The Office for Civil Rights (OCR), under the Department of Health and Human Services (HHS), is responsible for enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In 2020, OCR received 27,182 HIPAA-related complaints. Of these, some of the most common violations were related to the HIPAA Security Rule. With that in mind, how about a quick refresher on Security Rule requirements? Is your plan compliant?
The HIPAA Security Rule protects individuals’ electronic protected health information (ePHI) that is held by a covered entity or business associate. Covered entities include health care providers (e.g., doctors, hospitals, clinics, pharmacies, etc.), health care clearinghouses, which process health care transactions for other entities, and individual and group health plans. Business associates are persons or organizations, other than a member of the covered entity’s workforce, that perform services for or assist covered entities and have access to PHI and/or ePHI. While employers and plan sponsors are not covered entities, they are often responsible for ensuring the health plan’s compliance with HIPAA.
To protect the confidentiality, integrity and availability of ePHI and protect against its unauthorized use and disclosure, the HIPAA Security Rule includes three categories of safeguards:
- Administrative safeguards are the administrative actions, policies and procedures used to select, develop, implement and maintain security measures for protecting ePHI, including appropriate management of the workforce.
- Physical safeguards are the physical measures, policies and procedures that protect electronic information systems, buildings and equipment from natural and environmental hazards and unauthorized intrusion while ensuring that properly authorized access is allowed.
- Technical safeguards are the technology, and the policies and procedures for its use, that protect ePHI and control access to it (e.g., unique user identification, access authorization, audit controls, integrity controls and encryption of data at rest and in transit).
For each type of safeguard, the Security Rule sets broad standards for protection and provides more detailed implementation specifications. Some implementation specifications are required while others are addressable. Addressable does not mean optional: the entity must assess whether the specification is reasonable and appropriate in its environment and, if it decides not to implement it as written, must document why and implement an equivalent alternative measure where one is reasonable and appropriate. The HIPAA Security Rule is scalable and technology neutral. It allows for a variety of implementation solutions based on the size of the entity and the amount of ePHI it holds and allows each entity to select the software or technology solution best suited to meet its needs.
Administrative safeguard violations were among the top five issues investigated by OCR in 2020, so let’s take a high-level look at the nine standards within this safeguard:
- Security management process standard: Requires covered entities and business associates to implement policies and procedures to prevent, detect, contain and correct security violations. This process forms the foundation on which all the other standards depend.
- Workforce security standard: Requires covered entities and business associates to implement policies and procedures to ensure that members of the workforce have only the level of access to ePHI needed to perform their job functions, and to prevent workforce members who should not have access from obtaining it (including when a person joins, changes roles or leaves).
- Information access management standard: Requires covered entities and business associates to implement access controls to authorize, establish and modify access to ePHI that are consistent with the “minimum necessary standard” requirements of the HIPAA Privacy Rule.
- Security awareness and training standard: Requires covered entities and business associates to implement security awareness and training programs for their workforces.
- Security incident procedures standard: Requires covered entities and business associates to implement policies and procedures to address security incidents, which are attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.
- Contingency plan standard: Requires covered entities and business associates to establish contingency plans to be implemented during emergency situations.
- Business associate contracts and other arrangements standard: Requires covered entities to obtain satisfactory assurances, documented in a written contract or other arrangement, that business associates will appropriately safeguard information before permitting the business associate to create, receive, maintain or transmit ePHI. Business associates, in turn, must obtain the same assurances from any subcontractors that handle ePHI on their behalf.
- Evaluation standard: Requires covered entities and business associates to perform periodic technical and nontechnical evaluations of their security environments to demonstrate and document the continued effectiveness of their security measures and compliance with the requirements of the Security Rule.
- Assigned security responsibility standard: Requires covered entities and business associates to identify and name a security official who will be responsible for developing and implementing the entity’s Security Rule policies and procedures and who will oversee compliance with them and the protection of ePHI.
Now is as good a time as any to review these HIPAA Security requirements, seek legal counsel and review vendor agreements and relationships to ensure compliance.
To learn more about the technical and physical safeguards as well as implementation standards for each safeguard, consider enrolling in the Foundation’s HIPAA Security e-learning course.
Rose Plewa, CEBS
Senior Instructional Designer, Online Learning Department at the International Foundation