Chapter 3: Security Standards


3.1 THE SAFEGUARDS

This chapter is a brief introduction to the HIPAA Security Standards, each of which is dealt with in detail in the following chapters. The HIPAA Security Standards mandate that covered entities take 'Safeguards' in three areas: Administrative, Physical and Technical. A grid for each of these Safeguards is shown at the end of this chapter.

HIPAA Administrative Safeguards make up half of the Security Rule (9 of its 18 standards). Most of these Safeguards require documented policies and procedures for daily operations, for managing the conduct of employees who handle Electronic Protected Health Information (EPHI), and for managing the selection, development and use of 'security controls'.

HIPAA Physical Safeguards set forth the categories of policies and procedures that a covered entity (CE) must implement to control physical access to the hardware and electronic media on which EPHI is stored.

HIPAA Technical Safeguards are made up of several security measures. They specify how technology is to be used to protect EPHI and how technology is to be used to control access to EPHI.

3.1.1 'Standards' vs. 'Implementation Specifications'

There are several key terms that must be understood when reviewing and applying the HIPAA Security rule. The first two of these terms are 'Standards' and 'Implementation Specifications'.

Standards explain what a Covered Entity must do. Implementation Specifications explain how to do it.

The HIPAA Security Rule contains 18 Standards: the Administrative Safeguards have 9 standards, the Physical Safeguards have 4 standards, and the Technical Safeguards have 5 standards.

Of these 18 Security Standards, 12 have implementation specifications and 6 have none. A standard with no implementation specifications is itself the requirement, and the covered entity must meet it as written.

There are a total of 36 Implementation Specifications for these 12 standards: 14 Specifications are 'Required' and 22 Specifications are 'Addressable'.

3.1.2 'Addressable' vs. 'Required'

Here are two more key terms that must be understood when reviewing and applying the HIPAA Security rule: 'Addressable' and 'Required'.

'Required' means what it says: the covered entity must implement the specification as written.

'Addressable' does not mean optional. An addressable implementation specification may be met by alternative means, or the entity may decide that the underlying standard can be met without implementing the specification or an alternative; in either case the decision and the reasoning behind it must be documented.

Some notable implementation specifications that were made addressable in the final Security Rule: automatic logoff; encryption of data at rest; encryption of e-mail and other data in transit.

3.1.3 Addressable Options

The HIPAA Security Rule requires covered entities to do one of three things for every addressable implementation specification:

  • Implement an addressable specification if reasonable and appropriate, or

  • Implement an alternative security measure to accomplish the purposes of the standard, or

  • Implement neither, if the specification is not 'reasonable and appropriate' for the entity and the standard can still be met, and document why.

3.1.4 Documentation Standards

The HIPAA Security Rule mandates that covered entities retain all documentation, policies and procedures required by the Security Rule for 6 years from the date of creation or the date it was last in effect, whichever is later. This documentation must also be made available to the persons responsible for implementing the related procedures.

Covered entities must also periodically review the documentation and revise and update it as needed to ensure the confidentiality, integrity and availability of EPHI (the bedrock principles of information security).

3.1.5 Other 'Highlights' from the Security Rule

  • The Rule contains no specific technology recommendations; it is technology neutral. No specific type of device is named or required to be in place within a covered entity's domain to protect EPHI.

  • The Rule defines the 'minimum standard', the least that a covered entity must do to protect EPHI. An entity may choose to do more, and that decision should be based on its own risk analysis and vulnerability assessment.

  • The Rule requires a covered entity to perform a thorough and accurate 'risk analysis' and to document the process. This is each entity's own responsibility, and the results of each covered entity's analysis will be unique to it. While the threats to EPHI are generally well known, each covered entity's own vulnerabilities determine the risk specific to that entity.

  • The Rule is based on many different security guidelines, standards and information security industry 'best practices'. Many of these have been in place for years within government and in industries such as banking; HIPAA mandates these Standards, with their requirements and implementation specifications, for the healthcare industry.

  • All covered entity staff, including management, physicians, and those who work from home, must comply with the Security Rule. This includes telecommuters and others who connect remotely to a covered entity's information systems, as well as physicians who may or may not be employees of a hospital or medical center.

  • A covered entity must document its Security Rule implementation decisions; this is part of the Documentation standards. It is commonly believed that if this documentation is done properly, there would be no penalties even if a documented decision is later found to be non-compliant. Do not rely on that belief: documentation records that a decision was made and why, but it does not by itself satisfy a standard that the decision leaves unmet.

  • A covered entity must train employees regularly. HIPAA Security training should become part of a covered entity's new employee orientation program, as well as any annual skills demonstration, JCAHO preparation or other state certification process.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181
