Security Rule Basics

Who must adhere to the Security Rule?

The Security Rule applies to health plans, health care clearinghouses, and to any health care provider (covered entities) who transmits health information in electronic form in connection with a transaction for which HHS has adopted standards under HIPAA.

Business associates must also comply with the Security Rule.

What are the basic obligations under the Security Rule?

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

Specifically, covered entities must:

    • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
    • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
    • Protect against reasonably anticipated, impermissible uses or disclosures; and
    • Ensure compliance by their workforce.

Risk Analysis and Management

The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule. 

A risk analysis process includes, but is not limited to, the following activities:

    • Evaluate the likelihood and impact of potential risks to e-PHI;
    • Implement appropriate security measures to address the risks identified in the risk analysis;
    • Document the chosen security measures and, where required, the rationale for adopting those measures; and
    • Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

Administrative Safeguards

    • Security Management Process. A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level. 
    • Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
    • Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
    • Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
    • Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Physical Safeguards

    • Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
    • Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).

Technical Safeguards

    • Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
    • Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
    • Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
    • Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Organizational Requirements

    • Covered Entity Responsibilities. If a covered entity knows of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation, the covered entity must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI. 
    • Business Associate Contracts. HHS developed regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009.

Policies and Procedures and Documentation Requirements

    • Policies and Procedures. A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule.
    • Documentation Requirements. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
    • Updates. A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).

Required and Addressable Implementation Specifications

The Security Rule is broken down into five different sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements. Each one of these sections has multiple “standards” that must be followed by the covered entity. Many of these “standards” have more detailed implementation specifications which can either be “Required” or “Addressable”.

A “required” implementation specification must be implemented by the covered entity.

An “addressable” implementation specification is more flexible, but it is not optional. A covered entity must perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the covered entity’s environment. In general, after performing the assessment, a covered entity decides if it will:

    • Implement the addressable implementation specification;
    • Implement an equivalent alternative measure that allows the entity to comply with the standard; or
    • Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.

Covered entities must document the assessment and decision made regarding each specification.

If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must consider options for implementing it. The decision regarding which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including:

    • The entity’s risk analysis: What current circumstances leave the entity open to unauthorized access and disclosure of e-PHI?
    • The entity’s security analysis: What security measures are already in place or could reasonably be put into place?
    • The entity’s financial analysis: How much will implementation cost?

References

45 CFR §164.306

U.S. Department of Health and Human Services, HIPAA Security Series, Security 101 for Covered Entities

NIST SP 800-66

Summary of the HIPAA Security Rule
