Which of the following is an example of administrative safeguards under the security Rule?

Whereas the HIPAA Privacy Rule deals with Protected Health Information (PHI) in general, the HIPAA Security Rule (SR) deals with electronic Protected Health Information (ePHI), which is essentially a subset of what the HIPAA Privacy Rule encompasses. In terms of actual regulatory text the HIPAA Security Rule only spans approximately 8 pages, which is the good news. The bad news is the HIPAA Security Rule is highly technical in nature. For all intents and purposes this rule is the codification of certain information technology standards and best practices.

Broadly speaking, the HIPAA Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical. In addition, it imposes other organizational requirements and a need to document processes analogous to the HIPAA Privacy Rule. That said, creating the necessary HIPAA Security Rule documentation will likely prove significantly more "vexing" than its Privacy Rule counterpart, especially for small providers. Health information technology (HIT) resources should be available for these types of projects.

In short, small providers will almost certainly need to hire HIT consultants if they want to "reasonably and appropriately" comply with the HIPAA Security Rule. Given this reality, we simply present the general rule and the standards captured in the enumerated safeguards, with brief commentary that hopefully explains in lay terms what a particular standard means. A given standard usually has implementation specifications associated with it. We have opted not to discuss the HIPAA Security Rule specifications (only the standards) since it is our belief that any attempt at paraphrasing the specifications would only add to the confusion.

Our guiding principle with respect to this rule is "implement the necessary safeguards." We readily admit that this is much easier said than done, since the real challenge lies in defining "necessary." As discussed below in the general rule, the HIPAA Security Rule attempts to provide some "flexibility" in this regard (an apparent acknowledgement of the challenges faced by small providers), but as a practical matter does not otherwise significantly reduce the burden of implementation, in our opinion.

The provider compliance date for the security standards was April 20, 2005 (§164.318). The HIPAA Security Rule is contained in sections §164.302 through §164.318.

§ 164.302 Applicability

A Covered Entity must comply with the standards and implementation specifications contained herein.

§ 164.304 Definitions

Introductory Comment: The definitions below are a paraphrased subset of all the definitions contained in the HIPAA Security Rule. The omitted definitions, by and large, are technical terms that are useful for interpreting the implementation specifications. Since we have omitted any discussion of the specifications there is no need to define the technical terms related to them.

Access

Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Administrative safeguards

Administrative safeguards are administrative actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the Covered Entity's workforce in relation to the protection of that information.

Confidentiality

Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.

Physical safeguards

Physical safeguards are physical measures, policies, and procedures to protect a Covered Entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

Technical safeguards

Technical safeguards mean technology and the policy and procedures for its use that protect electronic health information and control access to it.

© 2009-2022 3Lions Publishing, Inc.

The past year has catalyzed a new era of health care, one where telehealth visits increased over 150% as we relied on online communication to keep ourselves informed and healthy. With these adoptions also comes new challenges and considerations, and in this case, more online health care data. This influx calls for us to re-examine the HIPAA Security Rule to ensure health care entities are protecting patient information.

An Introduction to the HIPAA Security Rule

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to improve the efficiency and effectiveness of the U.S. health care system as well as patient privacy. In the following years, several additional rules were added to protect patients’ protected health information (PHI). Two notable rules were added to HIPAA: the Privacy Rule, to help cover the physical security of PHI, and the Security Rule, to safeguard electronic protected health information (ePHI).

In short, the HIPAA Privacy Rule explains what data needs to be protected and who should abide, whereas the Security Rule was conceived as a national standard to protect patients and explains how to protect ePHI.

The law requires health providers, plans and other entities to uphold patient confidentiality, privacy and security, and calls for three types of safeguards: administrative, physical, and technical.

Administrative Safeguards

Covered entities are required to implement administrative safeguards, which are policies and procedures that describe how the organization intends to protect ePHI and ensure compliance with the Security Rule. Examples include preparing a data backup plan and password management processes, among other things. These standards are laid out in §164.308 of the Security Rule.

These processes include, but are not limited to, implementing the following major standards:

  • Security Management: This includes conducting a HIPAA risk assessment. This risk assessment can most easily be done with a compliance solution provider. A full company scan can reveal gaps, and do so more efficiently and thoroughly than a manual assessment. This precaution is mandatory.
  • Security Personnel: Appoint a privacy officer who is responsible for enforcing policies and procedures.
  • Information Access Management: Restrict unnecessary access to ePHI. This intersects with physical and technical safeguards. Information access management limits who can monitor and view certain files and their copies, regardless of whether they reside on servers, in the cloud, etc.
  • Workplace Training and Security Awareness: Require employees to complete an annual HIPAA training and educate themselves on their organization’s specific security procedures. You may ask why this is so important. While most assume hackers are not present within our organizations, mistakes and human error such as falling for a phishing attack are increasingly common. Arming employees with the knowledge to handle data securely, identify unusual emails, and eliminate insecure habits is crucial to maintaining a strong defence.
  • Contingency Plan: Ensure that processes are in place for unknown future circumstances related to ePHI. This is valuable in the case of an emergency or malicious attack. This rule (§ 164.308(a)(7)(ii)(A)) requires covered entities to “establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”

Physical Safeguards

These safeguards refer to both the physical structure of an organization and its electronic equipment.

Policies and procedures include monitoring and remediating the following:

  • Access Control: Limit access to facilities that contain computers and servers. This may include implementing procedures that physically protect equipment and facilities from unauthorized personnel. It also means that organizations should have a policy in place to log and keep track of maintenance records and reports that may impact the physical security of a premises.
  • Workstation Use and Security: Safeguard workstations, including any computer and the information within it, with controls such as a screen saver lock and privacy screen protectors to prevent “eavesdropping”.
  • Device and Media Controls: Implement policies for how devices containing ePHI can be removed from a facility if necessary. This rule also requires procedures to be enacted to handle the disposal of hardware that holds ePHI.

Technical Safeguards

This component includes the policies and procedures that determine how technology protects ePHI as well as who controls access to that data. Typically, due to the level of technical literacy needed to understand this regulation, it is the most difficult for entities to understand.

Technical safeguards include the following:

  • Access Controls: Implement technical policies and procedures that allow only authorized persons to access ePHI. This standard also requires individuals to use a unique user identification to view ePHI, have modes in place to allow emergency access, and have technical controls to force automatic log-off after a given amount of inactivity.
  • Audit Controls: Introduce hardware, software, or procedural mechanisms to record and inspect access in information systems that contain or use ePHI.
  • Integrity Controls: Enforce policies and procedures to ensure that ePHI has not been, and will not be, improperly altered or destroyed.
  • Transmission Security: Take technical security measures that guard against unauthorized access to ePHI that is transmitted over an electronic network; this includes a call for encryption.

Safeguard Your ePHI

At this time, the U.S. Department of Health and Human Services has hundreds of cases logged of entities who did not protect health information and experienced a data breach, highlighting the severity one mishap can have by impacting hundreds to tens of thousands of patients. Health care information is highly sensitive and needs the utmost protection. The three components of the HIPAA Security Rule may seem difficult to implement and enforce, but with the right partners and procedures, it is feasible.

Compliance is never a one-and-done event. You and your organisation must take a stance to address compliance on an ongoing basis, as the risks of not doing so are far too great. Beyond the heavy fines and penalties, data breaches can also dissolve patient, customer, and client trust — an even costlier consequence.

Article originally published on Help Net Security.

Which of the following is an administrative safeguard outlined in the security Rule?

45 CFR § 164.308 is the administrative safeguard provision of the HIPAA Security Rule.

What are the 3 safeguards under the security Rule?

The HIPAA Security Rule requires three kinds of safeguards: administrative, physical, and technical. Please visit the OCR for a full overview of security standards and required protections for e-PHI under the HIPAA Security Rule.

Which of the following is an administrative safeguard outlined in the security Rule quizlet?

Administrative safeguard: The implementation of policies and procedures to prevent, detect, contain, and correct security violations.

What are security safeguards examples?

These include virus scanners, firewalls, monitoring operating system logs, software logs, version control and document disposition certification. Encrypted storage and transmission is necessary for particularly sensitive personal health information.