HIPAA Security Rule
Overview
The HIPAA Security Rule (45 CFR Part 160 and Part 164, Subpart C) establishes national standards for securing electronic protected health information (ePHI). The Security Rule operationalizes the protections of the Privacy Rule by addressing the technical and non-technical safeguards organizations must implement to protect ePHI.
Who Must Comply
Covered Entities
- Health plans
- Healthcare clearinghouses
- Healthcare providers who transmit health information electronically
Business Associates
- Persons or entities that create, receive, maintain, or transmit ePHI on behalf of a covered entity
- Must implement required and addressable Security Rule specifications
Electronic Protected Health Information (ePHI)
ePHI is individually identifiable health information that is:
- Transmitted electronically
- Maintained in electronic media
This covers data both at rest and in transit.
Security Rule Framework
General Requirements
- Confidentiality: Ensure that ePHI is not available or disclosed to unauthorized persons
- Integrity: Protect ePHI from improper alteration or destruction
- Availability: Ensure that ePHI is accessible and usable on demand by authorized persons
- Flexibility: Allows covered entities to implement security measures appropriate to their size and complexity
Implementation Specifications
- Required: Must be implemented
- Addressable: Must be implemented if reasonable and appropriate; otherwise, document why it is not, and implement an equivalent alternative measure
Administrative Safeguards
1. Security Management Process (Required)
- Risk Analysis (Required): Conduct accurate and thorough assessment of potential risks to ePHI
- Risk Management (Required): Implement security measures to reduce risks to reasonable and appropriate levels
- Sanction Policy (Required): Apply sanctions against workforce members who violate security policies
- Information System Activity Review (Required): Regularly review records of information system activity
2. Assigned Security Responsibility (Required)
- Designate a Security Official responsible for developing and implementing security policies and procedures
3. Workforce Security (Required)
- Authorization/Supervision (Addressable): Implement procedures for authorization and supervision of workforce members who work with ePHI
- Workforce Clearance Procedure (Addressable): Determine that workforce member access to ePHI is appropriate
- Termination Procedures (Addressable): Implement procedures for terminating access to ePHI when employment ends
4. Information Access Management (Required)
- Isolating Healthcare Clearinghouse Function (Required): Where a clearinghouse function is part of a larger organization, implement policies and procedures that protect the clearinghouse's ePHI from unauthorized access
- Access Authorization (Addressable): Implement policies and procedures for granting access to ePHI
- Access Establishment and Modification (Addressable): Implement policies for establishing, documenting, reviewing, and modifying user access rights
5. Security Awareness and Training (Required)
- Security Reminders (Addressable): Periodic security reminders and updates to the workforce
- Protection from Malicious Software (Addressable): Procedures for guarding against, detecting, and reporting malicious software
- Log-in Monitoring (Addressable): Procedures for monitoring log-in attempts and reporting discrepancies
- Password Management (Addressable): Procedures for creating, changing, and safeguarding passwords
6. Security Incident Procedures (Required)
- Response and Reporting (Required): Identify and respond to suspected or known security incidents; mitigate harmful effects; document incidents and outcomes
7. Contingency Plan (Required)
- Data Backup Plan (Required): Establish procedures to create and maintain exact copies of ePHI
- Disaster Recovery Plan (Required): Establish procedures to restore lost data
- Emergency Mode Operation Plan (Required): Establish procedures to enable continuation of critical business processes while operating in emergency mode
- Testing and Revision Procedure (Addressable): Implement procedures for periodic testing and revision of contingency plans
- Applications and Data Criticality Analysis (Addressable): Assess relative criticality of specific applications and data in support of other contingency plan components
8. Evaluation (Required)
- Perform periodic technical and non-technical evaluation of the effectiveness of security safeguards
9. Business Associate Contracts and Other Arrangements (Required)
- Obtain satisfactory assurances that business associates will appropriately safeguard ePHI
Physical Safeguards
1. Facility Access Controls (Required)
- Contingency Operations (Addressable): Establish procedures to allow facility access in support of data restoration under disaster recovery and emergency mode operations
- Facility Security Plan (Addressable): Implement policies to safeguard facility and equipment from unauthorized physical access, tampering, and theft
- Access Control and Validation Procedures (Addressable): Implement procedures to control and validate access to facilities based on role or function
- Maintenance Records (Addressable): Implement policies to document repairs and modifications to physical components of facility related to security
2. Workstation Use (Required)
- Implement policies specifying the proper functions to be performed, the manner in which they are performed, and the physical attributes of the surroundings of workstations that access ePHI
3. Workstation Security (Required)
- Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users
4. Device and Media Controls (Required)
- Disposal (Required): Implement policies for final disposition of ePHI and hardware/electronic media containing ePHI
- Media Re-use (Required): Implement procedures for removal of ePHI before re-use of electronic media
- Accountability (Addressable): Maintain a record of the movements of hardware and electronic media and of the person responsible for them
- Data Backup and Storage (Addressable): Create a retrievable, exact copy of ePHI before moving equipment
Technical Safeguards
1. Access Control (Required)
- Unique User Identification (Required): Assign unique identifier for tracking user identity
- Emergency Access Procedure (Required): Establish procedures for obtaining ePHI during emergency
- Automatic Logoff (Addressable): Implement electronic procedure that terminates session after predetermined time of inactivity
- Encryption and Decryption (Addressable): Implement mechanism to encrypt and decrypt ePHI
2. Audit Controls (Required)
- Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems containing or using ePHI
3. Integrity (Required)
- Mechanism to Authenticate ePHI (Addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
4. Person or Entity Authentication (Required)
- Implement procedures to verify that person or entity seeking access to ePHI is the one claimed
5. Transmission Security (Required)
- Integrity Controls (Addressable): Implement security measures to ensure electronically transmitted ePHI is not improperly modified without detection
- Encryption (Addressable): Implement mechanism to encrypt ePHI whenever deemed appropriate
Massachusetts-Specific Considerations
201 CMR 17.00 Requirements
Massachusetts entities handling ePHI must also comply with 201 CMR 17.00, which requires:
- Encryption of ePHI: Mandatory encryption of data in transit over public networks and on portable devices
- Written Information Security Program (WISP): More prescriptive than HIPAA
- Vendor contracts: Specific contractual requirements for service providers
When HIPAA Security Rule and 201 CMR 17.00 conflict, the more stringent requirement applies.
Penalties and Enforcement
Civil Penalties (HHS Office for Civil Rights)
- Tier 1: $100–$50,000 per violation (unknowing)
- Tier 2: $1,000–$50,000 per violation (reasonable cause)
- Tier 3: $10,000–$50,000 per violation (willful neglect, corrected)
- Tier 4: $50,000 per violation (willful neglect, not corrected)
- Annual maximum: $1.5 million per identical violation type
Criminal Penalties (Department of Justice)
- Up to $50,000 and 1 year in prison (unknowing)
- Up to $100,000 and 5 years in prison (false pretenses)
- Up to $250,000 and 10 years in prison (intent to sell/transfer/use)
Compliance Steps
1. Conduct a Security Risk Analysis
- Identify all ePHI and systems containing ePHI
- Assess threats and vulnerabilities
- Determine likelihood and impact of threats
- Document current security measures
- Identify gaps and develop a remediation plan
2. Implement Administrative Safeguards
- Designate a Security Official
- Develop security policies and procedures
- Implement workforce security procedures
- Establish a security awareness training program
- Create security incident response procedures
- Develop contingency plans (backup, disaster recovery, emergency mode)
3. Implement Physical Safeguards
- Control facility access
- Establish workstation use and security policies
- Implement device and media controls
- Establish disposal procedures
4. Implement Technical Safeguards
- Implement unique user identification
- Deploy access controls
- Enable audit controls and logging
- Implement authentication mechanisms
- Encrypt ePHI in transit and at rest (where appropriate)
5. Execute Business Associate Agreements
- Identify all business associates
- Execute BAAs requiring Security Rule compliance
- Monitor business associate compliance
6. Document Everything
- Risk analysis and risk management decisions
- Security policies and procedures
- Training records
- Incident reports
- System activity logs
- Business associate agreements
7. Maintain Ongoing Compliance
- Conduct an annual security risk analysis
- Provide regular security training
- Periodically evaluate safeguards
- Update policies and procedures as needed
- Monitor and audit systems
- Review and test contingency plans
Official Resources