HIPAA Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was established to provide federal protections for United States citizens’ individual health data. It is designed to safeguard electronic Protected Health Information (ePHI) created, received, maintained, or transmitted by covered entities.

The regulation requires entities to enforce administrative, physical, and technical protections to maintain the confidentiality, integrity, and availability of ePHI. According to the HIPAA Security Rule:

  1. Confidentiality means that ePHI is not made available or disclosed to unauthorized persons.
  2. Integrity refers to the protection of ePHI from unauthorized alteration or destruction.
  3. Availability ensures that ePHI is accessible and usable on demand by an authorized person.

To adhere to the HIPAA Security Rule, covered entities must assess their security risks and implement measures to mitigate these risks, thereby protecting patients’ sensitive health information from breaches and unauthorized disclosures.

Quick reference for key HIPAA terms

  1. Protected Health Information (PHI)
    Information contained in medical records or other health-related documentation capable of identifying an individual and that was generated, utilized, or revealed while delivering a healthcare service, including diagnosis or treatment.
  2. Electronic Protected Health Information (ePHI)
    ePHI is any protected health information created, stored, transmitted, or received electronically. The HIPAA Security Rule specifically focuses on protecting ePHI.
  3. Covered entities
    Covered entities consist of individuals or organizations that electronically transmit health information (e.g., health plans, health care clearinghouses, and health care providers).
  4. Business associates
    Business associates are individuals or organizations engaged in specific tasks or operations involving the handling or revealing of PHI for or offering services to a covered entity (e.g., billing firms, external consultants, IT service providers, and vendors of electronic health records).

A brief history of the HIPAA Security Rule

Several agencies offer tools and resources to facilitate compliance with the HIPAA Security Rule, such as the HIPAA Security Risk Assessment Tool and Guidance on Risk Analysis. Using these tools is an important step for covered entities and business associates to enable compliance with HIPAA regulations.

HIPAA Security Risk Assessment Tool

The HIPAA Security Risk Assessment (SRA) Tool is a downloadable resource created by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to help covered entities and business associates understand and implement the requirements of the HIPAA Security Rule. The SRA Tool is designed to be user-friendly and accessible to small and medium-sized healthcare providers.

Key features of the HIPAA SRA Tool:

  1. Step-by-step guided assessment—guides users through each aspect of a security risk assessment, covering administrative, physical, and technical safeguards as well as the identification of potential threats and vulnerabilities.
  2. Customizable questionnaire—allows organizations to tailor the assessment to their unique requirements and consider their size, complexity, and capabilities.
  3. Educational resources—provides explanations, examples, and references to relevant sections of the HIPAA Security Rule to help users better understand the requirements.
  4. Risk calculation and documentation—helps calculate potential risks and vulnerabilities to ePHI and assists in documenting the measures that are in place or need to be implemented to mitigate these risks.
  5. Report generation—generates a report that outlines the organization’s compliance efforts with the HIPAA Security Rule, which can be used for internal purposes or provided during audits.

Guidance on Risk Analysis

The U.S. Department of Health and Human Services releases regular advisories on the HIPAA Security Rule’s stipulations. These guidance documents are designed to help entities recognize and apply the most suitable and effective safeguards to ensure the security, privacy, and integrity of electronic protected health information. These resources are subject to annual revisions to remain current and relevant.

HIPAA Security Rule summary

The HIPAA Security Rule is focused on ePHI. A core element of it is the requirement for covered entities to perform a risk analysis and implement security measures sufficient to reduce these risks to a reasonable and appropriate level.

Unlike other rules, the HIPAA Security Rule is flexible and allows an organization to tailor its compliance approach according to its size, structure, and operations, and the nature of its ePHI.

This means there is no single mandatory way to achieve compliance, but the safeguards specified must be applied effectively. Two further requirements apply:

  1. Organizational requirements: Policies, procedures, and documentation requirements for covered entities and business associates to guarantee the proper protection of PHI, such as contracts or other arrangements between organizations that share ePHI
  2. Policies and documentation requirements: Requirements for retaining records of documented policies and procedures pertinent to the HIPAA Security Rule for a period of six years from the date of their creation or from the date they were last applicable, whichever comes later

Who must comply with the HIPAA Security Rule?

The HIPAA Security Rule is applicable to covered entities, such as health plans, healthcare clearinghouses, and healthcare providers that electronically transfer health information that includes ePHI. It also applies to business associates, which can be either individuals or organizations that conduct tasks or services for covered entities and require the handling or revealing of ePHI.

What information is protected by the HIPAA Security Rule?

The HIPAA Security Rule protects identifiable health information that is transmitted or maintained electronically. This includes information that relates to:

  1. Health status information—details concerning an individual’s physical or mental health condition
  2. Healthcare provision data—information about the care, treatment, services, or diagnostics provided to an individual
  3. Payment information—data related to financial transactions or billing for healthcare services
  4. Identifiers in ePHI—information that contains one or more personal identifiers that could be used to recognize an individual or their health information, such as:
     - Account numbers
     - Addresses (i.e., geographic subdivisions smaller than a state)
     - Unique identifying numbers, characteristics, or codes assigned to an individual
     - Biometric identifiers (e.g., finger and voice prints)
     - Certificate or license numbers
     - Dates (except year) directly related to an individual
     - Device identifiers and serial numbers
     - Email addresses
     - Full-face photographic images and any comparable images
     - Health plan beneficiary numbers
     - Internet Protocol (IP) address numbers
     - Medical record numbers
     - Names
     - Phone numbers
     - Social Security Numbers
     - Vehicle identifiers and serial numbers, including license plate numbers
     - Web Uniform Resource Locators (URLs)

What types of safeguards are required under the HIPAA Security Rule?

The HIPAA Security Rule details three types of safeguards that address different aspects of ePHI protection and are designed to work in tandem to create a comprehensive security framework.

1. Administrative safeguards
Administrative safeguards are strategies and protocols established to demonstrate an organization’s adherence to the regulation. These safeguards include creating, executing, and upholding security measures to safeguard ePHI and regulate the behavior of the workforce regarding ePHI data security. These protections include:

  1. Designation of security officials—assigns security responsibility to personnel or teams tasked with formulating and applying required security guidelines and protocols
  2. Employee education and management—provide staff training on the proper management of ePHI and the organization’s security practices and policies
  3. Periodic review—continuous evaluation of the effectiveness of security policies and procedures to ensure they sufficiently protect ePHI
  4. Risk analysis and mitigation—conduct comprehensive evaluations of potential threats to the security, privacy, and accessibility of ePHI

2. Physical safeguards
Physical safeguards consist of actions, rules, and practices designed to protect an organization’s electronic information systems, along with the premises and devices that house them, from natural disasters, environmental threats, and unauthorized access. These protections include:

  1. Controlled facility access—restrict physical access to electronic information systems and their environments to those with explicit authorization
  2. Security for workstations and devices—define appropriate usage and access to workstations, devices, and electronic media, including the secure transfer, elimination, disposal, and recycling of electronic media to safeguard ePHI

3. Technical safeguards
Technical safeguards cover the digital systems that store and process ePHI and manage its accessibility. These protections include:

  1. Access control policies—restrict ePHI access to individuals or systems with explicit authorization
  2. Data integrity measures—verify that ePHI remains unchanged and undamaged by unauthorized actions
  3. Monitoring controls—log and scrutinize activities in digital systems that use or transmit ePHI
  4. Protection during transmission—prevent unauthorized entities from accessing ePHI while it is being transferred across electronic networks

What are the penalties for non-compliance with the HIPAA Security Rule?

Civil monetary penalties

The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing civil penalties for violations of the HIPAA Security Rule. HIPAA outlines specific aggravating and mitigating circumstances that authorities must evaluate when setting the penalty amount. These factors include:

  1. Scope of individuals impacted
  2. Nature of harm caused by the violation, including physical, financial, or reputational damage or interference with a patient’s access to healthcare
  3. Entity’s record of adherence or failure to comply in the past
  4. Economic status of the entity
  5. Potential impact of a civil fine on the entity’s capability to continue offering healthcare services
  6. Overall size of the entity

Tier one civil violations
For violations where the entity was unaware and could not have realistically known of the breach, penalties range from $137 to $34,464 per violation, with an annual maximum of $34,464 for repeat violations.

Tier two civil violations
For violations due to reasonable cause and not willful neglect, penalties range from $1,379 to $68,928 per violation, with an annual maximum of $137,886 for repeat violations.

Tier three civil violations
For violations due to willful neglect that are corrected within a timely manner (typically within 30 days), penalties range from $13,785 to $68,928 per violation, with an annual maximum of $344,638 for repeat violations.

Tier four civil violations
For violations of willful neglect that are not corrected within a timely manner, penalties are $68,928 per violation, with an annual maximum of $2,067,813.

In addition, state attorneys general can issue fines up to a maximum of $25,000 per violation category per year.

Criminal penalties

The Department of Justice is responsible for criminal violations of the HIPAA Security Rule.

Tier one
Deliberately obtaining and disclosing PHI without authorization results in a monetary fine of $50,000 and up to one year in jail.

Tier two
Obtaining PHI under false pretenses results in a monetary fine of $100,000 and up to five years in jail.

Tier three
Obtaining PHI for personal gain or with malicious intent results in a monetary fine of $250,000 and up to 10 years in jail.

HIPAA: Essential protection for health records

The HIPAA Security Rule is essential for protecting individuals’ sensitive health records. The requirements and safeguards set forth in the HIPAA Security Rule provide a framework that not only protects ePHI but also optimizes security controls for healthcare organizations and maintains the trust of patients.
