The Health Insurance Portability and Accountability Act’s Security Rule includes requirements for the protection of electronic health data in the form of administrative, technical, and physical safeguards.
HIPAA requires covered entities (CEs) and their business associates to ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit. CEs must maintain an ‘auditable’ trail of PHI activity, with access to any PHI carefully recorded and controlled. Therefore, in the event of a data breach, there exists a clear record of who accessed PHI and for what purpose, resulting in increased transparency and accountability in the healthcare industry.
Furthermore, the Security Rule requires CEs to protect against “reasonably anticipated threats” to the security of PHI. Healthcare data can be sold for significant sums on the black market due to its potential use in identity theft and fraud. Therefore, hackers and other cybercriminals have increasingly targeted healthcare organisations in an attempt to gain access to patient data. HIPAA requires healthcare organisations to take responsibility for the data they hold and to mitigate the risk that an unauthorised individual could harvest the data for nefarious uses.
HIPAA’s Security Rule classifies safeguards into one of two categories: “addressable” and “required”. Required safeguards must be implemented by CEs to ensure they are fully compliant with the regulations. CEs should implement addressable safeguards unless it is unreasonable to do so, in which case an organisation may implement an appropriate alternative, or not implement the safeguard at all. An organisation which does not implement an addressable safeguard should document its reason for doing so, in case a regulatory authority ever audits the organisation.
The safeguards outlined by the Security Rule are summarised as follows:
Implement a means of access control
Introduce activity logs and audit controls
Introduce a mechanism to authenticate ePHI
Implement tools for encryption and decryption
Facilitate automatic log-off of PCs and devices
Establish policies for the use and positioning of workstations
Establish policies and procedures for mobile devices
Implement facility access controls
Maintain an inventory of hardware
Conduct risk assessments
Introduce a risk management policy
Develop a contingency plan
Restrict third-party access
Train employees to work securely
Test the contingency plan
Report security incidents
The Security Rule was introduced in 2003 to update the legislation in response to the rapid technological changes that had occurred in the nine years since HIPAA’s introduction. Its language is deliberately vague such that it is robust to future advances in security system technology.
For example, while encryption is one of the best security methods available to healthcare organisations at the moment, HIPAA does not include it as a ‘required’ technical safeguard. Therefore, when more advanced technology is developed, the legislation is flexible enough to require businesses to adopt the improved technology without the actual text of HIPAA needing to be updated.
It is important to note that while HIPAA’s Security Rule was designed to address the issues facing electronic PHI, it still applies to physical forms of PHI such as paper files or CDs. CEs must ensure that the appropriate protections are in place to protect these data from being misused, even if it is something as simple as keeping the files in a locked cabinet in a secure room.