The job of a long-term post-acute care (LTPAC) provider is primarily to protect the health of its residents. That job was never as important – or onerous – for providers as it was in 2020. While providers were, understandably, focused on protecting residents’ physical health, it was equally important to protect their health information.
As technology progressed and digital versions of data and processes continued to increase, the U.S. Department of Health and Human Services (HHS) proposed regulations that would protect personal health information. First, HHS enacted the HIPAA Privacy Rule in 2000, followed by the Security Rule in 2003.
Today, with breaches occurring on a daily basis and providers still seeking to find a new, post-COVID-19 “normal” within their day-to-day operations, the privacy and security of health information is more important than ever.
As with the Privacy Rule (covered in Part I of our HIPAA series), compliance with the Security Rule requires adequate knowledge and understanding of what comprises its rules as well as the implementation of effective policies and procedures for safeguarding personal health information.
History of the HIPAA Security Rule
Both the HIPAA Security Rule and the HIPAA Privacy Rule pertain to Protected Health Information (PHI), which includes any health-related patient information such as clinical data, health conditions or billing information. However, whereas the Privacy Rule protects PHI that could be used to identify an individual, the Security Rule protects a subset of this identifiable health information. That subset is electronic Protected Health Information (ePHI), or PHI that is created, maintained, received or transmitted in electronic form. The Security Rule covers healthcare providers, health plans and healthcare clearinghouses, as well as business associates of these entities, that administer ePHI.
In 2009, the scope of the Security Rule was expanded with the adoption of the Health Information Technology for Economic and Clinical Health (HITECH) Act. At that time, widespread usage of healthcare information technologies was perceived as critical to the advancement of healthcare in the U.S. Thus, HITECH was signed into law to encourage providers to embrace new health technologies, mainly electronic health records (EHRs).
An EHR is a digital version of a patient’s or resident’s chart, which includes all health information and medical history collected along the resident’s health journey. Prior to 2009, relatively few providers had implemented EHRs; the enactment of HITECH supplied financial incentives to do so. In order to qualify for these federal funds, providers had to adopt certified EHR technology and demonstrate “meaningful use,” or use of EHRs that resulted in the improvement of the quality of patient care.
The HITECH Act also requires that providers demonstrate compliance with the Privacy Rule and the Security Rule by conducting risk assessments. Risk analysis, however, is just one of the many compliance requirements of HIPAA’s Security Rule.
Understanding HIPAA Security General Rules
Compliance with the HIPAA Security Rule starts with certain general requirements pertaining to ePHI. In this regard, you must:
Ensure the confidentiality, integrity and availability of all ePHI
Identify and protect against reasonably anticipated threats to the security of the information
Protect against reasonably anticipated impermissible uses
Ensure employee compliance
Fulfillment of these objectives depends upon the implementation of appropriate security measures. Because providers range in size and capability, however, implementation is not one-size-fits-all. You should create a security plan based on characteristics including your size and capabilities as well as your hardware and software infrastructure, the costs of security methods and the potential risk to ePHI.
To this end, the Security Rule requires that you analyze your security needs and implement security measures that are appropriate for your organization. Furthermore, you must continually review your processes and procedures to ensure adequate protection of all ePHI that falls within your administration.
3 Safeguards for Protecting ePHI
The Security Rule defines specific tactics for the implementation of a security plan. These controls and procedures are established to meet the overall goal of protecting ePHI and fall within three main categories of safeguards: administrative, physical and technical.
The first step of the Security Rule’s administrative safeguard provisions is to perform a risk analysis. This is, arguably, the most important step and one which affects every one of the safeguards. Performing a risk analysis helps you to take stock of your security needs and determine security measures to implement that are appropriate for your organization.
Within your risk-analysis process you should evaluate the likelihood and impact of potential risks to ePHI and implement, document and maintain appropriate security measures against those risks. Risk analysis should be an ongoing process to make sure you are effectively minimizing risk.
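The likelihood-and-impact evaluation described above can be kept as a simple risk register that is scored, ranked and checked on a schedule. The following is an added example, not code from the original article or from Richter: the 1-5 scale, the tier thresholds and every risk, safeguard and date in it are assumptions constructed for illustration.

```python
# Added example (not part of the original article): a small risk-analysis
# register of the kind the Security Rule's administrative safeguards require.
# Each risk to ePHI is scored on likelihood and impact (a 1-5 scale, assumed
# here), ranked, and checked for a documented safeguard and a recent review.
# Every risk, safeguard and date below is constructed for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta

# Qualitative tiers for the likelihood x impact product (assumed thresholds).
TIERS = ((20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low"))
REVIEW_DATE = date(2024, 4, 1)   # constructed "today" for the sample run


@dataclass
class Risk:
    threat: str                 # what could go wrong
    asset: str                  # ePHI system or data store affected
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    safeguards: list = field(default_factory=list)   # documented measures
    last_reviewed: date = field(default_factory=date.today)

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be between 1 and 5")
        return self.likelihood * self.impact

    def tier(self) -> str:
        s = self.score()
        return next(name for floor, name in TIERS if s >= floor)


def rank_risks(risks):
    """Highest score first, so the most urgent risks are treated first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def compliance_gaps(risks, today, review_interval_days=365):
    """Findings a reviewer would flag: High/Critical risks with no documented
    safeguard, and risks not re-evaluated within the review interval."""
    findings = []
    for r in risks:
        if r.tier() in ("High", "Critical") and not r.safeguards:
            findings.append(f"{r.threat} ({r.tier()}): no documented safeguard")
        if today - r.last_reviewed > timedelta(days=review_interval_days):
            findings.append(f"{r.threat}: review overdue (last {r.last_reviewed})")
    return findings


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("Lost unencrypted laptop", "EHR client", 3, 5,
         ["full-disk encryption", "remote wipe"], date(2023, 2, 1)),
    Risk("Shared nursing-station login", "EHR", 4, 4, [], date(2024, 1, 15)),
    Risk("Printer hard drive not cleared", "Print server", 2, 3,
         ["scheduled wipe"], date(2024, 3, 1)),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.score():2d} {r.tier():8s} {r.threat}")
    for finding in compliance_gaps(SAMPLE_RISKS, REVIEW_DATE):
        print("FINDING:", finding)
```

Running the sample ranks the shared login first (score 16) and reports two findings: the shared login has no documented safeguard, and the laptop risk has not been reviewed within a year. The review-interval check is what turns a one-time assessment into the ongoing process the Security Rule expects.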
Additional administrative safeguards include:
Security personnel designation such as a compliance officer responsible for managing overall compliance with HIPAA or separate security and privacy officers
Information access management in which the use of ePHI is limited to the “minimum necessary,” which means authorizing only as much access to ePHI as an employee’s role necessitates (role-based access)
Workforce management that includes adequate training and supervision of employees who work with ePHI, as well as sanctions for violations such as sending PHI by unencrypted email
Evaluation performed periodically to determine the effectiveness of your security measures and how well they meet the requirements of the Security Rule
Physical safeguards address the structures in which ePHI is housed and the devices on which it is used. These are common targets of attack and require strong safeguards, including:
Facility access and control measures that limit physical access to facilities, such as adequately locking areas where ePHI is stored and installing alarm or security systems
Workstation and device security policies and procedures that specify appropriate access to workstations and that cover the access and use of electronic media
Healthcare providers are particularly susceptible to cyberattacks. The healthcare industry is often targeted because personal health information is generally more valuable to cybercriminals, as a means of funding criminal activities, than information such as credit card numbers or bank account details.
Technical safeguards include:
Access controls that allow only authorized persons to access ePHI
Audit controls, that is, hardware, software or procedural mechanisms that record and examine activity in information systems that store or use ePHI
Integrity controls that ensure that ePHI has not been improperly altered or destroyed
Transmission security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network, such as firewalls and encryption
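The access, audit and integrity controls just listed, together with the “minimum necessary” access management described under the administrative safeguards, can be seen working together in a single small service. The following is an added example, not code from the original article or from Richter: the roles, the fields each role may see, the integrity key, the resident record and the user IDs are all constructed for illustration, and the integrity check uses an HMAC over the stored record as one simple way of meeting the integrity requirement.

```python
# Added example (not part of the original article): a toy ePHI record service
# that implements the technical safeguards listed above - role-based access
# control that returns only the "minimum necessary" fields, an audit trail of
# every access attempt, and an HMAC integrity check on stored records - plus
# immediate disabling of a terminated user's account. Roles, fields, key,
# records and user IDs are constructed for illustration.
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed role -> permitted ePHI fields (minimum necessary for that role).
ROLE_FIELDS = {
    "nurse":   {"name", "room", "allergies", "medications"},
    "billing": {"name", "insurance_id", "balance"},
    "dietary": {"name", "room", "allergies"},
}

INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def seal(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, stored beside the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify(record: dict, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(seal(record), tag)


class EphiService:
    def __init__(self):
        self.users = {}      # user_id -> {"role": str, "active": bool}
        self.records = {}    # resident_id -> (record, integrity tag)
        self.audit = []      # append-only audit trail of access attempts

    def add_user(self, user_id, role):
        self.users[user_id] = {"role": role, "active": True}

    def terminate(self, user_id):
        """Disable immediately; keep the entry so past audit entries resolve."""
        self.users[user_id]["active"] = False

    def store(self, resident_id, record):
        self.records[resident_id] = (dict(record), seal(record))

    def _log(self, user_id, resident_id, outcome, fields=()):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "resident": resident_id,
            "outcome": outcome, "fields": sorted(fields),
        })

    def read(self, user_id, resident_id):
        user = self.users.get(user_id)
        if user is None or not user["active"]:
            self._log(user_id, resident_id, "DENIED: inactive or unknown user")
            raise PermissionError("account disabled or unknown")
        record, tag = self.records[resident_id]
        if not verify(record, tag):
            self._log(user_id, resident_id, "DENIED: integrity check failed")
            raise ValueError("record integrity check failed")
        allowed = ROLE_FIELDS.get(user["role"], set())
        view = {k: v for k, v in record.items() if k in allowed}
        self._log(user_id, resident_id, "OK", view.keys())
        return view


def demo():
    """Constructed walk-through: a nurse reads, a terminated billing user is
    refused, and a record altered behind the service's back is refused."""
    svc = EphiService()
    svc.add_user("rn01", "nurse")
    svc.add_user("bl01", "billing")
    svc.store("res-100", {"name": "A. Resident", "room": "12B",
                          "allergies": ["penicillin"], "medications": ["x"],
                          "insurance_id": "INS-000", "balance": 0.0})
    nurse_view = svc.read("rn01", "res-100")
    svc.terminate("bl01")
    try:
        svc.read("bl01", "res-100")
        denied = False
    except PermissionError:
        denied = True
    record, _tag = svc.records["res-100"]      # tamper without re-sealing
    record["medications"] = ["tampered"]
    try:
        svc.read("rn01", "res-100")
        tamper_caught = False
    except ValueError:
        tamper_caught = True
    return nurse_view, denied, tamper_caught, svc.audit
```

Note that the audit trail records denials as well as successful reads, and records which fields were released rather than their values, so the log itself does not become another copy of ePHI.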
Best Practices for Complying with the Security Rule
It can be difficult to translate the Security Rule’s numerous required safeguards into practical daily activities. We’ve compiled a (non-exhaustive) list of best practices that can help you to avoid risk to the best of your capabilities and decrease your likelihood of a cyberattack and a dangerous breach of ePHI.
Ensure that all communications that include ePHI are encrypted, a way of scrambling data so that only authorized persons can understand the information
Ensure the enabling of either two-factor or multi-factor authentication, which requires users to verify their identities by providing two pieces of evidence (2FA) or multiple pieces of evidence (MFA) before gaining access to a device or to ePHI
Apply “minimum necessary” rules when accessing or transmitting ePHI (i.e., don’t send an entire health record when only certain medical details are necessary)
Apply “least necessary” reasoning when authorizing access to confidential information such that each employee is able to access only what their job requires and only access ePHI when there is a job-related need to know
If you have more than one network, make sure that your staff is logging into the secured network versus a guest network
Assign all employees their own login information and make sure it is understood that logins should never be shared and user IDs and passwords should be kept confidential
Mobile or other devices used outside your network must be connected to a secure virtual private network (VPN)
Don’t use a personal email address or a personal device or cell phone to send PHI and remember that texts are not inherently secure
Disable user accounts immediately upon an employee’s termination
Remember to regularly clear printers of any information that may have been saved, as they have hard drives that retain information
Conduct HIPAA training annually, at a minimum, and with all new hires to ensure your employees are aware of rules
Conduct a HIPAA network risk assessment annually to ensure compliance
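The two-factor item in the list above says a user must present a second piece of evidence; a common form of that evidence is a time-based one-time password from an authenticator app. The following is an added example, not code from the original article or from Richter, showing how such a second factor is generated and checked. It implements RFC 4226 HOTP and RFC 6238 TOTP (SHA-1, 30-second step, six digits) and a verifier that tolerates one step of clock drift and refuses to accept the same code twice. The secret is the published RFC test-vector key, used only so the values can be checked against the standard; the user table and timestamps are constructed.

```python
# Added example (not part of the original article): a time-based one-time
# password (RFC 4226 HOTP / RFC 6238 TOTP) second factor and a verifier with
# drift tolerance and replay rejection. The secret is the RFC test-vector key;
# users and timestamps are constructed for illustration.
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS)


class SecondFactorVerifier:
    """Holds per-user secrets and the last accepted time step, so a code
    observed once cannot be replayed within its validity window."""

    def __init__(self, drift_steps: int = 1):
        self.drift = drift_steps
        self.secrets = {}
        self.last_step = {}

    def enroll(self, user: str, secret: bytes):
        self.secrets[user] = secret
        self.last_step[user] = -1

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None or len(code) != DIGITS or not code.isdigit():
            return False
        now_step = unix_time // STEP_SECONDS
        for step in range(now_step - self.drift, now_step + self.drift + 1):
            if step <= self.last_step[user]:
                continue                     # already consumed: replay attempt
            if hmac.compare_digest(hotp(secret, step), code):
                self.last_step[user] = step  # consume this and earlier steps
                return True
        return False


RFC_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector key


def demo():
    """Constructed walk-through: enroll a user, accept a valid code at
    Unix time 59, then refuse the identical code when it is presented again."""
    v = SecondFactorVerifier()
    v.enroll("rn01", RFC_SECRET)
    code = totp(RFC_SECRET, 59)
    first = v.verify("rn01", code, 59)
    replay = v.verify("rn01", code, 59)
    return code, first, replay
```

The first factor (the employee's own login) still applies; this block only covers the second one. Tracking the last accepted step per user is what makes a captured code useless after it has been used once, even inside the drift window.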
The Bottom Line
Not only is compliance with the HIPAA Security Rule complicated and made up of a vast number of requirements, but there is also the potential for major fines and penalties for non-compliance. It’s crucial that you consistently have adequate security measures in place and that your employees understand your policies and procedures, including what constitutes a breach.
We understand that for many LTPAC providers maintaining HIPAA compliance is overwhelming. Richter can help.
Our professionals have both an extensive knowledge of the HIPAA Security Rule as well as proven experience in helping providers navigate the myriad of security requirements and implement effective security measures. We can help you perform a risk analysis of your network controls and current policies and procedures and help you devise a comprehensive security plan. We will also advise you in performing your annual HIPAA Network Risk Assessment.
Next in our series – Part III: Breach Notifications