The HIPAA Security Rule requires healthcare providers to take steps to protect electronic protected health information (ePHI). It helps covered entities put the requirements laid out in the HIPAA Privacy Rule into practice by implementing various controls to protect sensitive information. 

Under the Security Rule, covered entities must also complete a risk assessment and then document and implement specific administrative, physical, and technical safeguards.

Which covered entities are required to follow the Security Rule?

The Security Rule applies to any organization that has access to patient information that, if compromised, could harm a patient’s finances or reputation or result in fraud. These covered entities include: 

  • Healthcare providers
  • Health insurance companies and employer-sponsored health plans
  • Healthcare clearinghouses
  • Third-party medical service providers (Business Associates)

Who enforces the Security Rule?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the main enforcer of the HIPAA Security Rule and Privacy Rule. State attorneys general and the Centers for Medicare and Medicaid Services (CMS) also have some authority to enforce HIPAA rules. 

The OCR investigates complaints, conducts compliance reviews, and educates HIPAA covered entities about compliance requirements. It also investigates any data breaches that affect 500+ people as well as organizations that have had multiple smaller breaches. 

How to comply with the HIPAA Security Rule

It’s important to note that HIPAA legislation doesn’t specify exact controls or tools that need to be in place for compliance. The law focuses on what healthcare organizations should do to protect patient data rather than the specifics of how it needs to be accomplished. Different organizations have different systems, needs, and resources, and a national hospital system is likely to have very different security measures in place than a small family practice.

That said, all healthcare providers must complete a risk assessment to identify vulnerabilities and threats to PHI and create an effective plan to protect against potential risks. That plan must include a set of administrative, physical, and technical safeguards to secure PHI.

Risk analysis 

Covered entities and business associates are required to complete a formal risk analysis before implementing any specific safeguards. This ensures the organization fully understands its specific risk factors so that management can design and implement appropriate and effective safeguards. 

Administrative safeguards

Administrative safeguards involve any administrative actions to protect ePHI. These include establishing and maintaining defined security policies and processes and training staff on data security standards and privacy best practices. Organizations also need to designate an individual who will be responsible for ensuring ongoing compliance with the Security Rule, as well as conduct periodic assessments to evaluate how well safeguards are working to protect PHI.  

Physical safeguards

Physical safeguards address physical access to PHI and the physical storage of PHI. All PHI and electronic information systems must be protected from unauthorized access. Healthcare organizations must have a plan in place to protect PHI from natural and environmental hazards and unauthorized access, as well as a contingency plan to continue operations in the event of an incident. Physical safeguards should cover access to facilities and departments as well as access to specific workstations and devices.

Technical safeguards

Technical safeguards concern the technologies that store and access ePHI. These can include access control and monitoring, multi-factor authentication, encryption, firewalls, device management, and endpoint security. Integrity controls also ensure PHI isn’t improperly altered or disposed of, and transmission security controls protect against unauthorized access when PHI is transmitted. 

Maintain HIPAA compliance with Secureframe

Secureframe takes the stress out of following the Security Rule and keeping PHI safe. With built-in data privacy and security training, automated control monitoring, and simplified vendor and BAA management, you can rest easy knowing you’re fully compliant with HIPAA rules. Learn more about Secureframe’s HIPAA compliance solution.