HIPAA Building Blocks: The Security Rule

November 12, 2020

Even with a law as complex as HIPAA, there are a few building blocks that form the base of all HIPAA requirements. One of those blocks – often referred to as the first step in HIPAA compliance – is the Security Rule.

Essentially, the Security Rule ensures protected health information (PHI) is only accessible to those who should have access. Think of it almost like a personal bodyguard there to protect your PHI. In this case, that ‘bodyguard’ is made up of specific safeguards – covering physical, administrative, and technical access – that ensure the protection and confidential handling of patient information.

Administrative Safeguards

Covering more than just paperwork (though, there is a lot of that), administrative safeguards include documentation of the actions, policies, and procedures used by your practice to protect PHI. These requirements cover:

Physical Safeguards

Beyond the obvious (we hope things like locking your doors are already in place), physical safeguards cover the measures taken to protect your information systems, physical infrastructure, and equipment from unauthorized access as well as natural hazards. Key requirements include:

  • Specific policies and procedures for physical access to your practice
  • Regulating who has access to areas where PHI is located
  • Properly training those with access to prevent theft or loss of PHI
  • Maintaining an asset log of where physical devices are located, controlling mobile device access, and more!

Technical Safeguards

It’s impossible to avoid technology in the healthcare world today, and technical safeguards cover the ways your practice secures electronic protected health information (ePHI) and controls access to it. These requirements are a bit more difficult than simply installing antivirus software, and cover:

These safeguards are just a few pieces of the HIPAA compliance puzzle, but can make or break a practice when it comes to HIPAA. Often, practices slapped with HIPAA fines are missing one (or in most cases, a lot) of these requirements that could have prevented HIPAA violations and better protected their patient data.

So how do you start actually implementing all these requirements? There’s no easy instruction manual handy, but the next best thing is working with HIPAA experts who can not only assess where your program is at, but help guide you through recommended updates to fix any high-risk areas. However you manage HIPAA, meeting the Security Rule requirements is just the first step – make sure you review your entire HIPAA program, not just one or two pieces, to be compliant.