The Security Rule (2005)

The Security Rule regulates cybersecurity and establishes guidelines for protecting electronic PHI (ePHI). The Security Rule uses the National Institute of Standards and Technology Risk Management Framework (NIST-RMF) 800-53 to set guidelines for safeguarding ePHI. The Security Rule establishes administrative, physical, and technical safeguards that entities who come into contact with PHI must implement.3

1. Administrative Safeguards

Administrative safeguards require entities to document the activities they perform for HIPAA compliance. Some of the required activities include:
  • Designating a Security Officer (Your Privacy and Security Officer can be the same person)
  • Training all staff members who come in contact with PHI
  • Completing a thorough Risk Assessment
  • Documenting Security Policies and Procedures
  • Designating a Security Officer
  • Documenting a Disaster Recovery Plan
The Administrative Safeguards are the plans that set the standards for the Physical and Security Guidelines. It’s important to take time to plan for HIPAA compliance first and then implement policies you create. This saves both time and money.

2. Physical Safeguards

Physical safeguards regulate the way entities handle physical systems and equipment that contain PHI. Devices like servers and computers must be kept in a secure location. Any office or building where these devices that contain PHI are stored should have physical security, backup power, and fire suppression systems. Tracking employees’ and vendor access to the building is also a good idea. It’s important to keep detailed access logs of personnel that enter secure onsite spaces to control, monitor, and limit who sees PHI. If you use a Managed Service Provider or IT contractor, you must have a signed Business Associate or Business Associate Subcontractor Agreement with them.

3. Technical Safeguards

Technical safeguards outline IT-related security practices to protect ePHI. HIPAA requires entities to encrypt data in three phases: at rest, in transit, and in storage. PHI transmitted via email should be sent using email encryption to safeguard the information as it passes from sender to recipient. Only the intended recipient can open an encrypted email, so sensitive information remains safe even when you send it to the wrong person. Examples of technical safeguards include:
  • Assigning unique logins for users
  • Setting automatic timeouts in systems containing PHI
  • Using 2-factor authentication for all systems that hold ePHI
  • Installing anti-malware software on devices
  • Encrypting hard drives
  • Password protecting all devices
  • Locking desktop computers to workstations4

Covered Entities

  • Est. 700,000
  • Health care providers who bill electronically
  • Health plans that pay providers
    • Medicare, Medicaid
    • Private Health Plans
    • Self-Insured Businesses

Business Associates 

  • Est. 2-3 million
  • Companies that support Covered Entities
  • Come in contact with ePHI or the systems that have it
Federal HIPAA Enforcements (Penalties)
  • 2014 +215 = $14 million
  • 2016 + 2017 = $42 million
  • 2018 + 2019 = $41 million

HIPAA Guidance & Enforcement

  • Business Associate Liability Fact Sheet (link) - BA's MUST
    • Comply with the Security Rule - All 40+ requirements
    • Protect PHI, not disclose it, report breaches to Covered Entities
    • Manage Subcontractors to ensure their HIPAA compliance
  • Tennessee Imaging Practice $ 3 million Penalty (link)
    • Failed to conduct an accurate and thorough assessment of their risks
    • Failed to sign a business Associate Agreement with its IT support vendor and 3rd party data center
  • March 2020 - 1 doctor medical practice - $ 100,000 (link)
    • Failed to conduct an accurate and thorough assessment of their risk

Office of Civil Rights (OCR) has under went budget cuts for 2020. Say's it will make up budget cuts with enforcement. (link)

This is a statement heard by many, and it is a MYTH. FACT: ePHI is everywhere. It is in every document, e-mail, scanned image, photograph, electronic fax, even voice messages that can identify a patient and includes information about their treatment, diagnosis or payment. What is PHI?  Protected Health information (PHI)
  • Identifiable (18 different identifiers)
  • Plus treatment and/or diagnostic information
Electronic Protected Health information (ePHI)
  • PHI in electronic form 
  • Words, images, voice files
  • On any media
  • HIPAA - Heath Insurance Portability & Accountability Act - 1996
  • HITECH Act - 2009
  • Privacy Rule - spoken, written, and electronic patient info
  • Security Rule - framework for protecting electronic patient data
  • Breach Notification Rule - patient notification & govt. reporting
  • HIPAA Omnibus Final Rule - changed all 3 rules in 2013
Compliance is anything that someone makes you do.
  • Cybersecurity is not compliance
  • Cybersecurity is Protecting Data
  • Compliance is doing it in accordance with rules, and creating the written evidence necessary o survice an audit, investigation, or lawsuit.