The HIPAA Security Rule Establishes National Standards to Protect Individuals’
ePHI That Is Created, Received, Used or Maintained By A Covered Entity.

HIPAA Security Rule Overview

The HIPAA Security Rule, also known as the Final Rule on Security Standards, took effect in April 2003 with a compliance date of April 2005. The Security Rule specifically addresses Electronic Protected Health Information (e-PHI) and requires covered entities to implement administrative, physical, and technical safeguards.

Who is required to comply with the HIPAA Security Rule? To protect the privacy and security of protected health information, these safeguards apply to the Covered Entities that come into contact with sensitive patient information, whether by creating, storing, transferring, or processing it. Covered Entities are the individuals, agencies, and organizations that must comply with HIPAA encryption requirements; they include doctors, pharmacies, health insurance companies, and billing services. Business Associates (any vendor that also comes into contact with patient data) must also comply with HIPAA standards.


Administrative Safeguards – 45 CFR 164.308

Administrative safeguards are policies and procedures that clearly identify how an entity will comply with the Security Rule. These policies and procedures establish the management, implementation, and maintenance of security measures designed to protect e-PHI. Additionally, administrative safeguards should include a contingency plan that identifies and addresses procedures and policies in the event of an emergency or security breach.

Chapter 164.308(a)(1)(i) – Standard: Security management process

Identify and analyze potential risks to e-PHI, and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Chapter 164.308(a)(1)(ii) – Implementation specification. Implement:

  1. Risk analysis (required)
  2. Risk management (required)
  3. Sanction policy (required)
  4. Information system activity review (required)

Chapter 164.308(a)(2) – Standard: Assigned security responsibility

Designate a HIPAA compliance security official who is responsible for developing and implementing the data center’s security policies and procedures.
Chapter 164.308(a)(3)(i) – Standard: Workforce security

Implement HIPAA-compliant policies and procedures that authorize access to e-PHI for those workforce members who are permitted to have it, and that prevent workforce members who are not permitted from accessing e-PHI.
Chapter 164.308(a)(3)(ii) – Implementation specification. Implement:

  1. Authorization and/or supervision (addressable)
  2. Workforce clearance procedure (addressable)
  3. Termination procedures (addressable)

Chapter 164.308(a)(4)(i) – Standard: Information access management

Implement HIPAA-compliant policies and procedures for authorizing access to e-PHI only when such access is appropriate, based on the user or recipient’s role (role-based access).
Chapter 164.308(a)(4)(ii) – Implementation specification. Implement:

  1. Isolating health care clearinghouse functions (required)
  2. Access authorization (addressable)
  3. Access establishment and modification (addressable)

Chapter 164.308(a)(5)(i) – Standard: Security awareness and training

Provide for appropriate authorization and supervision of workforce members who work with e-PHI and train all workforce members regarding security policies and procedures.
Chapter 164.308(a)(5)(ii) – Implementation specification. Implement:

  1. Security reminders (addressable)
  2. Protection from malicious software (addressable)
  3. Log-in monitoring (addressable)
  4. Password management (addressable)

Chapter 164.308(a)(6)(i) – Standard: Security incident procedures

Identify and respond to suspected or known security incidents, mitigate these risks, and document the incidents and their outcomes.
Chapter 164.308(a)(6)(ii) – Implementation specification. Implement: Response and Reporting (required)
Chapter 164.308(a)(7)(i) – Standard: Contingency plan

Establish (and implement as needed) policies and procedures for responding to emergency situations that cause damage to systems containing e-PHI.
Chapter 164.308(a)(7)(ii) – Implementation specification:

  1. Data backup (required)
  2. Disaster recovery (required)
  3. Emergency mode operation plan (required)
  4. Testing and revision procedures (addressable)
  5. Applications and data criticality analysis (addressable)

Chapter 164.308(a)(8) – Standard: Evaluation

Perform a periodic assessment of how well the data center’s security policies and procedures meet the requirements of the Security Rule.
Chapter 164.308(b)(1) – Standard: Business associate contracts and other arrangements

A covered entity or business associate may permit a business associate to create, receive, maintain, or transmit e-PHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances in the form of a written contract or other agreement.
Chapter 164.308(b)(4) – Implementation specification. Implement: Written contract or other arrangement (required)

This document was derived from the 45 CFR 164.308. Although it does not address every provision of these federal regulations, it may still be used as a starting point for your understanding of the HIPAA Security Rule. Due to the evolving nature of the legal environment surrounding the security of PHI, please refer to U.S. Government Printing Office for the most accurate and up-to-date version of this text.


Physical Safeguards – 45 CFR 164.310

The physical safeguards outlined in the HIPAA Security Rule are designed to control physical access to and protect a Covered Entity’s electronic information system. The physical policies and procedures limit authorized access to related buildings, equipment (including hardware and software), and electronic media.

Chapter 164.310(a)(1) – Standard: Facility access controls

Limit physical access to the data center facilities while ensuring that authorized access is allowed.

Chapter 164.310(a)(2) – Implementation specification. Implement:

  1. Contingency operations (addressable)
  2. Facility security plan (addressable)
  3. Access control and validation procedures (addressable)
  4. Maintenance records (addressable)

Chapter 164.310(b) – Standard: Workstation use

Implement policies and procedures to specify proper use of, and access to, workstations and electronic media.
Chapter 164.310(c) – Standard: Workstation security

Implement physical safeguards for all workstations that access e-PHI, to restrict access to authorized users.
Chapter 164.310(d)(1) – Standard: Device and media controls

The data center must also have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
Chapter 164.310(d)(2) – Implementation specifications. Implement:

  1. Disposal (required)
  2. Media re-use (required)
  3. Accountability (addressable)
  4. Data backup and storage (addressable)

This document was derived from the 45 CFR 164.310. Although it does not address every provision of these federal regulations, it may still be used as a starting point for your understanding of the HIPAA Security Rule. Due to the evolving nature of the legal environment surrounding the security of PHI, please refer to U.S. Government Printing Office for the most accurate and up-to-date version of this text. http://www.gpo.gov/fdsys/search/searchresults.action?st=45+CFR+164.310


Technical Safeguards – 45 CFR 164.312

Technical safeguards are established to control computer, network, and information systems in order to protect communications containing e-PHI. These technical policies also designate persons who have access to the hardware and software programs. Additionally, the technical safeguards implement security measures to guard against unauthorized access or manipulation of e-PHI being transmitted or processed over an electronic network.

Chapter 164.312(a)(1) – Standard: Access control

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information (e-PHI) to allow access only to those persons or software programs that have been granted access rights as specified in the Administrative Safeguards for the HIPAA Security Rule.
Chapter 164.312(a)(2) – Implementation specifications. Implement:

  1. Assign a unique user name and/or number to identify & track a user’s identity (required)
  2. Establish procedures for obtaining necessary e-PHI during an emergency (required)
  3. Provide methods for terminating electronic access to critical data after a predetermined time of inactivity (addressable)
  4. Implement mechanisms for encryption & decryption of e-PHI (addressable)

Chapter 164.312(b) – Standard: Audit controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI.
Chapter 164.312(c)(1) – Standard: Integrity

Implement policies and procedures to protect e-PHI from alteration or destruction in an unauthorized manner.
Chapter 164.312(c)(2) – Implementation specification. Implement: Establish mechanisms to authenticate those seeking access to e-PHI (addressable)
Chapter 164.312(d) – Standard: Person or entity authentication

Implement procedures to verify that a person or entity seeking access to e-PHI is the one claimed.
Chapter 164.312(e)(1) – Standard: Transmission security

Implement technical security measures to guard against unauthorized access or manipulation to e-PHI that is being transmitted over an electronic communications network.
Chapter 164.312(e)(2) – Implementation specifications. Implement:

  1. Implement security measures to ensure that electronically transmitted e-PHI is not modified without detection until disposed of (addressable)
  2. Establish a mechanism to encrypt e-PHI whenever it is deemed appropriate (addressable)

This document was derived from the 45 CFR 164.312. Although it does not address every provision of these federal regulations, it may still be used as a starting point for your understanding of the HIPAA Security Rule. Due to the evolving nature of the legal environment surrounding the security of PHI, please refer to U.S. Government Printing Office for the most accurate and up-to-date version of this text.

The HIPAA Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164. Visit the Health and Human Services website for the combined Administrative Simplification Regulations.

For more information on HIPAA Security Rule compliance and about our HIPAA Compliant Hosting Services, contact OnRamp today!


HIPAA Security Rule vs. HIPAA Privacy Rule

What is the difference between the Security Rule and the Privacy Rule? The Privacy Rule focuses on individuals’ rights to control the use of their own personal information. Therefore, the Privacy Rule covers all formats of protected health information, including electronic, paper, and oral communication. The Security Rule applies specifically to the safeguards surrounding electronic storage and maintenance of protected information. Thus, the Security Rule is a subset of the Privacy Rule that addresses the electronic portion of protected patient data. These two rules work together to help ensure that patients’ privacy and records are protected from unauthorized access.