HIPAA Security Standards Matrix

The Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting electronic protected health information (ePHI). Specifically, covered entities and business associates must:

  • Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain, or transmit
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information
  • Protect against reasonably anticipated, impermissible uses or disclosures
  • Ensure compliance by their workforce

The Security Rule gives the following definitions:

  • Confidentiality: Ensuring ePHI is not available or disclosed to unauthorized persons
  • Integrity: Ensuring ePHI is not altered or destroyed in an unauthorized manner
  • Availability: Ensuring ePHI is accessible and usable on demand by an authorized person

The United States Department of Health and Human Services (HHS) recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore, the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. When a covered entity or business associate is deciding which security measures to use, the Security Rule does not dictate those measures, but requires the consideration of the following:

  • Size, complexity and capabilities
  • Technical, hardware and software infrastructure
  • The costs of security measures
  • Likelihood and possible impact of potential risks to ePHI

Additional points to note:

  • The Omnibus Final Rule did not rewrite the HIPAA Security Rule, and any reference to a covered entity or covered entities now also applies to business associates for the purpose of complying with the standards.
    • The Security Rule must be addressed by both the covered entity and business associate.
  • Simply stating an organization cannot afford to implement the standards of the HIPAA Security Rule is not acceptable.
    • This response may expose the organization to data breaches, fines and government mandated remediation plans.

Understanding the HIPAA Security Rule

Administrative Safeguards

Administrative safeguards are administrative actions, policies and procedures put in place to manage the selection, development, implementation, and maintenance of security measures. These protect electronic protected health information (ePHI) and manage the conduct of the organization’s workforce in relation to the protection of that information. The administrative safeguards comprise over half of the HIPAA security requirements. It is crucial to protect ePHI by implementing reasonable and appropriate administrative safeguards that establish the foundation for the organization’s security program. The Administrative Safeguards standards in the Security Rule, at §164.308, were developed to accomplish this purpose.

HIPAA Citation: 164.308(a)(1)(i)
HIPAA Security Rule Standard: Security Management Process
Implementation Specification: Implement policies and procedures to prevent, detect, contain, and correct security violations.


HIPAA Citation: 164.308(a)(1)(ii)(A)
HIPAA Security Rule Standard: Risk Analysis | Required
Implementation Specification: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) held by the organization.


HIPAA Citation: 164.308(a)(1)(ii)(B)
HIPAA Security Rule Standard: Risk Management | Required
Implementation Specification: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level in order to comply with §164.306. Factors identified in §164.306 include:

  • The size, complexity, capability of the covered entity
  • The covered entity’s technical infrastructure
  • The costs of security measures
  • The probability and criticality of potential risks to ePHI

HIPAA Citation: 164.308(a)(1)(ii)(C)
HIPAA Security Rule Standard: Sanction Policy | Required
Implementation Specification: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.


HIPAA Citation: 164.308(a)(1)(ii)(D)
HIPAA Security Rule Standard: Information System Activity Review | Required
Implementation Specification: Implement procedures to regularly review records of information system activity, such as audit logs, access logs, access reports, and security incident tracking reports.


HIPAA Citation: 164.308(a)(2)
HIPAA Security Rule Standard: Assigned Security Responsibility | Required
Implementation Specification: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.


HIPAA Citation: 164.308(a)(3)(i)
HIPAA Security Rule Standard: Workforce Security | Addressable
Implementation Specification: Implement policies and procedures to ensure that all members of the workforce have appropriate access to ePHI, as provided under the Information Access Management standard, and to prevent those who do not have appropriate access from obtaining access to ePHI. Policies and procedures should include Authorization and/or Supervision procedures, a Workforce Clearance Procedure, and Termination Procedures.


HIPAA Citation: 164.308(a)(3)(ii)(A)
HIPAA Security Rule Standard: Authorization and/or Supervision | Addressable
Implementation Specification: Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.


HIPAA Citation: 164.308(a)(3)(ii)(B)
HIPAA Security Rule Standard: Workforce Clearance Procedure | Addressable
Implementation Specification: Implement procedures to determine that the access of a workforce member (employee or computing device) to ePHI is appropriate.


HIPAA Citation: 164.308(a)(3)(ii)(C)
HIPAA Security Rule Standard: Termination Procedures | Addressable
Implementation Specification: Ensure that access to ePHI is terminated as soon as possible when a workforce member’s employment ends.


HIPAA Citation: 164.308(a)(4)(i)
HIPAA Security Rule Standard: Information Access Management
Implementation Specification: Implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of the Privacy Rule.
Policies and procedures should include: Isolating Health Care Clearinghouse Functions, Access Authorization, and Access Establishment and Modification.


HIPAA Citation: 164.308(a)(4)(ii)(A)
HIPAA Security Rule Standard: Isolating Health Care Clearinghouse Functions | Required
Implementation Specification: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization.


HIPAA Citation: 164.308(a)(4)(ii)(B)
HIPAA Security Rule Standard: Access Authorization | Addressable
Implementation Specification: Implement policies and procedures for granting access to ePHI, for example through access to a workstation, transaction, program, process, or other mechanism.


HIPAA Citation: 164.308(a)(4)(ii)(C)
HIPAA Security Rule Standard: Access Establishment and Modification | Addressable
Implementation Specification: Policies and Procedures are implemented that include establishing, documenting, reviewing, and modifying a user’s right of access to a workstation, transaction, program, or process that are based upon the access authorization policies.


HIPAA Citation: 164.308(a)(5)(i)
HIPAA Security Rule Standard: Security Awareness Training
Implementation Specification: Implement a security awareness and training program for all members of the workforce (including management). Components of the Security Awareness and Training program should include Security Reminders, Protection from Malicious Software, Log-in Monitoring, and Password Management.

HIPAA Citation: 164.308(a)(5)(ii)(A)
HIPAA Security Rule Standard: Security Reminders | Addressable
Implementation Specification: Periodic security updates.


HIPAA Citation: 164.308(a)(5)(ii)(B)
HIPAA Security Rule Standard: Protection from Malicious Software | Addressable
Implementation Specification: Implement procedures for guarding against, detecting, and reporting malicious software.


HIPAA Citation: 164.308(a)(5)(ii)(C)
HIPAA Security Rule Standard: Log-in Monitoring | Addressable
Implementation Specification: Implement procedures for monitoring log-in attempts and reporting discrepancies.


HIPAA Citation: 164.308(a)(5)(ii)(D)
HIPAA Security Rule Standard: Password Management | Addressable
Implementation Specification: Implement procedures for creating, changing, and safeguarding passwords.


HIPAA Citation: 164.308(a)(6)(i)
HIPAA Security Rule Standard: Security Incident Procedures | Required
Implementation Specification: Implement policies and procedures to address security incidents. Policies and procedures should include Response and Reporting.


HIPAA Citation: 164.308(a)(6)(ii)
HIPAA Security Rule Standard: Response and Reporting | Required
Implementation Specification: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.


HIPAA Citation: 164.308(a)(7)(i)
HIPAA Security Rule Standard: Contingency Plan | Required
Implementation Specification: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.


HIPAA Citation: 164.308(a)(7)(ii)(A)
HIPAA Security Rule Standard: Data Backup Plan | Required
Implementation Specification: Implement procedures to create and maintain retrievable exact copies of ePHI.


HIPAA Citation: 164.308(a)(7)(ii)(B)
HIPAA Security Rule Standard: Disaster Recovery Plan | Required
Implementation Specification: Establish and implement procedures to restore any loss of data.


HIPAA Citation: 164.308(a)(7)(ii)(C)
HIPAA Security Rule Standard: Emergency Mode Operation Plan | Required
Implementation Specification: Establish and implement procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.


HIPAA Citation: 164.308(a)(7)(ii)(D)
HIPAA Security Rule Standard: Testing and Revision Procedures | Addressable
Implementation Specification: Implement procedures for periodic testing and revision of contingency plans.


HIPAA Citation: 164.308(a)(7)(ii)(E)
HIPAA Security Rule Standard: Applications and Data Criticality Analysis | Addressable
Implementation Specification: Assess the relative criticality of specific applications and data in support of other contingency plan components.


HIPAA Citation: 164.308(a)(8)
HIPAA Security Rule Standard: Evaluation
Implementation Specification: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.


HIPAA Citation: 164.308(b)(1)
HIPAA Security Rule Standard: Business Associate Contracts and Other Arrangements | Required
Implementation Specification: A covered entity, in accordance with 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314 [the Organizational Requirements], that the business associate will appropriately safeguard the information.


HIPAA Citation: 164.308(b)(4)
HIPAA Security Rule Standard: Written Contract or Other Arrangement | Required
Implementation Specification: Document the satisfactory assurances required by paragraph (b)(1) [Business Associate Contracts and Other Arrangements] of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 164.314(a) [the Organizational Requirements].

Physical Safeguards

Physical safeguards are physical measures, policies and procedures put in place to protect an organization’s electronic information systems and related buildings and equipment from natural and environmental hazards, as well as unauthorized intrusion.

Physical safeguards are the mechanisms required to protect electronic systems and equipment, as well as the data they hold from threats, environmental hazards and unauthorized intrusion. Physical Safeguards include restricting access to ePHI and retaining computer backups.

HIPAA Citation: 164.310(a)(1)
HIPAA Security Rule Standard: Facility Access Controls
Implementation Specification: Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.


HIPAA Citation: 164.310(a)(2)(i)
HIPAA Security Rule Standard: Contingency Operations | Addressable
Implementation Specification: Implement procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.


HIPAA Citation: 164.310(a)(2)(ii)
HIPAA Security Rule Standard: Facility Security Plan | Addressable
Implementation Specification: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.


HIPAA Citation: 164.310(a)(2)(iii)
HIPAA Security Rule Standard: Access Control and Validation Procedures | Addressable
Implementation Specification: Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.


HIPAA Citation: 164.310(a)(2)(iv)
HIPAA Security Rule Standard: Maintenance Records | Addressable
Implementation Specification: Implement policies and procedures to document repairs and modification to the physical components of a facility that are related to security.


HIPAA Citation: 164.310(b)
HIPAA Security Rule Standard: Workstation Use
Implementation Specification: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

HIPAA Citation: 164.310(c)
HIPAA Security Rule Standard: Workstation Security
Implementation Specification: Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.


HIPAA Citation: 164.310(d)(1)
HIPAA Security Rule Standard: Device and Media Controls
Implementation Specification: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.


HIPAA Citation: 164.310(d)(2)(i)
HIPAA Security Rule Standard: Disposal | Required
Implementation Specification: Implement policies and procedures to address final disposition of ePHI, and/or the hardware or electronic media on which it is stored.


HIPAA Citation: 164.310(d)(2)(ii)
HIPAA Security Rule Standard: Media Reuse | Required
Implementation Specification: Implement procedures for the removal of ePHI from electronic media before the media are made available for re-use.


HIPAA Citation: 164.310(d)(2)(iii)
HIPAA Security Rule Standard: Accountability | Addressable
Implementation Specification: Maintain a record of the movements of hardware and electronic media and any person responsible therefor.


HIPAA Citation: 164.310(d)(2)(iv)
HIPAA Security Rule Standard: Data Backup and Storage | Addressable
Implementation Specification: Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

Technical Safeguards

Technical safeguards are the technology and the policy and procedures put in place to protect ePHI and control access to it. They include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted.

HIPAA Citation: 164.312(a)(1)
HIPAA Security Rule Standard: Access Control
Implementation Specification: Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) [Information Access Management].


HIPAA Citation: 164.312(a)(2)(i)
HIPAA Security Rule Standard: Unique User Identification | Required
Implementation Specification: Assign a unique name and/or number for identifying and tracking user identity.


HIPAA Citation: 164.312(a)(2)(ii)
HIPAA Security Rule Standard: Emergency Access Procedure | Required
Implementation Specification: Establish procedures for obtaining necessary electronic protected health information during an emergency.


HIPAA Citation: 164.312(a)(2)(iii)
HIPAA Security Rule Standard: Automatic Logoff | Addressable
Implementation Specification: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.


HIPAA Citation: 164.312(a)(2)(iv)
HIPAA Security Rule Standard: Encryption and Decryption | Addressable
Implementation Specification: Implement procedures that specify a mechanism to encrypt and decrypt ePHI.


HIPAA Citation: 164.312(b)
HIPAA Security Rule Standard: Audit Controls
Implementation Specification: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

HIPAA Citation: 164.312(c)(1)
HIPAA Security Rule Standard: Integrity | Addressable
Implementation Specification: Implement policies and procedures to protect ePHI from improper alteration or destruction.


HIPAA Citation: 164.312(c)(2)
HIPAA Security Rule Standard: Mechanism to Authenticate Electronic Protected Health Information | Addressable
Implementation Specification: Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.


HIPAA Citation: 164.312(d)
HIPAA Security Rule Standard: Person or Entity Authentication
Implementation Specification: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.


HIPAA Citation: 164.312(e)(1)
HIPAA Security Rule Standard: Transmission Security
Implementation Specification: Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.


HIPAA Citation: 164.312(e)(2)(i)
HIPAA Security Rule Standard: Integrity Controls | Addressable
Implementation Specification: Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.


HIPAA Citation: 164.312(e)(2)(ii)
HIPAA Security Rule Standard: Encryption | Addressable
Implementation Specification: Implement a mechanism to encrypt ePHI whenever deemed appropriate.

Organizational Requirements

The Organizational Requirements consist of four standards (plus additional Implementation Specifications), found at 45 CFR § 164.314 and § 164.316, that must be implemented to achieve compliance.

The four standards covered in the Organizational Requirements are Business Associate Contracts or Other Arrangements, Requirements for Group Health Plans, Policies and Procedures and Documentation. Compliance is required for all aspects of the Organizational Requirements that do apply to the organization.

When a covered entity and its business associate are both government entities, an “other arrangement” such as a memorandum of understanding is sufficient, provided it contains the provisions required by HIPAA. The termination provisions may be omitted if they are inconsistent with the statutory obligations of the parties.

HIPAA Citation: 164.314(a)(1)
HIPAA Security Rule Standard: Business associate contracts or other arrangements
Implementation Specification: A covered entity is not in compliance with the standards in § 164.502(e) if the covered entity knew of a pattern of an activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (A) terminated the contract or arrangement, if feasible; or (B) if termination is not feasible, reported the problem to the Secretary.


HIPAA Citation: 164.314(a)(2)(i)
HIPAA Security Rule Standard: Business Associate Contracts | Required
Implementation Specification: A business associate contract must provide that the business associate will: “Implement safeguards that protect the confidentiality, integrity, and availability of the electronic protected health…” AND “Report to the covered entity any security incident of which it becomes aware; Authorize termination of the contract, if the covered entity determines that the business associate has violated a material term of the contract.”


HIPAA Citation: 164.314(a)(2)(ii)
HIPAA Security Rule Standard: Other Arrangement | Required
Implementation Specification: The Other Arrangements implementation specifications provide that when a covered entity and its business associate are both government entities, the covered entity may comply with the standard in either of two alternative ways.


HIPAA Citation: 164.314(b)(1)
HIPAA Security Rule Standard: Requirements for Group Health Plans | Required
Implementation Specification: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to §164.504(f)(1)(ii) or (iii), or as authorized under §164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.


HIPAA Citation: 164.314(b)(2)
HIPAA Security Rule Standard: Implementation Specifications
Implementation Specification: The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to:

  • (i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
  • (iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
  • (iv) Report to the group health plan any security incident of which it becomes aware.

HIPAA Citation: 164.316(a)
HIPAA Security Rule Standard: Policies and Procedures
Implementation Specification: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach]. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.


HIPAA Citation: 164.316(b)(1)
HIPAA Security Rule Standard: Documentation
Implementation Specification: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.


HIPAA Citation: 164.316(b)(1)(i)
HIPAA Security Rule Standard: Time Limit | Required
Implementation Specification: Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.


HIPAA Citation: 164.316(b)(1)(ii)
HIPAA Security Rule Standard: Availability | Required
Implementation Specification: Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.


HIPAA Citation: 164.316(b)(1)(iii)
HIPAA Security Rule Standard: Updates | Required
Implementation Specification: Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the ePHI.