Decrypted | Insights from Virtru to Unlock New Ideas

The HIPAA Security Rule: Understanding Compliance & Risk Assessment

Written by Editorial Team | Jul 2, 2020 7:14:28 PM

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 for the purpose of improving efficiencies in the healthcare system. Nearly 30 years later, HIPAA compliance is still a top concern for healthcare providers. Maintaining HIPAA compliance not only allows providers to avoid hefty penalties and fines, but also to preserve patient privacy and ultimately provide better care outcomes. However, some healthcare providers don’t know where to start with HIPAA compliance. One of the questions we hear often is “What is the HIPAA Security Rule and how can I stay compliant?” 

So, let’s take a look at the HIPAA Security Rule and compliance requirements.

What is the HIPAA Security Rule and Why is it Important?

In 2003, the Department of Health and Human Services (HHS) developed guidelines for managing patient data. Along with the guidelines and standards, HHS implemented two rules: the HIPAA Security Rule and the HIPAA Privacy Rule. 

  • The HIPAA Privacy Rule focuses on the rights of the patient and their ability to control their personal health information (PHI) by setting the standard for, among other things, who may have access to PHI. The Privacy Rule covers the physical security and confidentiality of PHI in all formats including electronic, paper, and oral. 
  • The HIPAA Security Rule only deals with the protection of electronic PHI (ePHI) that is created, received, maintained or transmitted. Covered entities (CEs) are required to implement adequate physical, technical and administrative safeguards to protect patient ePHI, for example when sharing via email or storing on the cloud. More on these safeguards below.

Covered entities include insurance providers, third-party billing partners, and health plans. Additionally, all business associates (BAs) must comply with these guidelines. BAs include vendors or third-party individuals who come into contact with patient data. 

What Are the Three Standards of the HIPAA Security Rule?

A good place to start is with the three standards in the HIPAA Security Rule—administrative, technical, and physical safeguards—all of which are intended to help CEs and BAs protect patient data.

Administrative Safeguards

The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” Administrative safeguards include:

  • Performing a risk analysis.
  • Employee training.
  • Security policies and procedures.
  • Business associate agreements.

Physical Safeguards

The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Physical safeguards include:

  • Facility access controls that limit physical access to facilities to authorized users.
  • Workstation use policies that determine appropriate use of workstations, such as laptops.
  • Workstation security measures that limit access to workstations to authorized users.
  • Device and media controls that govern how hardware and electronic media that contain ePHI enter or exit the facility.

Technical Safeguards

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Technical safeguards include: 

  • Access Control.
  • Audit Controls.
  • Integrity Controls.
  • Transmission Security.

Because rapid access to PHI is crucial to fulfilling the mission of healthcare provider organizations, and sharing medical records via email and files is often the path of least resistance, IT teams need to be aware of how the HIPAA Security Rule pertains to email and file systems. Three of the technical safeguards listed above apply most directly to email and files: 

  • Access controls encompass privileges for employees of covered entities to access PHI to perform their job functions using information systems, applications, programs, or files.
  • Audit controls include technology and processes that support the analysis of activity in information systems that contain or use ePHI. These controls are especially relevant for determining whether data has been breached and assessing the impact.
  • Transmission security refers to technical measures to protect against unauthorized access to PHI transmitted electronically, including integrity controls that prevent improper modification of PHI and encryption that protects PHI from access by unauthorized third parties.

How to Improve Your Security Posture and Ensure Compliance with the HIPAA Security Rule

1. Conduct a Risk Assessment

To help maintain HIPAA compliance, schedule an internal risk assessment or risk analysis. Conduct this every year to help your organization better understand how your ePHI and PHI may be at risk. This forward-thinking approach can help you avoid data breaches, fines, and penalties.

Here are a few steps to help you start your HIPAA risk assessment: 

  1. Identify the scope by defining PHI flow in your environment. Understand how patient data flows throughout your organization. If you know where your data is housed, transmitted, stored, and used, you’ll be better positioned to then consider all risks to PHI. 
  2. Identify vulnerabilities, threats and risks. Once you’ve defined how PHI flows throughout your organization, you must then identify any vulnerabilities that exist in the system, for example weak passwords or the lack of an office security policy. Then, identify what threats (internal and/or external) exist for each of those vulnerabilities, for example accidentally sending PHI to the wrong person and not being able to revoke access to it. Finally, determine the probability of each threat exploiting a specific vulnerability; this probability is the risk. 
  3. Analyze HIPAA risk level and potential impact. The list of risks you identify in the previous step is likely pretty lengthy. So, to identify your risk level, you should look at the likelihood of occurrence and potential impact to your business—patients included. This will help you prioritize where to focus your resources for strengthening security.
  4. Begin mitigating risks based on risk level. Start with your highest risk items and identify the required security measures to address them. As an example, you may find that employees are frequently emailing with other providers throughout the course of care and only relying on the email provider’s encryption to secure any data—notably, PHI—being shared. To address this risk, an additional layer of encryption at the object level is necessary to ensure that PHI shared via email is not compromised by unauthorized access.
  5. Document your risk analysis. Documentation of your risk analysis is crucial in the event of an audit. The HHS will want to see that you’ve done a thorough analysis and will want to see documentation of such. Additionally, they will want to see your risk management plan, and monthly progress against the plan. 
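The five steps above can be carried out as a simple risk register: each entry records an asset in scope, a vulnerability, the threat that could exploit it, a likelihood and an impact rating, and the planned mitigation, and the register is sorted so the highest-scoring items are addressed first and rendered as documentation. The code below is an added illustration, not Virtru's or HHS's tooling; the 1-5 rating scales, the high/medium/low thresholds and the sample entries (built from the vulnerabilities and threats this post names) are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scales. HIPAA does not prescribe a scale; this is a
# constructed convention so that risk = likelihood x impact is comparable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str            # where ePHI is stored or flows (step 1: scope)
    vulnerability: str    # weakness in the system (step 2)
    threat: str           # what could exploit that weakness (step 2)
    likelihood: str       # probability the threat exploits the vulnerability (step 2)
    impact: str           # consequence to patients and the business (step 3)
    mitigation: str = ""  # planned safeguard, filled in during step 4

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def level(self) -> str:
        # Constructed thresholds on the 1-25 product.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Steps 3-4: order the register so the highest-risk items are handled first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def risk_register_report(risks: list[Risk]) -> str:
    """Step 5: render the register as a table an auditor could review."""
    lines = ["asset | vulnerability | threat | likelihood | impact | score | level | mitigation"]
    for r in prioritize(risks):
        lines.append(f"{r.asset} | {r.vulnerability} | {r.threat} | {r.likelihood} | "
                     f"{r.impact} | {r.score} | {r.level} | {r.mitigation or 'TBD'}")
    return "\n".join(lines)


# Constructed sample register using the examples the post itself gives.
SAMPLE_REGISTER = [
    Risk("email", "PHI protected only by the email provider's encryption",
         "message sent to the wrong recipient with no way to revoke access",
         "likely", "major", "object-level encryption with revocable access"),
    Risk("workstations", "weak passwords", "credential guessing by an outsider", "possible", "major"),
    Risk("office", "no office security policy", "visitor reaches a logged-in workstation", "possible", "moderate"),
]
```

Entries with no mitigation render as TBD, which is exactly the gap an auditor reviewing the risk management plan would flag.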

2. Implement Technical Safeguards Following Completion of a Risk Assessment

Health IT security best practices have evolved beyond traditional perimeter-based, network-level protections to embrace data-centric security approaches. Data-centric security encompasses data control, or the ability to apply persistent security policies, regardless of location, device type, or hosting model, and intelligence, which refers to the real-time visibility of contextual information that enables threat monitoring and incident response workflows. 

Data-centric security closely aligns with the HIPAA Security Rule’s technical safeguards for email and files mentioned above. Data control ensures that access controls and transmission security safeguards, via encryption and security policies, accompany PHI wherever it’s shared. Intelligence covers audit controls via persistent visibility over who has accessed data, when, where, and how. 

But the power of data-centric security exceeds these minimum HIPAA compliance safeguards. Security that protects PHI shared via email and files across disparate healthcare environments ensures patient privacy, which helps cultivate relationships that lead to better care outcomes. 

Virtru for HIPAA Compliance 

The Virtru Data Security Platform has helped thousands of healthcare organizations with HIPAA compliance and patient confidentiality. Organizations that leverage Virtru to protect email and files avoid HIPAA noncompliance fines by keeping their PHI secure, wherever it’s shared. 

Virtru provides end-to-end encryption, granular access controls, and visibility to enable secure PHI sharing.

Learn more about how healthcare organizations can leverage Virtru’s data-centric solutions to protect patient data and maintain HIPAA compliance. Book a demo today.