Purpose and Practicality
The HIPAA Security Rule[1] was designed to protect the confidentiality, integrity, and availability of a patient's protected health information (PHI) while allowing flexibility for each covered entity based on their size, complexity, technological capabilities, cost constraints, and the likelihood of potential risks to the electronic PHI (ePHI) they house. To make the ideals of PHI privacy practical, the Security Rule allows for many of its provisions to be modified (the "addressable" provisions) so each covered entity can reasonably and appropriately implement the security requirements in a way that makes sense for their business and correctly captures their capabilities. See 45 CFR § 164.306. Other requirements, which the Security Rule considers to be mandatory, are designated as "required."
Structure
There are 5 main areas of safeguards that the Security Rule requires covered entities to address:
(1) Administrative safeguards, 45 CFR § 164.308;
(2) Physical safeguards, 45 CFR § 164.310;
(3) Technical safeguards, 45 CFR § 164.312;
(4) Organizational requirements, 45 CFR § 164.314, § 164.504; and
(5) Documentation requirements, including having policies and procedures, 45 CFR § 164.316.
What should your policies and procedures include?
While it may be tempting to purchase a generic set of HIPAA Security Rule policies and procedures, understand that there is no such thing as a 'generic' set that applies perfectly to your business. You do not want to have policies that say your business is capable of performing Security Rule requirements in a particular manner when, in fact, your business does not have that ability. For policies and procedures to be effective on a day-to-day basis internally, and to protect your business from outside scrutiny, the policies and procedures must be tailored to your business. Putting more time into creating and updating these policies now can save you from a big headache (and potential HIPAA violation complaints) later.
Your business's policies and procedures should include each of the following, and must include them in a way that makes sense for your specific business:
Administrative Safeguards
Required:
- Risk analysis
- Risk management
- Sanction policy
- Information system activity review
- Identify the security official responsible for developing and implementing the policies and procedures
- Isolating health care clearinghouse functions
- Response and reporting of security incidents
- Data backup plan
- Disaster recovery plan
- Emergency mode operation plan
- Perform periodic technical and nontechnical evaluations
- Use written contracts (Business Associate Agreements) or other arrangements as required by 45 CFR § 164.314(a)
Addressable:
- Authorization and/or supervision of workforce members who work with ePHI or the locations where ePHI might be accessed
- Workforce clearance procedure
- Termination procedures
- Access authorization
- Access establishment and modification
- Security reminders
- Protection from malicious software
- Log-in monitoring
- Password management
- Testing and revision procedures
- Applications and data criticality analysis

Physical Safeguards
Required:
- Workstation use
- Workstation security
- Disposal of ePHI and/or the hardware or electronic media on which ePHI is stored
- Media re-use
Addressable:
- Contingency operations
- Facility security plan
- Access control and validation procedures
- Maintenance records
- Accountability
- Data backup and storage

Technical Safeguards
Required:
- Unique user identification
- Emergency access procedure
- Audit controls
- Person or entity authentication
Addressable:
- Automatic logoff
- Encryption and decryption
- Mechanism to authenticate ePHI
- Integrity controls in transmission
- Encryption in transmission

Organizational Requirements
Required:
- Use Business Associate Agreements (which must contain particular provisions as specified in 45 CFR § 164.314(a) and 45 CFR § 164.504) or other arrangements for special situations
- Group health plans must document they will appropriately and reasonably safeguard ePHI

Policies and Procedures and Documentation Requirements
Required:
- Implement reasonable and appropriate policies and procedures
- Documentation of required activities or assessments
- Time limit: must retain required documentation for at least 6 years
- Availability: must make documentation available to those responsible for implementing the procedures
- Updates
Conclusion
Take the time to make sure your policies and procedures cover each standard of the HIPAA Security Rule, and that those policies are tailored to your specific business. If you don't have all of these policies in place yet, be sure to supplement your existing policies so you have a complete set and become HIPAA compliant. As a practical tip, make sure you organize these policies in a way that is easy for you to understand, and include the specific citation to each HIPAA requirement next to the correlating policy or procedure for easy reference. The Security Rule is meant to be flexible enough to make sense for your particular business. Take advantage of that and, if necessary, think of this article as a reminder to give your HIPAA policies a (perhaps much needed) makeover.
Footnote
[1] HIPAA is comprised of the Security Rule and the Privacy Rule, among other related provisions. This article addresses only the Security Rule.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.