners, medical staff, IT, cybersecurity, and all line-of-business employees — should be part of a regular regimen to ensure the entire organization takes the right steps to secure ePHI and PII.
Potential Trends in HIPAA Security Rule
Since it was first enacted, HIPAA has been a dynamic piece of legislation, regularly undergoing updates and expansions to reflect the changes in the healthcare industry and its increased use of digital technology. Some of the key areas that decision-makers at covered entities must understand and account for are:
1. Strengthened Cybersecurity Measures
Because of the ever-evolving threat landscape, healthcare organizations should put in place the budgets, processes, expertise, and tools needed to defend the organization against fast-emerging threats.
2. Emerging Technologies
Next-generation firewalls, anti-ransomware tools, threat intelligence services, cloud security, identity management, managed detection and response, endpoint security, and internet of medical things (IoMT) security are essential elements of a wider cybersecurity technology framework.
3. Enhanced Data Privacy and Consent
Healthcare organizations are increasingly tasked to comply with stronger data privacy and consent regulations, such as the General Data Protection Regulation (GDPR) in the EU and similar regulations currently in place across the US.
4. Third-Party Vendor Management
Business associates — persons or entities that perform functions using or disclosing PHI on behalf of a covered entity — must also comply with the Security Rule. Providers must regularly and routinely monitor how business associates and other third parties interact with PHI and PII, and verify that they are following appropriate guidelines for the handling and protection of that data.
5. Increased Collaboration and Information Sharing
Just as HIPAA regulations in general, and the Security Rule specifically, are ever-changing, so are the steps necessary to ensure compliance and the confidentiality of patient data.
The dramatic increase in the use of specialized healthcare delivery means that patient information is being shared with greater frequency and with a wider array of systems. This increases the potential for breaches and regulatory problems, prompting organizations to find more ways to collaborate to protect patient data, especially in interconnected healthcare delivery processes.
The diverse nature of care continuity — hospitals, acute care facilities, urgent care, doctors’ offices, ambulatory care, and telemedicine — means that this trend toward greater collaboration among providers is especially mission critical.
Learn about how Palo Alto Networks is the cybersecurity leader of choice for hospitals and health systems worldwide. Visit www.paloaltonetworks.com/healthcare.
HIPAA Security Rule FAQs