Which of the following is not an administrative safeguard outlined in the Security Rule

Whereas the HIPAA Privacy Rule deals with Protected Health Information (PHI) in general, the HIPAA Security Rule (SR) deals with electronic Protected Health Information (ePHI), which is essentially a subset of what the HIPAA Privacy Rule encompasses. In terms of actual regulatory text the HIPAA Security Rule only spans approximately 8 pages, which is the good news. The bad news is the HIPAA Security Rule is highly technical in nature. For all intents and purposes this rule is the codification of certain information technology standards and best practices.

Broadly speaking, the HIPAA Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical. In addition, it imposes other organizational requirements and a need to document processes analogous to the HIPAA Privacy Rule. That said, creating the necessary HIPAA Security Rule documentation will likely prove significantly more "vexing" than its Privacy Rule counterpart, especially for small providers. Health information technology (HIT) resources should be available for these types of projects.

In short, small providers will almost certainly need to hire HIT consultants if they want to "reasonably and appropriately" comply with the HIPAA Security Rule. Given this reality, we simply present the general rule and the standards captured in the enumerated safeguards, with brief commentary that hopefully explains in lay terms what a particular standard means. A given standard usually has implementation specifications associated with it. We have opted not to discuss the HIPAA Security Rule specifications (only the standards) since it is our belief that any attempt at paraphrasing the specifications would only add to the confusion.

Our guiding principle with respect to this rule is "implement the necessary safeguards." We readily admit that this is much easier said than done, since the real challenge lies in defining "necessary." As discussed below in the general rule, the HIPAA Security Rule attempts to provide some "flexibility" in this regard (an apparent acknowledgement of the challenges faced by small providers), but as a practical matter does not otherwise significantly reduce the burden of implementation, in our opinion.

The provider compliance date for the security standards was April 20, 2005 (§164.318). The HIPAA Security Rule is contained in sections §164.302 through §164.318.

§ 164.302 Applicability

A Covered Entity must comply with the standards and implementation specifications contained herein.

§ 164.304 Definitions

Introductory Comment: The definitions below are a paraphrased subset of all the definitions contained in the HIPAA Security Rule. The omitted definitions, by and large, are technical terms that are useful for interpreting the implementation specifications. Since we have omitted any discussion of the specifications there is no need to define the technical terms related to them.

Access

Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Administrative safeguards

Administrative safeguards are administrative actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the Covered Entity's workforce in relation to the protection of that information.

Confidentiality

Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.

Physical safeguards

Physical safeguards are physical measures, policies, and procedures to protect a Covered Entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

Technical safeguards

Technical safeguards mean technology and the policy and procedures for its use that protect electronic health information and control access to it.

© 2009-2022 3Lions Publishing, Inc.

HIPAA Administrative Safeguards

The HIPAA Security Rule is a set of regulations intended to protect the security of electronic Protected Health Information (ePHI) in order to maintain the confidentiality, integrity, and availability of ePHI. This is achieved by implementing proper administrative, physical, and technical safeguards. In this three-part series, we'll take time to examine each of these safeguards. The bulk of the Security Rule is focused on administrative safeguards. In this post, we will take a detailed look at the different types of administrative safeguards HHS requires in order to comply with HIPAA.

Administrative Safeguards are policies and procedures that are implemented to protect the sanctity of ePHI and ensure compliance with the Security Rule. These requirements cover training and procedures for employees regardless of whether the employee has access to protected health information or not.

HHS intentionally built flexibility into the Security Rule. At times, they built clear and specific guidelines to follow for implementation, but with other safeguards, they left the details of executing that piece in the hands of the Privacy Officer at each organization. The two types of standards under the Security Rule are "Addressable Standards" and "Required Standards"; in the list below, (R) marks a required item and (A) an addressable one.

These standards include:

Security Management Process

  • Risk Analysis (R): A process of determining certain security risks and assessing the probability of occurrence and magnitude of the risks.
  • Risk Management (R): The practice to find sufficient security measures to reduce risks and vulnerabilities to reasonable and appropriate levels.
  • Sanction Policy (R): Requires covered entities to apply appropriate sanctions against employees who fail to comply with the security policies and procedures of the covered entity.
  • Information System Activity Review (R): A covered entity must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. The review should be customized to meet the covered entity's risk management strategy and take into account the capabilities of all information systems with ePHI.

Assigned Security Responsibility (R)

The purpose of Assigned Security Responsibility is to identify who will be operationally responsible for assuring that the covered entity complies with the Security Rule. There are no separate implementation specifications for this standard. The standard requires that covered entities select a security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule. It’s important to note that a covered entity can make one person both the Security Officer and Privacy Officer. Also, other individuals in the covered entity may be assigned specific security responsibilities, but one should be selected as the main person responsible. 

Workforce Security

  • Authorization and/or Supervision (A): Implementation of procedures for the authorization and/or supervision of employees who work with electronic protected health information or in locations where it might be accessed. Authorization is the process of determining whether a particular user (or a computer system) has the permissions to carry out a certain activity, such as reading a file or running a program.
  • Workforce Clearance Procedure (A): To establish the procedures necessary to verify that an employee does in fact have the appropriate access for their job function. The covered entity must determine that the access of an employee to electronic protected health information is appropriate.
  • Termination Procedures (A): Termination procedures must be implemented to remove access privileges when an employee, contractor, or other individual previously entitled to access information no longer has these privileges. Regardless of whether the employee leaves the organization voluntarily or involuntarily, procedures to terminate access must be in place, and they should be carried out immediately after the employee is no longer employed by the covered entity. The same process that's implemented for termination should also be used to change access levels if an employee's job description changes to require more or less access to ePHI.

Information Access Management 

  • Isolating Healthcare Clearinghouse Function (R): If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. This only applies in the situation where a health care clearinghouse is part of a larger organization.
  • Access Authorization (A): A covered entity must adopt policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. A covered entity's policies and procedures must clearly identify who has authority to grant access privileges. They must also state the process for granting access. Then, the covered entity must consider how access is established and modified.
  • Access Establishment and Modification (A): A covered entity must implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. So, a covered entity must implement and manage the creation and modification of access privileges to workstations, transactions, programs or processes.

Security Awareness and Training 

  • Security Reminders (A): The covered entity must issue periodic security reminders, for example when policies and procedures are new or updated, when software or hardware is new or upgraded, when new security technology is introduced, or when the Security Rule itself changes.
  • Protection from Malicious Software (A): One important security measure that employees may need to be reminded of is the security software used to protect against malicious software. The covered entity must implement procedures for guarding against, detecting, and reporting malicious software. Under the Security Awareness and Training standard, workforce members must also be trained regarding their role in protecting against malicious software and the system's protection capabilities.
  • Log-in Monitoring (A): Requires that inappropriate or attempted log-ins be tracked, for example when someone enters multiple combinations of usernames and/or passwords to attempt to access an information system. Fortunately, many information systems can be set to identify multiple unsuccessful log-in attempts. Other systems might record the attempts in a log or audit trail. Still others might require resetting of a password after a specified number of unsuccessful log-in attempts.
  • Password Management (A): Covered entities must have procedures for creating, changing, and safeguarding passwords. Also, covered entities must train all users and establish guidelines for creating passwords and changing them during periodic change cycles (e.g., every 60-90 days).
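As an added illustration of the Log-in Monitoring specification above and the Information System Activity Review specification under Security Management Process (example code written for this guide, not from HHS or the original authors), the script below reviews constructed authentication log lines, flags an account whose failed attempts reach a lockout threshold within a time window, and flags a successful log-in that directly follows a run of failures. The log format, field names, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log, one event per line (not real data).
SAMPLE_LOG = """\
2024-03-01T08:00:01 user=jdoe result=FAIL src=10.0.0.5
2024-03-01T08:00:07 user=jdoe result=FAIL src=10.0.0.5
2024-03-01T08:00:12 user=jdoe result=FAIL src=10.0.0.5
2024-03-01T08:00:20 user=jdoe result=FAIL src=10.0.0.5
2024-03-01T08:00:25 user=jdoe result=FAIL src=10.0.0.5
2024-03-01T08:00:31 user=jdoe result=SUCCESS src=10.0.0.5
2024-03-01T09:15:00 user=asmith result=FAIL src=10.0.0.9
2024-03-01T09:15:30 user=asmith result=SUCCESS src=10.0.0.9
this line is malformed and must be skipped
"""

# Assumed log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def review_logins(events, threshold=5, window=timedelta(minutes=10), review_after=3):
    """Return (user, finding, timestamp) tuples: failures reaching `threshold` inside
    `window`, and a success that directly follows `review_after` or more failures."""
    recent_failures = defaultdict(list)  # user -> timestamps of failures still in window
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], e["ts"]
        recent = [t for t in recent_failures[user] if ts - t <= window]
        if e["result"] == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:  # fire once, at the attempt that trips the limit
                findings.append((user, "lockout_threshold", ts))
        else:
            if len(recent) >= review_after:
                findings.append((user, "success_after_failures", ts))
            recent = []  # a successful log-in resets the failure run
        recent_failures[user] = recent
    return findings
```

Running `review_logins(parse_log(SAMPLE_LOG))` reports two findings for jdoe and none for asmith, whose single failure stays below both thresholds.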

Security Incident Procedures 

  • Response and Reporting (R): The covered entities must identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

Contingency Plan 

  • Data Backup Plan (R): Covered entities must establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. Data Backup plans are an important safeguard for all covered entities and a required implementation specification.
  • Disaster Recovery Plan (R): Requires covered entities to establish and implement, as needed, procedures to restore any loss of data. Some covered entities may already have a general disaster plan that meets this requirement; however, each entity must review the current plan to ensure that it allows them to recover ePHI.
  • Emergency Mode Operation Plan (R): Enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
  • Testing and Revision Procedure (A): Periodic testing and revision of contingency plans. This applies to all implementation specifications under the Contingency Plan standard, including the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan.
  • Applications and Data Criticality Analysis (A): Assess the relative criticality of specific applications and data in support of other contingency plan components. This requires covered entities to identify their software applications (data applications that transmit, maintain, or store ePHI) and determine how important each is to patient care or business needs, in order to prioritize data backup, disaster recovery, and/or emergency operations plans.

Evaluation (R)

Covered entities must implement ongoing monitoring and evaluation plans. Covered entities must periodically evaluate their strategy and systems to ensure that the security requirements continue to meet their organizations’ operating environments.

Business Associate Contracts and Other Arrangements

  • Written Contract or Other Arrangements (R): Have Business Associate Agreement (BAA) contracts and other arrangements signed that meet the applicable requirements of the Organizational Requirements. The agreed contracts are used to confirm that both parties will be HIPAA compliant in their use of any PII or PHI, both physical and digital/electronic.

What are the administrative safeguards outlined in the Security Rule?

The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in ...

What are the three types of safeguards for the security rule?

The HIPAA Security Rule requires three kinds of safeguards: administrative, physical, and technical.

What are examples of administrative safeguards?

Some examples of administrative safeguards are:

  • Policies and Procedures: a good example of this would be how you document when an employee is either hired or terminated.
  • Staff Training Programs: when you hire a new employee, do you do HIPAA awareness training?

What is not covered by the security rule?

For example, messages left on answering machines, video conference recordings or paper-to-paper faxes are not considered ePHI and do not fall under the requirements of the Security Rule.