The security rule was one of four provisions of the HIPAA law passed in 1996. The final compliance date for all covered entities was April 20, 2006. Unlike the privacy rule provision of HIPAA, the security rule applies only to protected health information in electronic form (ePHI). The security rule is independent of the EHR incentive programs, and currently applies to all healthcare providers, health plans, and business associates that store, transmit or use ePHI.
The security rule is designed to impel covered entities to properly manage ePHI according to the CIA triad:
- Confidentiality–preventing unauthorized access
- Integrity–preventing unauthorized destruction or alteration
- Availability–assuring access for authorized users
Security Rule Requirements
The security rule requires covered entities to adhere to a set of standards that are divided into three categories of safeguards (administrative, physical, and technical). Administrative safeguards are defined as:
administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information. (1)
Sanction policies/procedures, security training, and disaster recovery plans are examples of administrative safeguards.
Physical safeguards are defined as:
physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. (1)
They cover all the ways that systems containing ePHI can be protected from tampering or loss and include measures such as door locks, maintenance records, workstation security policies, and sprinkler systems.
Technical safeguards are defined as:
the technology and the policy and procedures for its use that protect electronic protected health information and control access to it. (1)
Examples of technical safeguards include encryption, audit trails, unique user ID, and policies/procedures for data verification such as digital signatures.
Recognizing that organizations covered by the security rule differ by size and available resources, covered entities are allowed to determine which standards apply to their situation. Accordingly, implementation specifications are divided into two groups: required (standards all covered entities must implement) and addressable (covered entities determine if the standard applies to them). If an organization determines that an addressable specification is not appropriate, it must document how that determination was made and include that information as part of its security documentation.
Security Rule Compliance
The implementation specifications for safeguards are detailed. Attaining compliance requires reviewing each standard to determine if the associated implementation specification applies. Decisions and actions regarding both required and addressable specifications must be thoroughly documented. CMS provides suggestions for small practices that are wrestling with security rule compliance.
The security rule became effective for covered entities, regardless of size, in April 2006. The security rule is not tied to EHR incentives. If you use, store or access ePHI, it applies to you.
The final post in this series will look at the HIPAA requirements for EHR incentive attestation.