HIPAA Security Rule [What It Is & Necessary Safeguards]
The HIPAA security rule is vital in protecting ePHI. To understand this rule, you need to know the necessary safeguards and how to apply them to your organization.
What is the HIPAA security rule? The HIPAA Security Rule created regulations to protect someone’s personal health information when used by a covered entity. This includes creating administrative, physical and technical safeguards at an organization to protect this information.
What is the HIPAA Security Rule?
The HIPAA compliance framework is divided into three rules, each of which speaks to the responsibilities of healthcare providers (Covered Entities) and their partners (Business Associates):
- The Privacy Rule defines personal and private patient information (Personal Health Information, or PHI), how it can or cannot be used and how businesses must protect that data and maintain the privacy of the patient.
- The Security Rule outlines the security measures that healthcare providers must provide to protect patient data.
- The Breach Notification Rule specifies when and how a CE or BA must notify affected patients and the public more broadly in case of a security breach.
Who Are the HIPAA Covered Entities and Business Associates?
When discussing compliance, you’ll see reference to several different parties:
- The Covered Entity (CE): Covered entities are primary healthcare organizations, and include groups like hospitals, clinics, insurance payers, and Integrated Delivery Networks (IDNs).
- The Business Associate (BA): Business associates are companies that help CEs perform their work, usually by taking over some business or administrative function. BAs can range from technology providers (Managed Service Providers, Cloud Service Providers, data processing companies, etc.) or administrative groups. Essentially, a BA will handle PHI on behalf of CEs.
Note that a Covered Entity can serve as a Business Associate for another Covered Entity even as they perform CE functions.
What are HIPAA Security Rule Safeguards?
The Security Rule is typically the most relevant for healthcare companies, as it dictates the measures that these companies must maintain. More specifically, the Security Rule breaks measures down into three categories of CE responsibility:
- Administrative safeguards. These safeguards refer to the policies, procedures, and plans that an organization must have in place to ensure the safety and protection of all patient data. Responsibilities in this area include security management, personnel management, workforce training, and evaluations. In short, an organization must enact policies and training procedures so that their people and their operations remain compliant.
- Physical safeguards. Physical safeguards refer to the actual, physical access to data and how it is protected. Measures here cover access to a data center or other work facilities, workstation encryption, mobile device protection, and hard drives or other detachable media that need to be transported or disposed of.
- Technical safeguards. Covers HIPAA encryption, access control, authentication, data integrity, and other protection measures. Technical safeguards need to be in place while data is stored, in transit, or in use at a workstation.
Note that the Security Rule doesn’t specify the exact kind of technology your organization must use to stay compliant. Instead, measures must meet the challenges of security as they exist at the time of implementation.
These safeguards will essentially protect ePHI if you remain in compliance and stay on top of the latest measures.
What Is HIPAA Risk Assessment and How Does it Impact Security Compliance?
HIPAA compliance requirements state that CEs and their BAs implement risk assessment as part of their security operations. In fact, risk assessment is outlined in the Privacy Rule as an absolute that healthcare providers and other CEs must perform as part of their compliance.
What is a risk assessment? A risk assessment is an operation where an organization assesses the potential risks of their current and future security implementations. This assessment helps them understand their vulnerabilities and areas of improvement.
In terms of compliance, a risk assessment can also tell the organization and experts whether or not they comply with requirements.
According to the Department of Health and Human Services, a HIPAA risk assessment should include:
- Documentation of PHI and its location, transmission, and storage.
- Assessment of current security measures.
- Determination of reasonably anticipated threats and the risk of a HIPAA breach of PHI, and any impact associated with those breaches.
- Calculating risk levels for combinations of threats and vulnerabilities across multiple security safeguards.
- Reporting, documenting, and recording all assessments, changes and security measure implementations.
This assessment applies to small organizations and enterprise-level corporations. The rules refer to the safety of data, not the size of the company. Because of this, HIPAA security and compliance can be incredibly difficult for large businesses and intimidating for new SMBs entering the industry.
What are the Penalties for HIPAA Non-Compliance?
Risk assessment and compliance are important because the penalties for non-compliance can quickly devastate a healthcare organization.
Violations of regulations fall within four tiers:
- Tier 1: CE or BA was unaware of the violation and couldn’t have reasonably prevented it.
- Tier 2: The CE or BA should have been aware of the violation and was not, but nonetheless couldn’t have reasonably prevented it.
- Tier 3: The CE or BA is guilty of willful neglect of regulations but has made attempts to rectify the situation.
- Tier 4: The CE or BA is guilty of willful neglect and has made no attempt to correct the violation.
Penalties tend to get more severe the higher the tier. In tier 1, penalties can be as low as $100 per violation. Conversely, penalties for a neglectful violation with no attempt to correct can collect fees at a minimum of $50,000 per violation.
It bears repeating that penalties are per violation. While there are annual caps on damages depending on the types of violations, it isn’t unheard of for a CE in willful neglect of rules to suffer millions of dollars in penalties within a single data breach event.
How Does Accellion Help Businesses with HIPAA Security Compliance?
For businesses relying on cloud or SaaS providers, ensuring technical integrity and functionality is one of the most integral parts of compliance.
Note that when you work with any third-party software vendor, they should be openly knowledgeable in compliance and managing data in the healthcare industry. If they are going to store PHI or manage ePHI transmissions in any way for your organization, they must be an authorized Business Associate and you must enter into a Business Associate Agreement (BAA) with them to stay compliant.
The Accellion Kiteworks® platform is a HIPAA-compliant software vendor that can support your healthcare business across all important aspects of PHI security:
- Compliance: This includes providing one-click reporting for audits, administrative safeguards, and data backups. You’ll also get physical safeguards certified under SOC 2 audits over AWS and Microsoft Azure platforms, or the option of deploying on your own premises or IaaS resources.
- Visibility: Document trails are critical for compliance, and the Kiteworks platform gives you the capabilities to track document access, user authentication and authorization, and layers of reporting for incident responses, risk assessment and file sharing. Your doctors, employees and patients can collaborate without compromising PHI.
- Security: Kiteworks platform technology supports enterprise-grade, HIPAA compliant measures like AES-256 encryption, TLS-1.2 and S/MIME HIPAA email encryption, and password management with multi-factor authentication.
Trust Accellion with Your HIPAA Compliance Needs
With the Kiteworks platform, you’re getting communications, email, content firewall, encryption, and more than meets requirements across the board. Take the burden of IT management off your plate and work with a partner that supports your business so you can focus on healthcare and patients.