November 12, 2020
Even with a law as complex as HIPAA, there are a few building blocks that form the base of all HIPAA requirements. One of those blocks – often referred to as the first step in HIPAA compliance – is the Security Rule.
Essentially, the Security Rule ensures protected health information (PHI) is only accessible to those who should have access. Think of it almost like a personal bodyguard there to protect your PHI. In this case, that ‘bodyguard’ is made up of specific safeguards – covering physical, administrative, and technical access – that ensure the protection and confidential handling of patient information.
Administrative Safeguards
Covering more than just paperwork (though, there is a lot of that), administrative safeguards include documentation of the actions, policies, and procedures used by your practice to protect PHI. These requirements cover:
- Completing an ongoing and updated security risk analysis to assess and document where your practice currently stands and identify any weaknesses
- Designating a HIPAA Compliance Officer (HCO) for your practice to implement and oversee each of the necessary policies
- Documenting policies and procedures specific to your practice operations
- Administering annual employee training
- Completing business associate agreements with each and every third-party vendor your practice works with
Physical Safeguards
Beyond the obvious (we hope things like locking your doors are already in place), physical safeguards cover the measures taken to protect your information systems, physical infrastructure, and equipment from unauthorized access as well as natural hazards. Key requirements include:
- Specific policies and procedures for physical access to your practice
- Regulating who has access to areas where PHI is located
- Properly training those with access to prevent theft or loss of PHI
- Maintaining an asset log of where physical devices are located, controlling mobile device access, and more!
Technical Safeguards
It’s impossible to avoid technology in the healthcare world today, and technical safeguards cover the ways your practice secures electronic protected health information (ePHI) and controls access to it. These requirements are a bit more difficult than simply installing antivirus software, and cover:
- Implementing policies for only authorized access to ePHI
- Installing all the necessary software and hardware to protect ePHI
- Ensuring ePHI is not improperly altered and is disposed of properly
- Tracking user activity within your systems that contain ePHI
- Properly encrypting ePHI
- Updating IT systems when necessary, and a whole list of other technical requirements
These safeguards are just a few pieces of the HIPAA compliance puzzle, but can make or break a practice when it comes to HIPAA. Often, practices slapped with HIPAA fines are missing one (or in most cases, a lot) of these requirements that could have prevented HIPAA violations and better protected their patient data.
So how do you start actually implementing all these requirements? There’s no easy instruction manual handy, but the next best thing is working with HIPAA experts who can not only assess where your program stands, but help guide you through recommended updates to fix any high-risk areas. However you manage HIPAA, meeting the Security Rule requirements is just the first step – make sure you review your entire HIPAA program, not just one or two pieces, to be compliant.