HIPAA Security Rule
In order to safeguard patient health data, the US Department of Health and Human Services (HHS) was directed, under Title II of HIPAA, to develop a series of guidelines and standards. In addition, HHS issued two rules to ensure these guidelines and standards were clear and effective. Today they are known as the HIPAA Privacy Rule and the HIPAA Security Rule.
As its title suggests, the HIPAA Security Rule was created to define the exact stipulations required to safeguard electronic Protected Health Information (ePHI). In other words, the Security Rule regulates how this information is stored, secured, and transmitted between electronic devices.
Let’s take a closer look at the HIPAA Security Rule and what it entails…
Who Needs to Follow The HIPAA Security Rule?
Organizations that store, process, and/or transmit ePHI are required to implement security controls and comply with the HIPAA Security Rule. Both covered entities and business associates are responsible for appropriately safeguarding patient information.
This means that healthcare providers, software vendors, and startups that work with electronic protected health information (ePHI) must address the HIPAA Security Rule standards in order to maintain HIPAA compliance.
Security Standards for the HIPAA Security Rule
There are three categories of standard protections that need to be assessed when it comes to implementing the measures of the HIPAA Security Rule. They are as follows:
Physical Safeguards for PHI
Physical safeguards refer to how physical controls are applied to the facilities and digital devices that store ePHI, including:
- Who has access to hardware: employees must hold the appropriate level of authorization to access ePHI, so this safeguard ensures that only authorized personnel are granted physical access
- How employee workstations access PHI and are secured
- How third-party IT professionals are trained when it comes to accessing and repairing in-scope equipment containing ePHI
- How old or faulty equipment is disposed of and replaced
Organizations utilizing public cloud platforms such as Amazon Web Services (AWS) and Microsoft Azure will see many physical security standards within their signed BAA. The Business Associate Agreement (BAA) outlines HIPAA Security Rule responsibilities and will define how the cloud provider addresses many physical safeguards.

| Section | Standard / Implementation Specification |
| --- | --- |
| 164.310(a)(1) | Facility Access Controls |
| 164.310(a)(2)(i) | Contingency Operations |
| 164.310(a)(2)(ii) | Facility Security Plan |
| 164.310(a)(2)(iii) | Access Control Validation Procedures |
| 164.310(a)(2)(iv) | Maintenance Records |
| 164.310(b) | Workstation Use |
| 164.310(c) | Workstation Security |
| 164.310(d)(1) | Device and Media Controls |
| 164.310(d)(2)(i) | Disposal |
| 164.310(d)(2)(ii) | Media Re-use |
| 164.310(d)(2)(iii) | Accountability |
| 164.310(d)(2)(iv) | Data Backup and Storage |
Technical Safeguards for PHI
Technical safeguards refer to the technical aspects of the networked computers and devices that transmit ePHI when communicating with each other, including network security, perimeter firewalls, access control, and authentication protocols.
Organizations should ensure they have developed proper security standards and have implemented appropriate processes to meet requirements including:
- Access control
- Encryption (at-rest and in-transit)
- Audit logging
- Networking and firewall
- Antivirus and intrusion detection
| Section | Standard / Implementation Specification |
| --- | --- |
| 164.312(a)(1) | Access Control |
| 164.312(a)(2)(i) | Unique User Identification |
| 164.312(a)(2)(ii) | Emergency Access Procedure |
| 164.312(a)(2)(iii) | Automatic Logoff |
| 164.312(a)(2)(iv) | Encryption and Decryption |
| 164.312(b) | Audit Controls |
| 164.312(c)(1) | Integrity |
| 164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information |
| 164.312(d) | Person or Entity Authentication |
| 164.312(e)(1) | Transmission Security |
| 164.312(e)(2)(i) | Integrity Controls |
| 164.312(e)(2)(ii) | Encryption |
Administrative Safeguards for PHI
Administrative safeguards cover how an enterprise creates and sets up its employee policies and procedures so that they comply with the Security Rule. Teams must establish administrative policies to meet the HIPAA Security Rule administrative safeguard requirements. Policies should address topics including:
- Employee training
- Security roles
- Incident and breach response
- Contingency planning
- System access
- Configuration management
Policies should be written in plain English and be understandable by employees. Additionally, teams should set realistic goals that fit the organization’s budget and capabilities. Security teams with unrealistic policies are less likely to enforce the security standards they set.

| Section | Standard / Implementation Specification |
| --- | --- |
| 164.308(a)(1) | Security Management Process |
| 164.308(a)(1)(ii)(D) | Assigned Security Responsibility |
| 164.308(a)(3) | Workforce Security |
| 164.308(a)(4) | Information Access Management |
| 164.308(a)(5) | Security Awareness Training |
| 164.308(a)(6) | Security Incident Procedures |
| 164.308(a)(7) | Contingency Plan |
| 164.308(a)(8) | Evaluation |
| 164.308(b) | Business Associate Contracts and Other Arrangements |
HIPAA Security Rule Checklist
Be sure to consider the following checklist to help you comply with the HIPAA Security Rule.
- Perform a complete risk assessment on existing infrastructure
- Safeguard machines with anti-virus protection, firewalls, access control, VPNs, SSL certificates, and related technologies
- Establish a daily backup system
- Develop disaster recovery and business continuity plans
- Adopt security policies and procedures for all of your operations, including confidentiality statements, individually identifying information of system users, passwords, automatic logoff, acceptable use, email and internet usage, authentication of workstations, monitoring and documenting unauthorized access, audit trails of users, sanctions for misuse or disclosure, and termination checklists
- Review physical security, address risks, and harden as necessary
- Write and provide job descriptions for Privacy Officer and Security Officer roles required by HIPAA
- Review and update administrative policies annually (at a minimum)
Not sure where to get started? Read the latest guide to Architecting for HIPAA compliance in the Cloud.
What Is A HIPAA Compliant Cloud?
Due to the recent growth of public cloud platforms and SaaS solutions, regulated industries, including the healthcare industry, have begun looking to cloud services and public cloud platforms as a means of managing applications and simplifying business operations.
Cloud computing allows an organization to quickly and efficiently deploy services, scale applications and workloads, and pay for resources as they are used. Many cloud service providers offer a set of HIPAA-eligible services, allowing you to build and manage a HIPAA security program without having to rely on on-premises servers or data center experts. Still, your team must ensure that all HIPAA safeguards are in place and that you meet your responsibilities under the cloud shared responsibility model.
Ultimately it is the responsibility of your team to ensure that HIPAA safeguards are properly configured across cloud services. For example, your team must encrypt data volumes, close ports to the public, and configure backup processes. While cloud platforms provide many of these options, it is up to your team to configure and verify that these HIPAA security safeguards are in place.
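The three configuration duties named above (encrypted data volumes, no ports open to the public, backups in place) are the kind of thing a team should verify continuously rather than once. The script below is an added example, not code from the original article or from Dash, that checks all three against data shaped like the responses of the AWS EC2 DescribeVolumes, DescribeSecurityGroups and DescribeSnapshots calls. It runs offline on constructed sample data; the one-day backup window and the allow-list of a single public TCP port (443) are assumed local policy, not HIPAA text, and the sample resource IDs are made up.

```python
from datetime import datetime, timedelta, timezone

# Assumed local policy (not HIPAA text): daily backups, and the only port an
# internet-facing service may expose is HTTPS.
MAX_BACKUP_AGE = timedelta(days=1)
ALLOWED_PUBLIC_TCP_PORTS = {443}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def unencrypted_volumes(volumes):
    """IDs of volumes that are not encrypted at rest (164.312(a)(2)(iv))."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]


def public_ingress(security_groups):
    """Ingress rules reachable from the whole internet, except allow-listed ports.

    A rule with IpProtocol "-1" (all traffic) carries no port fields and is
    always flagged when its source is a public CIDR.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            single_allowed = proto == "tcp" and lo == hi and lo in ALLOWED_PUBLIC_TCP_PORTS
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in PUBLIC_CIDRS and not single_allowed:
                    findings.append({"group": sg["GroupId"], "protocol": proto,
                                     "from_port": lo, "to_port": hi, "cidr": cidr})
    return findings


def volumes_without_recent_backup(volumes, snapshots, now):
    """Volumes with no completed snapshot newer than MAX_BACKUP_AGE (164.310(d)(2)(iv))."""
    latest = {}
    for snap in snapshots:
        if snap.get("State") != "completed":  # pending snapshots do not count
            continue
        vid = snap["VolumeId"]
        if vid not in latest or snap["StartTime"] > latest[vid]:
            latest[vid] = snap["StartTime"]
    cutoff = now - MAX_BACKUP_AGE
    return [v["VolumeId"] for v in volumes
            if v["VolumeId"] not in latest or latest[v["VolumeId"]] < cutoff]


def audit(volumes, security_groups, snapshots, now):
    """Run all three checks; 'compliant' is True only when every list is empty."""
    report = {
        "unencrypted_volumes": unencrypted_volumes(volumes),
        "public_ingress": public_ingress(security_groups),
        "stale_backups": volumes_without_recent_backup(volumes, snapshots, now),
    }
    report["compliant"] = not any(report.values())
    return report


# Constructed sample data (fictional IDs) in the shape boto3's describe_* calls return.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
]
SAMPLE_SNAPSHOTS = [
    {"VolumeId": "vol-0aaa", "State": "completed", "StartTime": NOW - timedelta(hours=6)},
    {"VolumeId": "vol-0bbb", "State": "completed", "StartTime": NOW - timedelta(days=3)},
    {"VolumeId": "vol-0bbb", "State": "pending", "StartTime": NOW - timedelta(hours=1)},
]
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_VOLUMES, SAMPLE_SECURITY_GROUPS, SAMPLE_SNAPSHOTS, NOW),
                     indent=2, default=str))
```

On the sample data the report flags vol-0bbb twice (unencrypted, and its only completed snapshot is three days old) and the SSH rule open to 0.0.0.0/0, while the HTTPS rule and the database rule restricted to 10.0.0.0/8 pass. To run it against a real account, replace the sample lists with the `Volumes`, `SecurityGroups` and `Snapshots` keys of the corresponding boto3 `describe_*` responses; the check logic needs no change because it only reads the fields shown.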
Dash and the HIPAA Security Rule
The above is just a taste of what to expect when it comes to complying with HIPAA. If the requirements put in place by HIPAA and enforced by HHS seem intimidating — that’s because they are supposed to be. Their effectiveness depends on them being that way.
Trying to tackle a responsibility as massive as HIPAA on your own can be excruciatingly difficult — that’s where Dash can help. Featuring an in-house team of compliance and cloud experts, Dash provides HIPAA cloud solutions, enabling organizations to comfortably configure and manage HIPAA in Amazon Web Services — the market-leading cloud platform.
For any more questions surrounding the HIPAA Security Rule, head on over to Dash ComplyOps and request a demo. Dash deploys to your cloud environment and assists teams by providing compliance management solutions, including administrative policies, cloud security controls, and policy enforcement, to make it easy to maintain compliance.