Patient confidentiality is one of the most important aspects of the relationship between a healthcare provider and a patient. Confidentiality strengthens the trust in the patient-physician relationship and supports the quality of care and patient autonomy. Prior to the implementation of HIPAA, the healthcare industry lacked a set standard or requirements regarding the protection of health information. At the same time, the industry was moving towards implementing technology to process clinical and administrative tasks. The increased use of technology within the industry has allowed for a more efficient and accessible system. However, it has also increased the risk of privacy breaches.
Why was the Security Rule created?
To help combat potential security risks, the HIPAA Security Rule was created under the Health Insurance Portability and Accountability Act of 1996. This law required the U.S. Department of Health and Human Services (HHS) to devise regulations to help protect the privacy and security of patients’ health information. The Security Rule specifically was created to protect information and set a standard for how Electronic Protected Health Information (e-PHI) is held and transmitted. The Security Rule addresses the technical and non-technical safeguards surrounding e-PHI and how organizations known as “covered entities” put these safeguards into place.
What information is protected under the Security Rule?
The Security Rule is intended to protect a subset of the “individually identifiable health information” covered by the Privacy Rule, namely the information that is created, received, maintained, or transmitted through electronic means. Individually identifiable health information includes, but is not limited to, name, address, date of birth, social security number, and the individual’s past, present, or future physical or mental health or condition. If the health information is “de-identified”, meaning the individual’s identity cannot be revealed, the information is no longer required to be protected under the Security Rule.
What does the Security Rule entail?
The Security Rule describes the administrative, physical, and technical safeguards that should be put in place to protect patient information.
Administrative Safeguards
- Security Management Processes: This includes risk analysis, risk management, a sanction policy, and information system activity review. The purpose of this standard is to ensure that there are policies and procedures for the prevention, detection, and correction of security violations.
- Assigned Security Responsibility: Requires an assigned security official who is accountable for the development and implementation of policies and procedures.
- Workforce Security: Ensures that only the members of the workforce who require e-PHI to do their job have access to it and that they are identified within the organization.
- Information Access Management: Implements policies and procedures to ensure that the risk of inappropriate disclosure, alteration, or destruction of e-PHI is reduced.
- Security Awareness and Training: All members of the health system must be adequately trained on the rules and regulations.
- Security Incident Procedures: Security incidents must be addressed in policies and procedures.
- Contingency Plan: Requires the entity to establish a plan for responding to emergency situations such as fires, vandalism, system failure, etc.
- Evaluation: Periodic evaluation of the implementation of the Security Rule within the entity must be performed.
- Business Associate Contracts and Other Arrangements: Allows for the transmission and maintenance of e-PHI by a business associate of the entity, provided that the business associate fulfills satisfactory assurances.
Physical Safeguards
- Facility Access Controls: Limits physical access to the facility where electronic information systems are present without creating barriers for properly authorized individuals.
- Workstation Use: Puts policies and procedures into place to ensure appropriate usage of electronic computing devices.
- Workstation Security: Physical safeguards must be put into place to protect workstations against unauthorized access.
- Device and Media Controls: Any receipt or removal of hardware or media containing e-PHI must be properly handled.
Technical Safeguards
- Access Controls: Implements technical policies and procedures for systems containing e-PHI so that access is allowed only to individuals or programs that have been granted it.
- Audit Controls: e-PHI usage must be recorded and reviewed through hardware, software, and/or procedural mechanisms.
- Integrity: Requires the covered entity to set forth rules and regulations to protect e-PHI from unauthorized alteration or destruction.
- Person or Entity Authentication: Verifies that the person or entity requesting access to e-PHI is the one claimed.
- Transmission Security: Transmission of e-PHI over electronic communication networks must be protected with technical safeguards to prevent unauthorized access.
Who is required to implement the Security Rule?
The Security Rule applies only to “covered entities” as defined by the HHS. Covered entities include health plans, healthcare clearinghouses, and healthcare providers. Other entities that fall under the Security Rule are held to the same expectations.
What are the ramifications for not implementing the Security Rule?
Noncompliance with the Security Rule can result in civil money penalties and/or criminal penalties. Civil money penalties are imposed by the HHS and can range from $100 up to $25,000 per year for multiple violations. Criminal penalties range from $50,000 to $250,000 and may include imprisonment for 1-10 years, depending on the violation and intent. Willful neglect and violations carry greater penalties and punishments.
How to assess security risk?
The Office of the National Coordinator for Health Information Technology (ONC) and the HHS have developed tools that reveal potential risks within a covered entity’s system. To check whether your entity is compliant with the Security Rule, you may use their Security Risk Assessment Tool.
How to ensure compliance with the Security Rule?
It is important that all members handling Protected Health Information within a covered entity are adequately trained and compliant with the rules and regulations of HIPAA.
To learn more about Healthcare Compliance, the Accreditation Council for Medical Affairs offers a 90-minute attestation on HIPAA Privacy, HIPAA Security, Fraud and Abuse, PhRMA code, and Advamed Code of Ethics.