Guide to the HIPAA Security Rule

5 min read Michael Carroll on Jan 16, 2020

Technology has changed the way people do business, receive health care treatment, and store data. While it certainly helps to improve the quality of life for patients, technology also makes it easier for unauthorized persons to access protected health information (PHI). PHI consists of

that can be used to identify, contact, or locate an individual patient. If PHI is breached, this
can put patients, their families, and their personal lives at risk. To protect them, the U.S. government passed the HIPAA Security Rule to guide how organizations can best secure information.

What is the HIPAA Security Rule?

The HIPAA Security Rule requires companies and individuals that handle PHI to protect data with a series of physical, technical, and administrative safeguards. There is often some confusion between what counts as a recommendation versus a mandatory requirement. Here are four general rules to keep in mind:

  1. Covered entities are responsible for ensuring that the workforce remains compliant.
  2. Covered entities must offer protection against the impermissible disclosures and uses of PHI that can be reasonably anticipated.
  3. Covered entities must see to the integrity, confidentiality, and availability of all the electronic PHI data that they handle and transmit.
  4. Covered entities must have mechanisms in place to offer protection against reasonably anticipated threats to the integrity or security of PHI.

Generally speaking, any organization that handles PHI becomes a covered entity. These tend to include health plan providers, health care providers, and health care clearinghouses. As of 2009, business associates and partners that handle specific processes on behalf of covered entities are also affected by this rule.

For instance, a health insurance company may hire out their contact center services to another company. This customer service company does not provide health care, does not offer plans, and is not a health care clearinghouse. Even so, to assist customers, that company receives access to their personal data. Because of this, they must ensure that PHI does not get into the wrong hands.

Three Standards of the HIPAA Security Rule

There are three different types of compliance that organizations need to keep in mind when designing data protection mechanisms and policies. These are administrative, physical, and

. Each type has various components that come together to ensure security.

Administrative Safeguards

Cybercrime has compelled many organizations to look externally for threats. However, the real vulnerabilities often occur internally due to human error or negligence. No physical or technical safeguards will remain effective without first addressing the human elements of compliance.

  • Evaluation: Before an organization can address any perceived weaknesses, it must first conduct a thorough risk analysis. Professionals should examine not just the existing policies but how well they are implemented and followed. Ongoing evaluations further help to ensure that organizations, their associates, and their employees do not become complacent about compliance.
  • Information Access Management: The general rule for handling personal data is that the only people who should are those who need to know. Systems that limit access based on sign-in credentials can be effective at managing this step.
  • Security Management: Security guards can help ensure unauthorized persons do not gain access to specific areas of a building. Security companies may issue physical ID cards or manually operate certain doors. Information security personnel then safeguard the electronic data by identifying potential risks and developing policies to counter them.
  • Workforce Training: The only way to improve compliance among workers is through effective training. For effective training, organizations may need to invest in engaging solutions, such as hands-on workshops, lectures, and one-on-one counseling.

Physical Safeguards

Physical safeguards address the vulnerabilities that arise in workspaces. These may become apparent whether the company stores physical files or has gone 100% digital.

  • Device Security: Using passwords and encryption to secure on-site workstations, laptops, smartphones, tablets, and other devices play an indispensable role in protecting PHI. The more mobile a device is, the more important this becomes. Mobile devices are more likely to get lost. They are also more likely to use wireless connections, which are far easier to hack than direct plug-ins.
  • Access Control: Identification cards, pins, passwords, keys, and biometrics are just some of the ways organizations physically keep unauthorized persons away from data. Unauthorized persons may include not only outsiders but also staff members who have no legitimate reason or no adequate clearance to access certain information.

Technical Safeguards

Technical safeguards focus more intensely on securing the technology that powers devices. It also addresses how people gain remote access to data.

  • Access Control: Covered entities must have procedures in place to ensure only authorized persons can gain access to data. Employees should log out of software and lock workstations when not in use. To improve compliance in this area, the HHS recommends auto log-off.
  • Authentication: One way to maintain access control is through the use of authentication services. These come in the form of passwords matched to specific usernames or user IDs. Authentication is also important when patients seek access to their information to ensure unauthorized people do not gain access. Asking for ID or verifying personal data can help to prevent this.
  • Audit Controls: Authentication allows companies to track the activities of specific sessions under certain usernames better. This control makes it easier to identify who accesses particular files or even the session activities of a particular user. Ideally, someone monitors the information recorded, and the system can generate easy-to-understand reports in order to audit the success or failure of a company’s safeguards.
  • Integrity Controls: Integrity speaks to the accuracy of data. An unfortunate risk of storing data and electronic updates is that it can get corrupted or a malicious party may make deliberate unauthorized changes. Storing unalterable information off-site for at least six years is an excellent way for organizations to ensure they have an accurate backup of all original information.
  • Transmission Security: Data is most at risk when on the move between parties. Encryption and message codes are two of the most effective ways to eliminate the risk of interception during transmission. One small caveat to keep in mind is that both the sending and receiving parties need access to the same encryption and decryption software for this to work. If you send patient data digitally,
is key to protecting your patients' personal information.

How to Ensure HIPAA Compliance

At PubNub, we understand that websites and applications pose a vulnerability risk when not correctly built and maintained. This is why we focus on partnering with covered entities to develop APIs that are HIPAA compliant.

We achieve this while still meeting the needs of those organizations and their clients. Contact us today for more information about how you can bring the digital age into your organization without putting data at risk.