Even years after Congress enacted HIPAA, healthcare providers are still confused about its specific requirements. This confusion leads to misconceptions and costs providers time, resources, and sometimes hefty fines for non-compliance.
One of the most common myths is that if a provider’s database software is “HIPAA-compliant,” implementing processes and controls to address possible security gaps is unnecessary.
Another misconception is that HIPAA regulations apply only to electronically transmitted data.
As a result, we keep witnessing HIPAA violations that threaten patients’ security and privacy. For example, in February 2020 alone, more than 1.5 million patient records were breached. Hacking and IT incidents were responsible for over two-thirds of them (67%).
In the same period, the Protected Health Information (PHI) of over 21,000 patients was impermissibly disclosed because of improper disposal of physical documents and lost paperwork.
HIPAA law can seem overwhelming, but knowing and preventing security and privacy risks will help you focus on running your business instead of worrying about potential audit fines.
Healthcare providers can make sure that patient data is safe by complying with the HIPAA Security Rule requirements in three categories of safeguards: administrative, physical, and technical.
In this article, we cover these three components of the HIPAA law that you must be aware of when creating a HIPAA compliance strategy for your company.
The Administrative Safeguards of the HIPAA Security Rule
The HIPAA Security Rule defines administrative safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
Half of the HIPAA Security Rule requirements concern administrative safeguards, which consist of the following nine standards:
1. Security Management Process
Covered entities must set up a process to prevent, detect, and correct security violations and to guide their employees in HIPAA compliance. Healthcare organizations must carry out risk analysis and risk management, implement a sanction policy, and perform information system activity reviews. Organizations should have a solid strategy to protect the integrity and confidentiality of PHI.
2. Assigned Security Responsibility
The healthcare organization must identify and appoint a HIPAA security and privacy officer(s). Depending on the organization’s size and technical capabilities, this role can be assigned to one person (a Privacy & Security Officer) or two employees.
3. Workforce Security
Organizations have to implement policies and procedures to supervise employees’ access to PHI and to decide who has the authority to grant or remove this access.
4. Information Access Management
Covered entities must ensure that they grant access to PHI only to entities and individuals who need it for valid reasons. For example, an organization has to limit the PHI that partner organizations and subcontractors can access to what their work requires.
5. Security Awareness and Training
Healthcare organizations must introduce security training for their workforce. It includes regular reminders about privacy and security, implementation of password policies, protection against malicious software, and log-in monitoring.
6. Security Incident Procedures
This standard requires organizations to enforce procedures to identify, report, and respond to security incidents. Entities must decide how employees will report the incidents and train them to react appropriately in various situations to protect PHI security.
7. Contingency Plan
The contingency plan must outline the organization’s strategies for recovering PHI access in case of a natural disaster or loss of power. The plan includes backup materials (backup storage or recovery disks) and procedures for ensuring the security of the PHI during emergency mode operations. Healthcare organizations must regularly test and update contingency plans.
8. Evaluation
Healthcare organizations must perform regular assessments to make sure that their HIPAA compliance procedures keep pace with changes in their operations or business environment.
9. Business Associate Contracts and other arrangements
Covered entities must sign a business associate agreement (BAA) with anyone handling PHI to confirm that they will follow the HIPAA requirements and appropriately safeguard patient information. Handling includes creating, receiving, transmitting, and storing PHI.
The Physical Safeguards of the HIPAA Security Rule
Organizations must prevent the physical removal of PHI from the facility and regulate access to PHI with internal policies and procedures.
Examples of physical safeguards include swipe card systems to control access to the building, locks on file cabinets and office doors in areas that contain PHI, and protection of computer screens from public view.
According to the HIPAA Security Rule, Physical Safeguards include four standards:
- Facility Access Controls
Healthcare organizations must enforce policies and procedures to regulate physical access to PHI. These procedures must cover access in the event of an emergency and protection of the facility and equipment from tampering, theft, and other unauthorized physical access.
To comply with the physical safeguards, the organization has to implement access validation procedures, for example, role-based ID badges for employees and visitor badges. It is also necessary to keep maintenance records of repairs and modifications that may affect PHI security, such as work on walls, doors, locks, and hardware.
- Workstation Use
This standard requires medical organizations to implement procedures that cover the proper use of workstations, such as desktops and laptops. These procedures should outline functions that these workstations perform and their physical security.
- Workstation Security
Covered entities must prevent unauthorized users from accessing ePHI by implementing physical safeguards for every workstation that can access ePHI.
- Device and Media Controls
This standard governs the policies and procedures that healthcare organizations must introduce to control the disposal, accountability, reuse, and data backup and storage of hardware and electronic media that contain ePHI. Organizations are also required to keep accurate records of the movements of this hardware and media and of the employees responsible for them.
The Technical Safeguards of the HIPAA Security Rule
The technical safeguards focus on technology that prevents data misuse and protects electronic PHI. Examples of these safeguards include unique user IDs, audit trails, encryption, and data verification policies. Although HIPAA does not specify particular compliant software, the technology that an organization uses must adhere to all standards outlined in the Security Rule:
- Authentication and Access Control
Healthcare organizations must track and control access to ePHI by assigning a unique name or number to each user, implementing software for encryption and decryption of ePHI, and enforcing electronic procedures for automatic logoff. Moreover, the entities must have procedures to verify the identity of a person requesting access to patient information.
This standard also calls for processes that enable emergency access to ePHI when necessary.
- Integrity and Audit Controls
Organizations must set up software or hardware to record and audit activity in systems that contain ePHI.
Additionally, these standards call for electronic mechanisms to verify ePHI integrity, so that unauthorized modification or destruction of data can be detected.
- Transmission Security
Similar to the other technical safeguards, the Transmission Security standard calls for encryption of ePHI in transit and for measures to detect data modification.
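To make the technical safeguards concrete, here is an added example (not code from the original article or from any particular vendor) that models a small ePHI store enforcing four of the controls named above: unique user IDs with role-based access, automatic logoff after an idle timeout, a hash-chained audit trail, and an HMAC integrity tag on every record so that tampering is detected on read. The key, the timeout value, the roles, the record contents and the user names are all constructed for the demonstration; encryption at rest and in transit is assumed to be handled by the storage and transport layers and is not shown.

```python
import hashlib
import hmac
import json

# Constructed demo key: in a real system this comes from a key manager, never source code.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"
# Assumed policy value: auto-logoff after 15 minutes without activity.
SESSION_TIMEOUT_SECONDS = 900
# Constructed role-to-permission map (minimum necessary access).
ROLE_PERMISSIONS = {"physician": {"read", "write"}, "billing": {"read"}}
GENESIS = "0" * 64


class AuditLog:
    """Append-only audit trail; each entry's hash commits to the previous entry."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, action, record_id, outcome, now):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": now, "user": user_id, "action": action,
                 "record": record_id, "outcome": outcome, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)

    def verify_chain(self):
        """Recompute every hash and link; any edited or removed entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def integrity_tag(record_id, payload):
    # Bind the tag to the record id so a tag cannot be moved to another record.
    return hmac.new(INTEGRITY_KEY, record_id.encode() + b"\x00" + payload.encode(),
                    hashlib.sha256).hexdigest()


class EphiStore:
    def __init__(self, audit):
        self.records = {}   # record_id -> (payload, tag)
        self.sessions = {}  # user_id -> (role, last_activity)
        self.audit = audit

    def login(self, user_id, role, now):
        self.sessions[user_id] = (role, now)
        self.audit.record(user_id, "login", "-", "ok", now)

    def _authorize(self, user_id, permission, now):
        session = self.sessions.get(user_id)
        if session is None:
            return "no-session"
        role, last_activity = session
        if now - last_activity > SESSION_TIMEOUT_SECONDS:
            del self.sessions[user_id]  # automatic logoff of the idle session
            self.audit.record(user_id, "auto-logoff", "-", "ok", now)
            return "timed-out"
        self.sessions[user_id] = (role, now)
        return "ok" if permission in ROLE_PERMISSIONS.get(role, set()) else "forbidden"

    def write(self, user_id, record_id, payload, now):
        outcome = self._authorize(user_id, "write", now)
        if outcome == "ok":
            self.records[record_id] = (payload, integrity_tag(record_id, payload))
        self.audit.record(user_id, "write", record_id, outcome, now)
        return outcome

    def read(self, user_id, record_id, now):
        payload = None
        outcome = self._authorize(user_id, "read", now)
        if outcome == "ok":
            stored = self.records.get(record_id)
            if stored is None:
                outcome = "not-found"
            elif not hmac.compare_digest(stored[1], integrity_tag(record_id, stored[0])):
                outcome = "integrity-failure"  # payload changed without a valid tag
            else:
                payload = stored[0]
        self.audit.record(user_id, "read", record_id, outcome, now)
        return outcome, payload


def run_demo():
    """Walk through the constructed scenario and return the observed outcomes."""
    t0 = 1_000_000
    audit = AuditLog()
    store = EphiStore(audit)
    store.login("dr_smith", "physician", t0)
    store.login("bill_jones", "billing", t0)
    results = {}
    results["write_by_physician"] = store.write("dr_smith", "pt-0001", "constructed: allergy=penicillin", t0 + 10)
    results["read_by_billing"] = store.read("bill_jones", "pt-0001", t0 + 20)
    results["write_by_billing"] = store.write("bill_jones", "pt-0001", "constructed: altered", t0 + 30)
    results["read_after_idle"] = store.read("dr_smith", "pt-0001", t0 + 2000)  # idle > timeout
    # Simulate direct tampering with stored data that bypasses the write path.
    store.records["pt-0001"] = ("constructed: altered", store.records["pt-0001"][1])
    store.login("dr_smith", "physician", t0 + 2010)
    results["read_tampered"] = store.read("dr_smith", "pt-0001", t0 + 2020)
    results["chain_valid_before"] = audit.verify_chain()
    audit.entries[2]["outcome"] = "denied"  # simulate editing the audit trail after the fact
    results["chain_valid_after"] = audit.verify_chain()
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Each access attempt, whether it succeeds, is forbidden, or fails the integrity check, lands in the audit log, which is what a reviewer later needs in order to reconstruct who touched which record and when. The chain verification in the demo is deliberately simple; in production the log would be shipped to a separate, write-once system so that an attacker who controls the application server cannot rewrite the chain from its first entry.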
The HIPAA Security Rule may seem quite complicated, but it is one of the most critical elements of HIPAA law. It emphasizes the importance of being diligent when safeguarding patient information.
While the Security Rule gives organizations the freedom to establish the specific policies and procedures that suit them, it is vital to follow all requirements under this Rule.
Avoid hefty fines by implementing comprehensive policies and procedures to direct your employees to use and protect ePHI appropriately.
We hope that this article has helped you better understand the steps you need to take to ensure that you have proper safeguards.