The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for the protection and security of patients' health information. HIPAA applies to covered entities (e.g., doctors, psychologists, surgery centers, addiction treatment centers, etc.) and their business associates (e.g., billing companies, EMR vendors, cloud services, etc.) who access, use, create, store, or transmit protected health information (PHI) including electronic PHI (ePHI) on behalf of a covered entity.
At large, HIPAA requires both covered entities and business associates to develop, implement, administer, oversee, enforce and update written policies and procedures and plans that incorporate reasonably appropriate administrative, technical, and physical safeguards. Together, these safeguards are designed to help protect the confidentiality, integrity, and availability of PHI and ePHI. This post provides a general explanation on what these safeguards are along with some examples of each for HIPAA compliance.
What are HIPAA Administrative Safeguards?
Administrative safeguards are the “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.” 45 C.F.R Section 164.304.
The term “workforce” means and includes employees, volunteers, trainees, and other persons, whether they are paid or unpaid, who are performing work for and under the direct control of the covered entity or business associate as applicable. See 45 C.F.R. Section 160.103
Some examples of HIPAA administrative safeguards include:
Designating a security and/or privacy officer who will be responsible for overseeing the implementation and enforcement of the organization’s HIPAA policies and procedures.
Conducting a thorough risk analysis to identify and address potential threats and vulnerabilities to the confidentiality, integrity and availability of PHI and ePHI.
Securing a written business associate agreement that covers the covered entity and business associate’s respective rights and obligations on the access, use, and disclosure of PHI and ePHI, as well as a framework for reporting and handling breaches.
Providing security and awareness training to workforce members who handle PHI and ePHI on security and privacy requirements and best practices.
Establishing and enforcing sanctions against workforce members who violate the organization’s HIPAA policies and procedures.
Implementing procedures for reviewing information system activity, such as audit logs, access reports, and incident tracking.
Having a written a contingency plan that governs how to handle emergencies or disasters that may impact the ability to retrieve exact copies of ePHI, such as a data backup plan, disaster recovery plan, and emergency mode operation plan.
Having an incident response plan that covers reporting and responding to security breaches or security incidents involving PHI and ePHI.
Maintaining documentation of all HIPAA policies, procedures, practices, activities, and events for at least 6 years.
Implementing, administering, reviewing and updating HIPAA policies and procedures periodically or as needed based on changes in an organization, technology, or environment that affect the security and privacy of PHI and ePHI.
See 45 C.F.R. Section 164.308
The scope and type of an organization’s HIPAA administrative safeguards will vary by the organization’s size, complexity, and capabilities, its technical infrastructure, hardware, and software capabilities, the nature and volume of PHI and ePHI handled, and the potential risks and vulnerabilities to the security of the PHI and ePHI.
What are HIPAA Physical Safeguards?
Physical safeguards “are physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” 45 C.F.R. Section 164.304.
Physical safeguards also extend to any offsite workforce members who work from home or from other physical locations.
Some examples of HIPAA physical safeguards include:
Having written acceptable use policies for workstations (e.g., desktop computers, laptops, external drives and mobile devices) for both onsite and offsite workforce members.
Locking doors, windows, cabinets, and drawers that contain PHI and devices that store or transmit ePHI.
Issuing identification badges to workforce members and visitors.
Providing only authorized workforce members with keys or system codes to areas and systems where PHI and ePHI is stored.
Using security cameras, alarms, guards, or other surveillance systems to monitor and deter intruders or unauthorized personnel.
Maintaining records of any repairs or modifications to physical security systems, such as walls, doors, locks and hardware.
Securely shredding, wiping, deleting or destroying PHI and ePHI when it is no longer needed or required by law.
Having a data backup and storage process that enables retrieving an exact copy of ePHI before the equipment on which ePHI is stored is moved.
See 45 C.F.R. Section 164.310
As with the HIPAA administrative safeguard standards, the scope and type of physical safeguards will vary by organization depending on the size, location, and nature of its operations.
What are HIPAA Technical Safeguards?
Technical safeguards are “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” 45 C.F.R. Section 164.304 These safeguards focus on securing electronic systems where ePHI is stored and processed. To determine what technical safeguards are appropriate and reasonable, covered entities and business associates must conduct a risk analysis to identify potential threats and vulnerabilities.
Some examples of HIPAA technical safeguards include:
Assigning a unique name or number to identify and track user identity.
Assigning role or function-based levels of authorized access to workforce members.
Implementing user authenticating mechanisms for workforce members with access to ePHI.
Using secure protocols such as HTTPS or SSL/TLS.
Using firewalls, antivirus software, and other tools designed to prevent unauthorized access or malware attacks.
Encrypting and decrypting ePHI in transit and at rest.
Terminating electronic sessions after a preset time of inactivity.
Implementing audit controls and logs to record and monitor the activity of information systems that contain ePHI.
See 45 C.F.R. Section 164.312
As with the HIPAA administrative and physical safeguards, the scope and type of technical safeguards will vary by an organization’s resources, such as the size, complexity, and capabilities of the organization, as well as the nature and volume of ePHI that is created, received, maintained, or transmitted.
Collectively, the HIPAA administrative, physical and technical safeguards provide organizations with a robust line of defense against potential threats to patient information. By implementing these safeguards, covered entities and their business associates are better suited to ensure the confidentiality, integrity, and availability of the PHI and ePHI they create, receive, maintain, or transmit, and in accordance with their respective obligations for HIPAA compliance.
The information provided in this post is for general informational purposes and not intended as legal advice or legal opinion for any individual matter. Keep in mind that legal developments or changes to law may occur in the future and, as such, the information contained in this post may not be the most up-to-date legal information. Do consult your own attorney for any legal advice you may require. If you do not have an attorney and would like to explore a potential engagement, please reach out to Venus Caruso using the contact submission form or by using the contact information provided in her bio.