DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article provides an overview of the requirements of the HIPAA Security Rule.
What is the HIPAA Security Rule?
The HIPAA Security Rule is a series of HIPAA regulations that require covered entities and business associates to protect the confidentiality, integrity, and availability of protected health information that is created, maintained, received, or transmitted in electronic form. This PHI is referred to as electronic protected health information, or ePHI. The terms confidentiality, integrity, and availability have the following definitions:
Confidentiality ensures that no unauthorized access or disclosure is made to ePHI;
Integrity ensures that no unauthorized modifications, additions, or deletions are made to ePHI; and
Availability ensures that ePHI is accessible when needed, and that it is in usable form.
What are the General Requirements of the HIPAA Security Rule?
Beyond protecting the confidentiality, integrity, and availability of ePHI in general, the Security Rule's general requirements direct covered entities and business associates to:
Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.
Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required under the HIPAA Privacy Rule.
Train the workforce on Security Rule concepts by providing periodic security updates and reminders; procedures for guarding against, detecting, and reporting malicious software; and procedures for creating, changing, and safeguarding passwords.
What are the HIPAA Security Rule Safeguards?
The Security Rule includes administrative, physical, and technical safeguards. These safeguards set forth standards to protect the confidentiality, integrity, and availability of ePHI.
What are Administrative Safeguards?
The HIPAA Security Rule defines administrative safeguards as “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information.” Administrative safeguards also include such measures “to manage the conduct of the covered entity’s [or business associate’s] workforce in relation to the protection of that information.”
Administrative safeguard measures include the security management process standard, which requires, among other things, a security risk assessment and risk management.
Other administrative standards include:
The workforce security standard;
The information access management standard;
The security official standard, which requires designation of a security official;
The security awareness and training standard;
The security incident procedures standard, which requires CEs and BAs to develop policies and procedures for detecting and responding to security incidents;
The contingency plan standard, which requires organizations to develop contingency plans, including data backup plans, disaster recovery plans, and emergency mode operation plans; and
The evaluation standard, which requires organizations to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI.
Another administrative safeguard measure is the "business associate contract" standard. This standard requires a business associate agreement between a covered entity and each of its business associates, and between a business associate and each of its business associate subcontractors.
What are Physical Safeguards?
The Security Rule defines physical safeguards as “Physical measures, policies, and procedures to protect a covered entity’s [or business associate’s] electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Physical safeguards protect the physical security of offices, home offices, remote worksites, and other locations where ePHI may be stored or maintained. Physical safeguard standards include facility access and control measures; workstation use and security measures; and device and media controls.
What are Technical Safeguards?
The Security Rule defines technical safeguards as “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Technical safeguard standards include access and audit controls; integrity controls; person or entity authentication controls; and transmission security controls.