What Is The HIPAA Security Rule?
How can you be certain that your patients’ electronic health information is adequately protected? The HIPAA Security Rule was created to help you answer that question more confidently.
The HIPAA Security Rule extends the HIPAA Privacy Rule to include electronic protected health information (ePHI). All ePHI must be properly secured from unauthorized access (a breach), whether the data is at rest or in transit.
The rule was designed to be flexible enough to cover all aspects of security without requiring specific technologies or procedures to be implemented. Each organization is responsible for determining what its security needs are and how it will meet them.
Who Does the Rule Apply To?
The HIPAA Security Rule applies to covered entities and their business associates (BAs). If you’re a covered entity and you use a vendor or organization that will have access to ePHI, you need to have a written business associate agreement (BAA). A BAA states how ePHI will be used, disclosed and protected. If a breach occurs, business associates are directly liable for the same penalties as covered entities.
What Measures Do You Need to Take?
The HIPAA Security Rule requires covered entities to implement security measures to protect ePHI. Patient health information needs to be available to authorized users, but not improperly accessed or used. There are three types of safeguards that you need to implement: administrative, physical and technical.
Administrative safeguards are the policies and procedures that help protect against a breach. They determine documentation processes, roles and responsibilities, training requirements, data maintenance policies and more. Administrative protections ensure that the physical and technical protections are implemented properly and consistently.
Physical safeguards make sure data is physically protected. They include security systems and video surveillance, door and window locks, and locations of servers and computers. They even include policies about mobile devices and removing hardware and software from certain locations.
Technical safeguards are the technology and related policies that protect data from unauthorized access. Each covered entity needs to determine which technical safeguards are necessary and appropriate for the organization in order to protect its ePHI. The Department of Health and Human Services states that you need to “establish a balance between the identifiable risks and vulnerabilities to ePHI, the cost of various protective measures, and the size, complexity and capabilities of the entity.”
Start with a Risk Analysis
A risk analysis is an assessment of the potential vulnerabilities, threats, and risks to your organization’s ePHI. No single risk analysis methodology is mandated, but certain elements must be included:
- Scope analysis
- Data collection
- Vulnerabilities/threat identification
- Assessment of current security measures
- Likelihood of threat occurrence
- Potential impact of threat
- Risk level
- Periodic review/update as needed
What Happens If You’re Not HIPAA Compliant?
If you’re a covered entity, you are required by federal law to comply with the HIPAA Security Rule, or you could face strict fines and penalties. Civil penalties range from $25,000 to $1.5 million per year. Criminal penalties can also be enforced for purposefully accessing, selling, or using ePHI unlawfully. Criminal penalties include heavy fines and imprisonment: up to $250,000 and ten years in prison.
What If a Breach Occurs?
Breaches can happen even with the most secure safeguards in place. In the case of loss, theft, or certain other impermissible uses, you must notify the affected patients. If the breach involves more than 500 individuals, you must also promptly notify the Secretary of the HHS and the media in the state or jurisdiction where the individuals live.
Keeping your health information secure is an ongoing process, and making security part of your office routine requires diligence. But it’s the only way to protect your patients’ information and to protect your organization from fines and penalties.