The Security Rule sets the standards for electronic patient health information (ePHI), which is the subset of what is covered by the HIPAA Privacy Rule. It establishes national standards for securing private patient data that is electronically stored or transmitted. The rule requires implementation of three types of safeguards, which you can think of as categories.
Breaking down the HIPAA Security Rule makes understanding it a little easier. The safeguards it sets in place are crucial to protecting ePHI. There are administrative, physical and technical safeguards, all of which are necessary for safely holding ePHI.
Administrative safeguards are the documented policies and procedures for managing daily operations, the conduct of workforce members and their access to ePHI, and the selection, development, and use of security controls. This section is broken down into nine standards focusing on internal organization, policies, procedures, and maintenance of the security measures that protect ePHI. The nine standards under the administrative safeguards section are:
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements
These safeguards make up over half of the HIPAA Security Rule requirements, so they are essential to complying with the rule. Overall, they are the administrative functions that should be enforced in accordance with the security standards, including assignment or delegation of security responsibility to a specific individual and security training requirements.
Physical safeguards are the physical measures, policies, and procedures that protect electronic information systems and the related buildings and equipment. The four physical safeguard standards are:
- Facility Access Controls
- Workstation Use
- Workstation Safety
- Device & Media Controls
Each of these is required at any location that houses, processes, has access to, or transmits ePHI.
ePHI can turn up in unusual and unexpected places, including internet files and metadata. Always take extra precautions when handling any device that could potentially have ePHI stored on it.
Technical safeguards are the standards focused on using technical security measures to protect ePHI in all of its forms. A clinician should determine which security measures and specific technologies are appropriate to implement in their organization, always taking the risk analysis into consideration. The five technical safeguard standards are:
- Access Controls
- Audit Controls
- Integrity Controls
- Authentication Controls
- Transmission Security
There are various ways a facility can meet the implementation specifications. The general rule states that entities may take into account the cost of various security measures in relation to the size, complexity, and capabilities of the organization. However, cost may not be the sole basis for deciding whether to implement a standard.
The Security Rule is put in place to protect physicians, health professionals, and business associates hired by an organization, as well as anyone who may come into contact with any ePHI documentation. Although it may seem daunting and overwhelming, chances are most of these procedures are already in place within an organization. To be sure you are compliant, take it step by step, and for a more in-depth understanding.