Key Takeaways
Three-Pillar Protection: The HIPAA Security Rule mandates the implementation of three distinct categories of safeguards—administrative, physical, and technical—to protect the confidentiality, integrity, and security of electronic Protected Health Information (ePHI).
Risk Assessment as the Foundation: The foundational step for maintaining HIPAA compliance is to complete a thorough risk assessment. This process must be tailored to the organization’s unique needs (size, complexity, infrastructure) to identify threats and determine appropriate protective measures.
Documentation and Review is Continuous: Compliance with the Security Rule requires proper documentation of all security measures and procedures. This documentation must be periodically reviewed and updated to remain current in response to the ever-changing security environment.
The HIPAA Security Rule
Are you familiar with the HIPAA Security Rule? It requires that physicians implement proper protections to guard electronic protected health information (also known as ePHI). It ensures that the proper administrative, physical and technical safeguards are used to protect the confidentiality, integrity and security of ePHI.
The HIPAA Security Rule offers actionable steps to ensure that your organization is in line with the HIPAA Privacy Rule and addresses the safeguards that are necessary for covered entities. As such, your organization must assess the security risks involved in storing or transmitting ePHI, ensure compliance with the HIPAA Security Rule, and properly document its compliance processes.
HIPAA Requirements: Administrative Safeguards
HIPAA Administrative Safeguards are the documented procedures your organization uses to protect PHI and ePHI. These include employee training and access protocols.
HIPAA Requirements: Physical Safeguards
Physical safeguards govern physical access to your organization’s equipment. Systems used to store ePHI must be protected from unauthorized access. While an electronic security system can be useful, it shouldn’t be the only safeguard your organization relies on.
HIPAA Requirements: Technical Safeguards
HIPAA Technical Safeguards refer to the technology and policies for its use that protect ePHI or control access to it. This can be a difficult part of HIPAA compliance practices to implement, but an advisor from an experienced assessment firm can help.
Assessing Risk
The first step to maintaining HIPAA compliance is understanding the threats to the security of ePHI and how to implement measures that mitigate them. A risk assessment should be completed according to your organization’s unique industry needs and examine:
- Your organization’s size, complexity, and capabilities,
- Your organization’s infrastructure, hardware, and software,
- The probability of risk to ePHI or PHI,
- The cost of critical security measures.
Additionally, to help physicians and related organizations better understand the cybersecurity risks they may face, the U.S. Department of Health and Human Services has developed a Risk Assessment Tool that can be a starting reference point.
Documenting HIPAA Compliance
Each security compliance measure includes a requirement for documentation. Your policies may change over time, but you’ll need to ensure that documentation is updated and retained according to all requirements. You will also need to review your policies periodically in response to the ever-changing security environment.
A Trusted Partner for HIPAA Compliance
Auditwerx is experienced at performing HIPAA compliance assessments. Our partners offer Big 10 firm experience, and our thorough peer-review process ensures a quality assessment every time. To learn how Auditwerx can meet your compliance needs, contact Auditwerx today.
FAQs
What is the primary objective of the HIPAA Security Rule?
The objective is to ensure that covered entities implement proper protections and safeguards to guard the confidentiality, integrity, and security of electronic Protected Health Information (ePHI).
What does "ePHI" stand for in the context of this rule?
ePHI stands for electronic Protected Health Information, which is the data that the HIPAA Security Rule is specifically designed to protect.
What are the three mandatory types of safeguards required by the HIPAA Security Rule?
The rule requires organizations to implement administrative safeguards (documented procedures, training), physical safeguards (protecting equipment from unauthorized access), and technical safeguards (technology and policies for using it).
What factors must a compliant HIPAA risk assessment examine?
A risk assessment must examine the organization’s size, complexity, capabilities, infrastructure, hardware, software, the probability of risk to ePHI, and the cost of critical security measures.