HIPAA Security Rule

What is the HIPAA Security Rule?

NOTE: If you have a project or data storage / transfer need that involves protected data, or if you are not sure if you do, Start a Conversation with us so we can ensure you have the best resources and environment possible for your work.

--

The HIPAA Security Rule outlines national security standards intended to protect health data created, received, maintained, or transmitted electronically.

It basically says that any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

There are three parts to the HIPAA Security Rule:

1. Administrative Safeguards
2. Technical Safeguards
3. Physical Safeguards

HIPAA Administrative Safeguards

The administrative components are really important when implementing a HIPAA compliance program. You are required to:

1. Assign a privacy officer
2. Complete a risk assessment annually
3. Implement employee training
4. Review policies and procedures
5. Execute Business Associate Agreements (BAAs) with all partners who handle protected health information (PHI)

Companies who can help with the administrative components of a HIPAA compliance program:

• Accountable
• Compliance Helper 
• Compliancy Group

HIPAA Technical Safeguards

The technical safeguard requirements for HIPAA compliance are as follows. Be sure to see our note about the distinction between required and addressable safeguards below.

ePHI is electronic protected health information. Any time you're dealing with protected health information (PHI) you are governed by HIPAA laws.

• Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
• Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
• Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
• Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
• Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
• Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
• Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
• Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
• Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.

HIPAA Physical Safeguards

The Physical Safeguards requirements for HIPAA compliance document the access control and validation of people getting to the servers where ePHI is stored. It also details the requirements for the emergency recovery requirements and re-use and disposal of media that holds ePHI.

Learn more about HIPAA and HIPAA compliance (HHS.gov)