HIPAA Security Rule Part 2: General Data Security Rules for Electronic Protected Health Information

In part 1 of the HIPAA Security Rule blog series, we introduced you to healthcare data security basics, or in other words, what the HIPAA Security Rule is, what the primary objectives are, and what kind of information is protected by the HIPAA Security Rule. Below, and as part 2 of this series, we are going to dive into the general rules of the HIPAA Security Rule to help you start to understand exactly what you’ll need to do to meet healthcare data security requirements.

General Rules of the HIPAA Security Rule

The overarching rule of the HIPAA Security Rule is that covered entities must maintain reasonable and appropriate administrative, technical, and physical safeguards to protect electronic protected health information (e-PHI). Although the Security Rule does not apply to PHI transmitted orally or in writing, it does require that covered entities:

  1. Ensure the confidentiality (e-PHI is not available or disclosed to unauthorized persons), integrity (e-PHI is not altered or destroyed in an unauthorized manner), and availability (for an authorized person, e-PHI is accessible and usable on demand) of all e-PHI they create, receive, maintain, or transmit.
  2. Identify and protect against anticipated security threats that would compromise the integrity of the information.
  3. Protect against reasonably anticipated impermissible uses or disclosures.
  4. Ensure that the covered entity’s workforce is compliant.

Required Data Security Measures in the HIPAA Security Rule

Because the U.S. Department of Health and Human Services (HHS) recognizes that healthcare entities vary widely in size (from single providers to multi-state health plans) and in resources, it has left the Security Rule flexible and scalable. That means when an entity decides which data security measures to use, “the Rule does not dictate those measures.” However, the Security Rule does require that covered entities consider the following factors when choosing their data security measures:

  • Its own size, complexity, and capabilities.
  • Its technical, hardware, and software infrastructure.
  • The cost of the security measures.
  • The likelihood and possible impact of potential risks to e-PHI.

The Security Rule does require that covered entities comply with all Security Rule “Standards.” Some of these are considered “required,” while others are “addressable” (not optional, but entities may decide whether an implementation specification is appropriate for them or whether an alternative would be more suitable). With that in mind, here is a quick breakdown of what covered entities are required to do to maintain healthcare data security and protect e-PHI:

  1. Review and modify the chosen security measures to continue protecting e-PHI in the ever-changing electronic environment.
  2. Perform ongoing risk analyses, as part of the security management process, to evaluate and remedy risks to e-PHI. This also includes, but is not limited to, documenting, evaluating, and maintaining the information and data security measures that protect e-PHI and reduce risks to it.
  3. Create administrative safeguards to identify and analyze potential risks to e-PHI, as well as to reduce risks and vulnerabilities. This includes duties such as designating a security official in charge of developing and implementing data and information security policies and procedures, overseeing periodic assessments of data security policies, maintaining policies and procedures that govern authorized access, and training all workforce members on data security policies and procedures, as well as the penalties for violating them.
  4. Create physical safeguards that limit physical access to healthcare facilities (while still ensuring authorized access); appropriately address workstation, device, and electronic media security; and protect e-PHI during the transfer, removal, disposal, and re-use of electronic media.
  5. Create technical safeguards that not only allow authorized users to access e-PHI but also protect the integrity of the data while it is stored on or transmitted over an electronic network (this ensures that e-PHI is not improperly altered or destroyed). These safeguards involve implementing hardware, software, and/or procedural mechanisms that record and examine access and activity in information systems for audit purposes.
  6. Follow organizational requirements, including the covered entity’s responsibility to protect e-PHI and its business associate contracts.
  7. Follow and maintain documentation requirements and updates.

Please note that this is only a summary of the HIPAA Security Rule. Not every detail is addressed, and updates may be available. Learn more at “Summary of the HIPAA Security Rule” from the U.S. Department of Health and Human Services.

How to Protect Healthcare Data

With a goldmine of private information in their networks, hospitals and healthcare facilities are primary targets for hackers and malware (just look at what Orangeworm has been up to). And while the HIPAA Security Rule exists to protect patients’ electronic information, figuring out how to follow it on budget can be more challenging. Along with other specifications, you’ll need trustworthy storage and backup data solutions, not only to keep your company in compliance with HIPAA (including how EHR data is stored, transmitted, and disposed of), but also to maintain your reputation in the industry. The good news is, our certified IT company specializes in healthcare IT services, all of which are specifically aimed at streamlining your IT operational costs, giving you access to the latest technology, meeting HIPAA rules, protecting your data, and providing outstanding customer support. Take a look at our website to review some of the services that have helped our healthcare clients, or give us a call for a free network assessment.