I don’t really understand the SECURITY RULE, tell me more

The Security Rule (2005)

The Security Rule regulates cybersecurity and establishes guidelines for protecting electronic PHI (ePHI). The Security Rule uses the National Institute of Standards and Technology Risk Management Framework (NIST-RMF) 800-53 to set guidelines for safeguarding ePHI. The Security Rule establishes administrative, physical, and technical safeguards that entities who come into contact with PHI must implement.3

1. Administrative Safeguards

Administrative safeguards require entities to document the activities they perform for HIPAA compliance. Some of the required activities include:

  • Designating a Security Officer (Your Privacy and Security Officer can be the same person)
  • Training all staff members who come in contact with PHI
  • Completing a thorough Risk Assessment
  • Documenting Security Policies and Procedures
  • Designating a Security Officer
  • Documenting a Disaster Recovery Plan

The Administrative Safeguards are the plans that set the standards for the Physical and Security Guidelines. It’s important to take time to plan for HIPAA compliance first and then implement policies you create. This saves both time and money.

2. Physical Safeguards

Physical safeguards regulate the way entities handle physical systems and equipment that contain PHI. Devices like servers and computers must be kept in a secure location. Any office or building where these devices that contain PHI are stored should have physical security, backup power, and fire suppression systems. Tracking employees’ and vendor access to the building is also a good idea. It’s important to keep detailed access logs of personnel that enter secure onsite spaces to control, monitor, and limit who sees PHI.

If you use a Managed Service Provider or IT contractor, you must have a signed Business Associate or Business Associate Subcontractor Agreement with them.

3. Technical Safeguards

Technical safeguards outline IT-related security practices to protect ePHI. HIPAA requires entities to encrypt data in three phases: at rest, in transit, and in storage. PHI transmitted via email should be sent using email encryption to safeguard the information as it passes from sender to recipient. Only the intended recipient can open an encrypted email, so sensitive information remains safe even when you send it to the wrong person. Examples of technical safeguards include:

  • Assigning unique logins for users
  • Setting automatic timeouts in systems containing PHI
  • Using 2-factor authentication for all systems that hold ePHI
  • Installing anti-malware software on devices
  • Encrypting hard drives
  • Password protecting all devices
  • Locking desktop computers to workstations4