Summary of The HIPAA Security Rule

HIPAA Security Rule

The HIPAA Security Rule (HSR) establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

Specifically, covered entities must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.

Generally speaking, the HIPAA Security Rule requires three pillars of safeguards: 1) administrative, 2) physical, and 3) technical, together with an inherent requirement to document the entire process. Below are various considerations for each of the HSR safeguards; keep in mind that this list is in no way definitive.

Administrative Safeguards

  • Security Management Process
  • Assigned Security Personnel
  • Information Access Management
  • Workforce Training Management
  • Workforce Security
  • Contingency Plan Evaluation

Physical Safeguards

  • Facility Access and Control
  • Workstation and Device Security
  • Workstation Use
  • Device and Media Control

Technical Safeguards

  • Access Control
  • Audit Control
  • Integrity Controls
  • Transmission Security
  • Person or Entity Authentication

A number of resources are currently available to help organizations understand the requirements of the HIPAA Security Rule and implement them; we have listed several below.

  • HIPAA Security Risk Assessment Tool – A collaboration between the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR), this tool is aimed at helping small and medium-sized health care organizations navigate risk assessment.
  • NIST HSR Toolkit – The official toolkit from the National Institute of Standards and Technology (NIST) is an assessment survey that educates organizations on HSR implementation, assessment, and compliance through a comprehensive guide.