A Quick Guide to HIPAA’s Technical Safeguards
The Health Insurance Portability and Accountability Act (HIPAA) governs the use and disclosure of Protected Health Information (PHI). HIPAA requires that a Covered Entity (CE) and a Business Associate (BA) must protect a patient’s medical information. There are three laws outlined within HIPAA regulations: The Privacy Rule, The Security Rule, and The Breach Notification Rule.
The Security Rule contains a subsection of safeguards that were enacted to regulate how HIPAA covered entities protect Electronic Protected Health Information (ePHI). Safeguards included in The Security Rule are technical safeguards, physical safeguards, and administrative safeguards. The following paragraphs will provide an overview to the technical safeguards outlined under The HIPAA Security Rule.
The HIPAA Security Rule
The Privacy Rule protects confidential data under HIPAA, while The Security Rule regulates how that data should be protected. More specifically, it outlines what tactics need to be implemented by a CE to protect the integrity of that ePHI.
There are no specific requirements for what types of technology HIPAA covered entities need to utilize to protect sensitive information. Rather, this rule leaves security modalities up to the CE’s discretion, as long as they are reasonable and appropriate.
Above all, maintaining HIPAA compliance under The Security Rule is important for healthcare providers and other CEs that handle electronic Protected Health Information (ePHI). If a healthcare organizations stores, obtains, or transmits ePHI on a network that is not secured, their data could be compromised. In fact, it is estimated that 94% of healthcare entities may experience a data breach during any given year. Furthermore, the average cost aftermath per healthcare organization is around $2.4 million.
In short, data breaches can be costly. Therefore, a covered entity must implement tactics that comply with the technical, physical, and administrative safeguards outlined under The Security Rule. Additionally, data breaches may also lead to civil penalties from governing bodies. The HHS Office for Civil Rights enforces these rules to help CEs minimize their risk of data breaches.
Technical Safeguards are…
A health plan or care provider that receives maintains, or transmits PHI needs to protect ePHI. In order to properly safeguard ePHI, implementing technical safeguards are paramount to any data security strategy.
Under HIPAA law, technical safeguards are defined as, “…the technology used by Covered Entities and Business Associates, and the policies and procedures for its use and access to it.” The Technical Safeguards within HIPAA regulations are the measures a CE and BA must take to securely protect health data.
Technical Safeguards Under The HIPAA Security Rule
The HIPAA Security Rule operates based off of three fundamental concepts– flexibility, scalability, and technology neutrality. These concepts allow a CE to determine what security measures are reasonable and approbate for the size of their healthcare organization.
Access controls, audit controls, data integrity, authentication, and transmission security are all Technical Safeguards that CE’s must utilize to protect ePHI. However, the ways in which a CE chooses to execute these security measures is left to their discretion. What is a technical safeguard? Examples of what Technical Safeguards are will be listed below.
…security tactics that only allow authorized personnel to view and handle ePHI. Access controls that HIPAA covered entities need to implement to keep ePHI secure include the following.
- A specific user must be assigned to track log-in attempts.
- Proper procedures must be in place for accessing ePHI during an emergency.
- Any workstations that have access to ePHI must have automatic log-offs enabled.
- Security methods to encrypt and decrypt data must be implemented.
…software, hardware, or policies that are in place to monitor and record user activity that pertains to ePHI. There are no specified audit controls listed under The Security Rule. However, any HIPAA covered entity that handles ePHI needs to regulate the confidential data stored on their servers.
…policies or procedures that are enacted to prevent ePHI from being altered or destroyed. Authenticating ePHI ensures that the original data has not been tampered with by unauthorized personnel.
…the process of identifying an individual attempting to view or access ePHI. Specific qualifications for authentication are not outlined under HIPAA. However, anyone who wishes to handle ePHI in any form must have permission to do so. Additionally, they need to be able to prove that they are who they say they are with verifiable credentials.
…methods of data security that maintain the integrity of PHI while it is created, received, or sent electronically. Modalities that healthcare organizations use to protect their sensitive information may include the following.
- ePHI must be preserved from alterations and remain undetectable.
- ePHI must be encrypted when the healthcare organization deems it appropriate.
- Decryption keys must be stored separately from the data.
The HIPAA Security Rule does not mention specific methods of protecting data. However, the most effective way to do this is through data encryption. It secures data in transit and at rest by stripping ePHI of all identifiable factors. Thus, should your organization ever experience a data breach, data that is compromised is rendered useless because it is all anonymous.
The only way to make encrypted data readable again is with a decryption key. These keys are unique to each form of PHI and should never be shared. Additionally, data security companies with a strong protection will also rotate decryption keys on a consistent basis. Therefore, a CE can take comfort in the fact that the best security practices for securing ePHI are always in place.