What are Technical Safeguards of HIPAA's Security Rule?
The threat and risk of Health Insurance Portability and Accountability Act (HIPAA) violations and breaches of protected health information (PHI) remain a problem for covered entities and business associates. Although HIPAA may appear complicated and difficult, its real purpose is to help you reduce the risks to your company and to the information you store or transmit. One type of safeguard that must be implemented is the technical safeguard, detailed within the HIPAA Security Rule. Technical safeguards specify the security measures that organizations must implement to secure electronic PHI (ePHI). Reviewing the HIPAA technical safeguards for PHI is essential for healthcare organizations to ensure compliance with the regulations and to appropriately protect PHI. In this post, we’re going to dive into the details of what the technical safeguards of HIPAA's Security Rule entail.
What is HIPAA's Security Rule?
The HIPAA Security Rule contains rules created to protect the security of ePHI, any PHI that is created, stored, transmitted, or received in an electronic format. Under the HIPAA Security Rule, covered entities must also implement security safeguards to protect the confidentiality, integrity, and availability of ePHI. This is achieved by implementing three kinds of safeguards: technical, physical, and administrative safeguards.
What is the purpose of technical security safeguards?
A covered entity must implement technical policies and procedures for computing systems that maintain PHI data to limit access to only authorized individuals with access rights. In other words, the purpose of HIPAA technical security safeguards is to protect ePHI and control access to it. A covered entity must also decide which security safeguards and specific technologies are reasonable and appropriate security procedures for its organization to keep electronic data safe.
What Are Technical Safeguards?
The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information (ePHI) and control access to it” (§ 164.304). This can often be the most challenging regulation to understand and apply. As with other HIPAA regulations, certain technical safeguards are "addressable". This simply means that healthcare organizations should utilize these security measures and apply them to their technologies and organizational components in a reasonable and appropriate manner. It’s important to remember that addressable safeguards are still mandatory; however, how they are implemented can be adapted by the organization. HIPAA technical safeguards include:
- Access control
- Audit controls
- Integrity controls
- Person or entity authentication
- Transmission security
Carefully regulating access to ePHI is the first technical safeguard. This important Security Rule mandate includes several specifications, some of which are strictly required and others that are addressable. The required aspects under access control are:
- Unique User Identification: Assign each employee a unique name and/or number to track their activity and identify them in all virtual movements.
- Emergency Access Procedure: Establish and implement necessary procedures for retrieving ePHI in the event of an emergency.
- Authentication: Implement procedures to verify that a person or entity requesting access to ePHI is the one claimed.
The addressable aspects under access control are:
- Automatic Log-off: Install auto log-off software for workstations to end an online session after a predetermined time of inactivity to prevent unauthorized access.
- Encryption and Decryption: Implement systems that automatically encrypt and decrypt ePHI.
Second, audit control refers to the use of systems by covered entities to record and monitor all activity related to ePHI. The required aspect under audit control is:
- Audit Control: Implement hardware, software, and/or procedural safeguards that record and examine activity in information systems that use or contain ePHI.
The importance of this is that, if ePHI is put at risk, it becomes possible to identify who accessed what information, when, and why. This helps achieve the general goal of the Security Rule and its technical safeguards, which is to improve ePHI security.
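As an added illustration (not code from the original post), the following Python sketch shows what an audit control can look like in practice: each ePHI access is recorded with who, what, when and why, the entries are hash-chained so that a later edit or deletion is detectable, and the log can be examined per patient. The record fields, user and patient identifiers, and sample activity are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


def _entry_hash(prev_hash, entry):
    # Hash the canonical form of the entry together with the previous hash,
    # so every entry commits to the whole history before it.
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def record_access(log, user_id, patient_id, action, reason, timestamp=None):
    """Append one audit entry (who, what, when, why) to the in-memory log."""
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    entry = {"timestamp": ts, "user_id": user_id, "patient_id": patient_id,
             "action": action, "reason": reason}
    prev_hash = log[-1]["hash"] if log else "0" * 64
    log.append({"entry": entry, "hash": _entry_hash(prev_hash, entry)})
    return log[-1]


def verify_log(log):
    """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
    prev_hash = "0" * 64
    for i, item in enumerate(log):
        if _entry_hash(prev_hash, item["entry"]) != item["hash"]:
            return i
        prev_hash = item["hash"]
    return -1


def accesses_to(log, patient_id):
    """Examine the log: who touched this patient's ePHI, when, how, and why."""
    return [(e["entry"]["user_id"], e["entry"]["timestamp"],
             e["entry"]["action"], e["entry"]["reason"])
            for e in log if e["entry"]["patient_id"] == patient_id]


if __name__ == "__main__":
    log = []  # constructed sample activity
    record_access(log, "nurse-0142", "MRN-1001", "view", "treatment", "2024-05-01T08:00:00+00:00")
    record_access(log, "dr-0007", "MRN-1001", "update", "treatment", "2024-05-01T08:05:00+00:00")
    record_access(log, "billing-03", "MRN-2002", "view", "payment", "2024-05-01T09:00:00+00:00")
    print(accesses_to(log, "MRN-1001"))
    print("intact" if verify_log(log) == -1 else "tampered")
    log[1]["entry"]["user_id"] = "someone-else"   # an after-the-fact edit is detected
    print("intact" if verify_log(log) == -1 else "tampered")
```

In a real deployment the log would be written to append-only storage with the chain head kept separately, so that an attacker who can edit the log cannot also rewrite the chain.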
Integrity is the next technical safeguard regulation, and it involves ensuring that ePHI and other health data are not destroyed or altered in any way. Healthcare organizations may develop concerns about patient safety or treatment quality when ePHI is altered or destroyed. The addressable aspect under integrity controls is:
- Mechanism to Authenticate ePHI: Implement electronic measures to confirm that ePHI has not been altered or destroyed in an unauthorized manner.
The integrity standard was created so that organizations implement policies and procedures to avoid the destruction or alteration of ePHI in any form, whether by human or electronic error.
Person or Entity Authentication
Unlike the other technical safeguards, person or entity authentication is left entirely to the needs of the covered entity and has no implementation specifications of its own. You may notice that person or entity authentication relates to access control; however, it primarily has to do with requiring users to prove their identity before gaining access to ePHI. This can be accomplished with passwords, PINs, smart cards, fingerprints, face or voice recognition, or other methods. The exact needs of each organization will determine how it chooses to meet this safeguard.
The final technical safeguard, transmission security, aims to prevent unauthorized access to ePHI while it is being transmitted electronically. For example, specific measures must be taken so that ePHI sent by email is not exposed to attack or misuse in transit. The Security Rule permits the transmission of ePHI over electronic networks if its integrity is protected and it is appropriately encrypted. The addressable aspects under transmission security are:
- Encryption: Implement a system to encrypt ePHI when considered necessary.
- Integrity Controls: Implement security measures to prevent electronically transmitted ePHI from being improperly altered without detection until discarded.
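The "Mechanism to Authenticate ePHI" specification under the integrity standard and the "Integrity Controls" specification under transmission security both come down to the same technique: attaching a keyed check value to the data so that any unauthorized alteration, at rest or on the wire, is detected at verification time. The Python example below is added here to show that mechanism with HMAC-SHA256; it is not code from the original post, the record contents are constructed, and it covers only the integrity half (confidentiality in transit still requires encryption, typically TLS).

```python
import hashlib
import hmac
import json
import secrets


def _canonical(record):
    # Canonical JSON: the same content always yields the same bytes, regardless of key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record, key):
    """Return the ePHI record together with an HMAC-SHA256 tag computed under `key`."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed, key):
    """Recompute the tag; a mismatch means the ePHI was altered or sealed under another key."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    return hmac.compare_digest(expected, sealed["tag"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # integrity key, managed separately from the data itself
    ephi = {"patient_id": "MRN-1001", "allergy": "penicillin", "dose_mg": 500}  # constructed
    sealed = seal_record(ephi, key)
    wire = json.dumps(sealed)        # what would be stored or transmitted
    received = json.loads(wire)
    print(verify_record(received, key))   # True: arrived unchanged
    received["record"]["dose_mg"] = 5000  # alteration in transit or at rest
    print(verify_record(received, key))   # False: detected before the value is used
```

The key must never travel alongside the data; if it does, whoever can alter the record can also recompute the tag.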
Enroll in HIPAA Training
For more information on the HIPAA Security Rule and technical safeguards, the Department of Health and Human Services (HHS) website provides an overview of HIPAA security requirements in more detail, or you can sign up for our HIPAA for health care workers online course, designed to educate health care workers on the complete HIPAA law.