HIPAA Security Rule: Explanation and Guidance

[45 CFR §§ 160, 162, 164]


Scope

The HIPAA Security Rule applies to HIPAA Covered Entities and their Business Associates. The Security Rule focuses on safeguarding electronic Protected Health Information (ePHI) that a Covered Entity or Business Associate creates, receives, maintains, or transmits; PHI held on paper or communicated orally is governed by the Privacy Rule, not the Security Rule. The Security Rule requires appropriate Administrative, Physical and Technical Safeguards to ensure the Confidentiality, Integrity, and Availability of ePHI.

Definitions

  • Addressable means that a covered entity has additional flexibility with respect to compliance with security standards; it does not mean optional. For each addressable specification a covered entity must do one of the following: (a) implement the addressable implementation specification; (b) implement one or more alternative security measures that accomplish the same purpose; or (c) implement neither the addressable implementation specification nor an alternative. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure within its particular security framework: it must implement the specification if doing so is reasonable and appropriate, and must implement an equivalent alternative if the specification is not reasonable and appropriate but a reasonable and appropriate alternative exists. This decision depends on factors such as the entity's risk analysis, its risk mitigation strategy, the security measures already in place, and the cost of implementation. Whatever the covered entity decides must be documented in writing, including the factors considered and the results of the risk assessment on which the decision was based. [https://www.hhs.gov/hipaa/for-professionals/faq/2020/what-is-the-difference-between-addressable-and-required-implementation-specifications/index.html]
  • Administrative Safeguards are administrative actions, policies, and procedures that manage the selection, development, implementation, and maintenance of security measures to protect electronic Protected Health Information (ePHI) and to manage the conduct of the Covered Entity’s or Business Associate’s workforce in relation to the protection of that ePHI. [45 CFR § 164.304].
  • Availability means that data or information is accessible and usable upon demand by an authorized person. [45 CFR § 164.304].
  • Confidentiality means the data or information is not made available or disclosed to unauthorized persons or processes. [45 CFR § 164.304].
  • Integrity means the data or information has not been altered or destroyed in an unauthorized manner. [45 CFR § 164.304].
  • Physical Safeguards are the physical measures, policies, and procedures to protect a Covered Entity’s or Business Associate’s ePHI systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusions. [45 CFR § 164.304].
  • Technical Safeguards are the technology – and the policies and procedures for its use – that protect ePHI and control access to it. [45 CFR § 164.304].
  • Workforce means paid or unpaid employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate. [45 CFR § 160.103].

General Rules [45 CFR § 164.306]

Covered Entities and Business Associates must:

  1. Ensure the Confidentiality, Integrity, and Availability of all ePHI that the Covered Entity or Business Associate creates, receives, maintains or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the Security or Integrity of such ePHI.
  3. Protect against any reasonably anticipated uses or disclosures of such ePHI that are not permitted or required under 45 CFR §§ 164.500 – 164.534.
  4. Ensure compliance with these requirements by its workforce.

The Security Rule is flexible and scalable, allowing Covered Entities to analyze their own needs and implement solutions for their specific environments. In deciding what security measures to use, the Covered Entity or Business Associate must take into account:

  1. Its size, complexity, and capabilities,
  2. Its technical infrastructure, hardware, and software security capabilities,
  3. The costs of security measures, and
  4. The probability and criticality of potential risks to ePHI.

Covered Entities and Business Associates must adopt, maintain, review, and update written policies and procedures that are reasonable and appropriate. These policies and procedures, along with written records of required actions, activities or assessments, must be retained for six years from the date of their creation or the date when they were last in effect, whichever is later, and must be available to the workforce members responsible for implementing them. [45 CFR § 164.316].


Administrative Safeguards [45 CFR § 164.308]

A Covered Entity or Business Associate is required to implement or must address:

  1. Security Management: policies and procedures to prevent, detect, contain, and correct security violations. This includes:
    1. Risk Analysis (Required): an accurate and thorough assessment of the potential risks and vulnerabilities to the Confidentiality, Integrity, and Availability of ePHI held by the Covered Entity or Business Associate, including the likelihood and impact of each risk.
    2. Risk Management (Required): security measures implemented that are sufficient to reduce risks and vulnerabilities to a reasonable level as discussed in 45 CFR § 164.306(a).
    3. Sanction Policy (Required): application of appropriate sanctions against workforce members who fail to comply with security policies and procedures.
    4. Information System Activity Review (Required): procedures to regularly review records of information system activity such as audit logs, access reports, and security incident tracking reports. 
  2. Security Responsibility: identify the security official who is responsible for the development and implementation of these policies and procedures.
  3. Workforce Security: ensure all workforce members have appropriate access to ePHI and prevent unauthorized workforce members from obtaining access to ePHI.
  4. Information (ePHI) Access Management: authorize access to ePHI only when such access is appropriate based on the user or recipient’s role (role-based access).
  5. Security Awareness and Training: implement training for all workforce members that addresses periodic security updates; procedures for malware detection and reporting; procedures for monitoring logins; and procedures for creating, changing and safeguarding passwords.
  6. Security Incident Procedures: identify and respond to suspected or known security incidents; mitigate harmful effects; and document security incidents and their outcomes.
  7. Contingency Plans: response to emergencies or other occurrences that damage systems that contain ePHI. This includes:
    1. Data Backup Plan (Required): creation and maintenance of retrievable exact copies of ePHI.
    2. Disaster Recovery Plan (Required): procedures to restore any loss of data.
    3. Emergency Mode Operation Plan (Required): procedures for business continuity and protection of ePHI while operating in emergency mode.
    4. Testing and Revision (Addressable): periodic testing and revision of contingency plans.
    5. Applications and Data Criticality Analysis (Addressable): assess the relative criticality of specific applications and data in support of the other contingency plan components.
  8. Evaluation: periodic technical and nontechnical evaluations based on standards implemented under the Security Rule and in response to environmental or operational changes that affect the security of ePHI.

Physical Safeguards [45 CFR § 164.310]

A Covered Entity or Business Associate is required to implement:

  1. Facility Access Controls: limit physical access to ePHI systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.
  2. Workstation Use and Security: specify the proper functions to be performed at workstations that access ePHI, the manner in which they are performed, and the physical safeguards that restrict workstation access to authorized users.
  3. Device and Media Controls: govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and their movement within it. This must include policies and procedures for the final disposal of ePHI and of the hardware or electronic media on which it is stored (Required), and procedures for removing ePHI from electronic media before the media are made available for re-use (Required). [45 CFR § 164.310(d)].

Technical Safeguards [45 CFR § 164.312]

A Covered Entity or Business Associate is required to implement:

  1. Access Control: technical policies and procedures that allow only authorized persons or software programs to access ePHI. This includes assigning a unique name or number to each user so that activity can be traced to an individual (Required), an emergency access procedure (Required), automatic logoff (Addressable), and encryption and decryption of ePHI at rest (Addressable).
  2. Audit Controls: hardware, software, or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI. Audit records are only useful for the Information System Activity Review required under the Administrative Safeguards if each record can be attributed to a unique user.
  3. Integrity Controls: policies, procedures and electronic mechanisms to ensure that ePHI is not improperly altered or destroyed, including a means to corroborate that ePHI has not been altered or destroyed in an unauthorized manner (Addressable).
  4. Person or Entity Authentication: procedures to verify that a person or entity seeking access to ePHI is the one claimed. [45 CFR § 164.312(d)].
  5. Transmission Security: technical security measures that guard against unauthorized access to ePHI being transmitted over an electronic network, including integrity controls (Addressable) and encryption whenever it is deemed appropriate (Addressable).
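The Information System Activity Review standard under the Administrative Safeguards and the Audit Controls standard above together require that access to ePHI be recorded and regularly examined. As an added example (not part of NIU's page, the regulation, or NIST SP 800-66), the following Python reviews a constructed audit trail against a constructed user directory and flags the kinds of activity a reviewer would want to look at: access by users not in the directory, access outside the user's role, after-hours access, bulk access to many patient records in a short time, and denied access attempts. The log format, user directory, role permissions, business hours and bulk threshold are all assumptions made for the example.

```python
"""Information System Activity Review over a constructed ePHI audit trail.

Added example: the log lines, users and policy below are constructed for
illustration and are not real data or NIU's own review procedure.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed user directory (assumed). Every audit record carries the unique
# user ID that the Access Control standard requires, so each event can be
# attributed to one person.
USERS = {
    "jsmith": {"role": "nurse", "unit": "cardiology"},
    "mlee": {"role": "billing", "unit": "finance"},
    "tnguyen": {"role": "physician", "unit": "cardiology"},
}

# Constructed role-based access policy (assumed): which roles may read
# which record types.
ROLE_PERMISSIONS = {
    "clinical_note": {"nurse", "physician"},
    "claim": {"billing"},
}

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time (assumed)
BULK_THRESHOLD = 5              # distinct patients per user per clock hour (assumed)

# Constructed audit trail (assumed format):
# <ISO timestamp> <user> <action> <record type> patient=<id> result=<outcome>
AUDIT_LOG = """\
2024-03-04T09:12:03 jsmith READ clinical_note patient=1001 result=success
2024-03-04T09:15:41 jsmith READ clinical_note patient=1002 result=success
2024-03-04T22:47:10 mlee READ clinical_note patient=1001 result=success
2024-03-04T10:02:00 mlee READ claim patient=1003 result=success
2024-03-04T10:03:15 tnguyen READ clinical_note patient=1001 result=success
2024-03-04T10:03:16 tnguyen READ clinical_note patient=1004 result=success
2024-03-05T03:10:00 tnguyen READ clinical_note patient=1005 result=success
2024-03-05T03:10:01 tnguyen READ clinical_note patient=1006 result=success
2024-03-05T03:10:02 tnguyen READ clinical_note patient=1007 result=success
2024-03-05T03:10:03 tnguyen READ clinical_note patient=1008 result=success
2024-03-05T03:10:04 tnguyen READ clinical_note patient=1009 result=success
2024-03-05T03:10:05 tnguyen READ clinical_note patient=1010 result=success
2024-03-05T08:00:00 ghost READ clinical_note patient=1001 result=success
2024-03-05T08:01:00 jsmith READ clinical_note patient=1011 result=denied
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str
    record_type: str
    patient: str
    result: str


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    detail: str


def parse_audit_log(text):
    """Parse the constructed space-separated audit format into AuditEvents."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record_type, patient_kv, result_kv = line.split()
        events.append(AuditEvent(
            ts=datetime.fromisoformat(ts),
            user=user,
            action=action,
            record_type=record_type,
            patient=patient_kv.split("=", 1)[1],
            result=result_kv.split("=", 1)[1],
        ))
    return events


def review_activity(events, users=USERS, permissions=ROLE_PERMISSIONS):
    """Return the findings a reviewer should examine, in log order."""
    findings = []
    patients_per_hour = defaultdict(set)   # (user, hour) -> distinct patients
    for e in events:
        where = f"{e.action} {e.record_type} patient={e.patient} at {e.ts.isoformat()}"
        if e.result != "success":
            # Repeated denials can indicate probing or a broken access rule.
            findings.append(Finding("denied_access", e.user, where))
            continue
        profile = users.get(e.user)
        if profile is None:
            # Successful access under an ID that is not in the directory.
            findings.append(Finding("unknown_user", e.user, where))
            continue
        if profile["role"] not in permissions.get(e.record_type, set()):
            findings.append(Finding("role_mismatch", e.user,
                                    f"role {profile['role']} read {where}"))
        if e.ts.hour not in BUSINESS_HOURS:
            findings.append(Finding("after_hours", e.user, where))
        hour = e.ts.replace(minute=0, second=0, microsecond=0)
        patients_per_hour[(e.user, hour)].add(e.patient)
    for (user, hour), patients in patients_per_hour.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(Finding("bulk_access", user,
                                    f"{len(patients)} distinct patients in hour starting {hour.isoformat()}"))
    return findings


def summarize(findings):
    """Count findings by kind for the review record."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in review_activity(parse_audit_log(AUDIT_LOG)):
        print(f"{f.kind:15} {f.user:10} {f.detail}")
```

The review itself is evidence under the Security Rule: the findings, who reviewed them, and the outcome of each should be written down and retained with the other documentation for the six-year period, since the standard asks for the review to be performed regularly, not merely for the logs to exist.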

Compliance

Violations of HIPAA, including the HIPAA Security Rule, can result in both civil and criminal penalties.

To assist in auditing compliance with HIPAA requirements, NIU follows guidelines and checklists established by the National Institute of Standards and Technology (NIST), specifically NIST’s Special Publication (SP) 800-66, Revision 1: An Introductory Resource Guide for Implementing the HIPAA Security Rule (https://csrc.nist.gov/publications/detail/sp/800-66/rev-1/final). NIST published Revision 2 of SP 800-66 in February 2024, which supersedes Revision 1 and maps the Security Rule standards to the NIST Cybersecurity Framework.