There is a lot of confusion surrounding the HIPAA Security Rule. As a result, I’m often asked for a list of administrative, technical and physical safeguards that can be used as a checklist. I’ve also crossed paths with healthcare IT professionals searching for a bolt-on solution to cover their needs.
No such checklist or add-on exists.
Actually, I should rephrase that: Neither one should exist. But some companies may peddle checklists and bolt-on security solutions to anyone willing to pay for them. If you should come across such offers, here is my advice: Run the other way.
The HIPAA Security Rule sets out in detail what covered entities must achieve, but it stops short of prescribing how to implement any of it. That’s bad news for IT professionals and healthcare data system administrators looking for a simple checklist for bringing their networks into compliance. But complying with the Security Rule may not be as hard as it seems.
The first step is to establish a culture of security by understanding the intent of the Rule. IT professionals who learn to follow that intent, rather than hunting for concrete examples of compliance to copy, will not find HIPAA an insurmountable problem. In fact, taking the time to understand the meaning and intent of the Rule before decisions about security controls are made will do more to protect healthcare systems than replicating someone else’s implementation. Understanding the Rule means making decisions about security controls with confidence, whatever those controls are and wherever they are applied.
The goal of the Security Rule is to ensure that healthcare providers have the proper safeguards in place, administrative, physical and technical, to protect the confidentiality, integrity and availability of electronic protected health information (ePHI): keeping it from leaving the systems that hold it, from being improperly altered or destroyed, and from becoming unavailable when it is needed. While the Rule isn’t specific about how to secure that data, it is specific about four requirements that should inform every IT-compliance decision, because together they express the Rule’s intent:
- Maintain Control over Data Access: Data access can take many forms, but the Security Rule is primarily concerned with restricting access to ePHI to those employees who need it to do their jobs. The specific expectation is that a company develops and implements a set of rules that lets authorized users reach only the minimum amount of information needed to perform their duties. Granting IT rights and privileges to authorized users based on a documented framework of controls is one clear way to adhere to the essence of this piece of the Rule. While the Rule is fairly general about how that framework is developed, it is quite specific about which access decisions it must cover: authorizing access, and establishing, documenting, reviewing and modifying a user’s right of access. These are outlined in section 164.308(a)(4), the Information Access Management standard under the Administrative Safeguards section of the Rule.
- Monitor Equipment Containing Health Information: The need to control and monitor all equipment that holds health information is another clear mandate of the Security Rule. But this standard can get murky fast, because it depends on a good deal of user data hygiene. A good administrator can protect hardware, but nothing protects a company from the employee who unknowingly leaves protected health information on, say, an unprotected photocopier hard drive. On the hardware side, the Rule addresses technology decisions and lists the factors a covered entity must consider when selecting security measures; this is outlined in 45 CFR 164.306(b), Security Standards: General Rules, Flexibility of Approach. The Physical Safeguards also speak to the photocopier scenario directly: the Device and Media Controls standard at 164.310(d)(1) requires policies governing the disposal and re-use of hardware and electronic media that contain ePHI. But what about policies that keep a company from the carelessness in that example in the first place? The CIO is responsible for those too, and the answer is good data-handling training. While HIPAA doesn’t enumerate the scenarios to avoid, it does require the risk analysis and risk management processes that should surface them. Section 164.308(a)(1)(ii)(A) and (B) of the Rule will help managers make informed decisions about which security measures to implement.
- Preserve Data Integrity: Ensuring that the data stored in your EHR system has not been altered or destroyed in an unauthorized manner is one of the primary goals of the Security Rule. The Integrity standard (164.312(c)(1)) requires policies and procedures to protect ePHI from improper alteration or destruction, regardless of the source. HHS’s guidance on the Rule recognizes that “The integrity of data can be compromised by both technical and non-technical sources,” and specifically points out that “data can also be altered or destroyed without human intervention, such as by electronic media errors or failures.” Once again, the Rule does not enumerate those potential failures. What it does specify, in the addressable implementation specification at 164.312(c)(2), is the outcome: electronic mechanisms that corroborate that ePHI has not been altered or destroyed in an unauthorized manner. Which mechanisms (for example, checksums or digital signatures over stored records) are reasonable and appropriate is for the risk analysis to decide.
- Maintain Audit Controls: The Audit Controls standard (164.312(b)) requires hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. It does not say what to log, how long to keep it or how often to review it. The intent is that each organization determines reasonable and appropriate audit controls for its own systems, documents the scope, frequency and process of that review, and actually performs it; the Administrative Safeguards separately require a regular information system activity review at 164.308(a)(1)(ii)(D).
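The three technical threads in the list above (access limited to what a role needs, a mechanism that corroborates ePHI has not been altered, and a record of who touched what) are easier to reason about when they sit side by side in working code. What follows is an added Python illustration written for this page; it is not text from the Rule, HHS guidance or any vendor product. The roles, field names, patient record and integrity key are all constructed for the example. A real system would keep the integrity key in a key-management service rather than next to the data, and would write the audit log to storage the application itself cannot rewrite.

```python
"""Toy ePHI store: minimum-necessary views, HMAC integrity tags, hash-chained audit log.
Added illustration with constructed data; not a compliance product."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Minimum-necessary policy: each role sees only the fields it needs.
# Roles and field names are hypothetical choices for this example.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis"},
    "billing": {"name", "billing_code", "insurance_id"},
    "frontdesk": {"name", "dob"},
}


def _canonical(obj) -> bytes:
    """Deterministic serialisation so identical data always yields the same tag."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class EphiStore:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key   # example only; in practice held in a KMS/HSM, never in the DB
        self._records = {}          # patient_id -> {"data": {...}, "tag": hex HMAC}
        self.audit_log = []         # entries chained by hash of the previous entry

    def _tag(self, patient_id: str, data: dict) -> str:
        # Bind the tag to the patient id so a valid record cannot be swapped between patients.
        msg = patient_id.encode() + b"\x00" + _canonical(data)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def put(self, patient_id: str, data: dict) -> None:
        self._records[patient_id] = {"data": dict(data), "tag": self._tag(patient_id, data)}

    def verify(self, patient_id: str) -> bool:
        """Integrity mechanism: has the stored record changed since it was written?"""
        rec = self._records[patient_id]
        return hmac.compare_digest(rec["tag"], self._tag(patient_id, rec["data"]))

    def _audit(self, user: str, role: str, patient_id: str, outcome: str, detail: str) -> None:
        prev = hashlib.sha256(_canonical(self.audit_log[-1])).hexdigest() if self.audit_log else "0" * 64
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "user": user, "role": role,
            "patient": patient_id, "outcome": outcome, "detail": detail, "prev": prev,
        })

    def audit_log_intact(self) -> bool:
        """Recompute the chain; deleting or editing an entry breaks every later 'prev' link."""
        prev = "0" * 64
        for entry in self.audit_log:
            if entry["prev"] != prev:
                return False
            prev = hashlib.sha256(_canonical(entry)).hexdigest()
        return True

    def read(self, user: str, role: str, patient_id: str) -> dict:
        """Return only the fields the role is permitted to see; log every attempt, allowed or not."""
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._audit(user, role, patient_id, "DENIED", "unknown role")
            raise PermissionError(f"role {role!r} has no access policy")
        if patient_id not in self._records:
            self._audit(user, role, patient_id, "DENIED", "no such record")
            raise KeyError(patient_id)
        if not self.verify(patient_id):
            # Refuse to serve data whose integrity cannot be corroborated.
            self._audit(user, role, patient_id, "REFUSED", "integrity check failed")
            raise ValueError(f"integrity check failed for {patient_id}")
        view = {k: v for k, v in self._records[patient_id]["data"].items() if k in allowed}
        self._audit(user, role, patient_id, "ALLOWED", "fields=" + ",".join(sorted(view)))
        return view

    def simulate_direct_db_edit(self, patient_id: str, field: str, value) -> None:
        """Models a change that bypasses put(): a direct database UPDATE or a media error."""
        self._records[patient_id]["data"][field] = value


def demo() -> dict:
    """Exercise the three controls on constructed data and return what was observed."""
    store = EphiStore(integrity_key=b"example-key-replace-with-a-managed-secret")
    store.put("P-1001", {  # constructed record, not real patient data
        "name": "Test Patient", "dob": "1970-01-01", "diagnosis": "Z00.00 general examination",
        "billing_code": "99213", "insurance_id": "INS-0001",
    })
    out = {"clinician_view": store.read("dr.lee", "clinician", "P-1001"),
           "billing_view": store.read("a.singh", "billing", "P-1001")}
    try:
        store.read("j.doe", "intern", "P-1001")
        out["unknown_role_denied"] = False
    except PermissionError:
        out["unknown_role_denied"] = True
    out["intact_before_edit"] = store.verify("P-1001")
    store.simulate_direct_db_edit("P-1001", "diagnosis", "ALTERED")
    out["intact_after_edit"] = store.verify("P-1001")
    try:
        store.read("dr.lee", "clinician", "P-1001")
        out["tampered_read_refused"] = False
    except ValueError:
        out["tampered_read_refused"] = True
    out["audit_entries"] = len(store.audit_log)
    out["audit_chain_ok"] = store.audit_log_intact()
    store.audit_log.pop(2)  # someone tries to erase the denied attempt
    out["audit_chain_ok_after_delete"] = store.audit_log_intact()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points are worth noting. The integrity tag covers the patient id as well as the record, so a correctly tagged record cannot be quietly moved to another patient; and the store refuses to return a record whose tag no longer verifies, rather than serving possibly corrupted data and merely logging a warning. The hash-chained log shows why audit controls and integrity go together: a log an insider can edit after the fact is not evidence of anything.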
As long as the Security Rule is in place, no checklist can make your practice secure. Instead, true security starts by establishing an organizational culture. Paying close attention to the essence of HIPAA’s Security Rule can go a long way in creating a culture of security and setting up an organization for true compliance.