Whereas the HIPAA Privacy Rule provides guidance on how PHI may be stored, maintained, and transmitted (i.e., either on paper, orally, or electronic) in order to protect the sensitive nature of PHI, the Security Rule is concerned with ensuring that appropriate and reasonable safeguards are in place in order to prevent a breach of patients’ electronic protected health information, or ePHI.
Specifically, the Security Rule focuses on the implementation of various security standards that establish safeguards for ePHI, including Administrative, Physical, and Technical components.
Security Rule Standards
These three standards around the Security Rule are actionable. This means that when a doctor decides to integrate technology into clinical practice, the standards should be applied to the use of that technology, “appropriately and reasonably.”
Administrative
The Security Rule defines Administrative Safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” These includes standards around:
- Security Management Process (including risk analysis and risk management);
- Assigned Security Responsibility(e.g., identifying a security officer for your practice);
- Workforce Security (e.g., identifying who in the practice needs access to different types of ePHI to carry out their specific duties);
- Information Access Management, which is closely related to the Assigned Security Responsibilitystandard, but provides additional guidance on implementing specific role-based access to or barriers to patients ePHI;
- Security Awareness and Training, which includes establishing protection from malicious software, password management, etc.;
- Security Incident Procedures, to establish policies and procedures for when the security of ePHI is compromised;
- a Contingency Plan, for when there is an emergency, power outage, or disaster that places ePHI at risk;
- Evaluation, which requires CEs to regularly determine if their administrative safeguards adequately protect ePHI;
- and finally, a standard around Business Associate Contracts and Other Arrangements, which offer guidance on how contracted third parties handle ePHI on the CE’s behalf.
Physical
The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” These include standards around:
- Facility Access Controls, which determines who has access to the physical premises where the electronic records are maintained;
- Workstation Use, which requires CEs to specify what functions related to access to ePHI can be completed at specific work stations within a practice;
- Workstation Security, which is concerned with ensuring that appropriate physical safeguards are in place at designated workstations, such as keeping the workstation in a secure room/area (e.g., in a nurse’s station);
- Device and Media Controls, which requires CEs to implement practices that determine how hardware containing ePHI is disposed of, backed-up, repurposed, or transported from a facility;
Technical
The Security Rule defines technical safeguards as “the technology and policy and procedures for its use that protect electronic protected health information and control access to it.” While the Security Rule does not require specific technology solutions, its focus (like the other standards) is to help CEs to identify reasonable and appropriate security measures based on certain standards, specifically:
Access Control, or, using certain technological specifications to determine who in the practice is able to read, write, modify, or communicate data using any electronic system’s resources. These must be implemented via the following specifications:
- Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity;
- Emergency Access Procedure: Establish procedures for obtaining necessary protected health information during an emergency;
- Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity;
- Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI;
Audit Controls, or, using hardware or software or office procedures that record and examine activity in information systems that contain or use ePHI. Different systems possess varying capabilities to audit activity, but establishing basic audit controls or protocols can help to identify possible security violations.
Integrity, requiring CEs to implement policies and procedures to protect ePHI from “improper alteration or destruction.
- As a part of this process, CEs must identify or create a Mechanism to Authenticate ePHI as a part of the Security Risk Analysis to ensure that ePHI is not altered or destroyed in order to ensure its integrity.
Transmission Security, where CEs must implement technical security measures to protect against unauthorized access to ePHI that is “transmitted over an electronic communications network.” Networks covered under transmission security include e-mail, over the Internet, or through private point-to-point networks. To implement the Transmission Security Standard, the CE must take into consideration the Integrity and Encryption standards discussed above.