Ragavan


Date

Feb 2021


Topics

  • HIPAA
  • Security safeguards
  • Healthcare Security
  • Cybersecurity
  • HIPAA Security Rule

What are the HIPAA Security and Privacy Rules?

HIPAA Security Rule

The HIPAA Security Rule comprises three pillars of safeguards that encompass the necessary controls and procedures prescribed in HIPAA.
These pillars are:

  • Technical Safeguards
  • Physical Safeguards
  • Administrative Safeguards

Technical Safeguards are the technical security configurations, controls, and infrastructure in place to identify, protect against, detect, respond to, and recover from incidents that could affect the confidentiality, integrity, or availability of ePHI (electronic PHI). An example of a Technical Safeguard is end-to-end encryption of ePHI in transit.

Physical Safeguards are the physical security controls, infrastructure, and measures in place to protect against and detect unauthorized physical access to PHI or ePHI. One example of a Physical Safeguard is Role-Based Access Control or “RBAC”, which you must enforce in the data centers that store ePHI. You must implement RBAC for the systems and employees that access ePHI, and grant that access only to roles for which handling ePHI is a defined requirement.

Administrative Safeguards are the administrative security policies, procedures, and workflows required to assure the confidentiality, integrity, and availability of ePHI. An example of an Administrative Safeguard is a Business Continuity and Disaster Recovery Plan.

HIPAA Privacy Rule

The HIPAA Privacy Rule lays out the rules governing the use and disclosure of PHI and the procedural and operational safeguards around it. The Privacy Rule also defines the rights of the patient or PHI data subject under HIPAA.
Some of the requirements laid out in the Privacy Rule include the following:

  • A privacy policy that covers the use and disclosure of PHI, the rights of PHI data subjects, access to PHI, and denial of access to PHI.
  • A publicly available “Notice of Privacy Practices” that clearly describes topics such as what your company does with PHI and how you protect it.
  • A designated compliance or privacy officer (business associates must appoint one as well) who is responsible for HIPAA compliance in the organization and for handling any complaints received.

Of course, there is much more to both the Security and Privacy Rules in the details and fine print, but this overview gives you a sense of what you’ll need to do.

Who needs to be compliant under HIPAA regulations?

HIPAA compliance primarily applies to organizations that fall under the term “covered entity.” Organizations that qualify as covered entities under HIPAA are healthcare providers, health plans, and healthcare clearinghouses.

So how does this apply to your business then, if it isn’t actually in the healthcare industry?

HIPAA also requires “business associates” to meet the requirements of the HIPAA Security Rule and Privacy Rule. A business associate may also have additional contractual obligations relating to HIPAA compliance, as laid out in a Business Associate Agreement or “BAA.”

Healthcare Providers consist of doctors, clinics, hospitals, continuing care facilities (nursing homes), and any specialists practicing medicine whose services an insurer would cover.

Health Plans consist of health insurance companies, HMOs, private-sector group health plans, and public-sector group health plans.

Healthcare Clearinghouses are service providers that process insurance claims and check them for errors, acting as an intermediary between an insurer and a provider. These entities handle ePHI in many forms; therefore, they belong to the category of covered entities.

Business Associates are third parties that provide some service to a covered entity but are not part of the covered entity's core workforce. This can include vendors, software providers, or other services that a covered entity might need to obtain.

What are some examples of a business associate?

  • A third-party accounting firm that provides its services to a healthcare provider and accesses PHI (claims) to perform its role.
  • A third-party SaaS vendor whose software a healthcare provider uses to process ePHI in any way, such as a CRM that holds personal contact information (even if it does not contain medical records).
  • A consultant requiring access to PHI during their engagement, for any purpose.

What are the consequences of non-compliance under HIPAA?

  • For covered entities, the penalty for a HIPAA violation depends on the degree of malicious intent or negligence. Penalties can range from fines to incarceration in extreme cases such as identity theft or fraud.
  • Business associates, depending on the circumstances, can be held liable for any violations they are responsible for under HIPAA.
