The HIPAA Security Rule (2005) includes the necessary safeguards that healthcare providers need for HIPAA compliance. Since HIPAA’s enactment in 1996, the U.S. Department of Health and Human Services ( HHS) has established various additions and amendments, including the Security Rule, to ensure stronger protections and responsibilities.
RELATED: HIPAA stands for . . .
Understanding HIPAA is essential for covered entities and their business associates as they balance HIPAA compliance with effective patient care and protecting protected health information (PHI). So what does the Security Rule add to HIPAA, and how can it help healthcare providers avoid cyberattacks?
A HIPAA summary
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients. HHS created HIPAA to improve healthcare standards and combat PHI fraud and abuse.
SEE ALSO: What is HIPAA? Or is it HIPPA?
HIPAA is regulated and enforced by HHS’s Office for Civil Rights ( OCR) and consists of five sections (or titles). Most referenced is Title II, which sets the policies and procedures for safeguarding PHI and includes several later rules:
- Privacy Rule (2003): covers PHI protection as well as compliance standards
- Security Rule: establishes the standards for protecting PHI in electronic form (ePHI)
- Enforcement Rule (2006): sets HIPAA enforcement standards and how to penalize non-compliant healthcare providers
- HITECH Act (2009): promotes the adoption and meaningful use of technology in healthcare
- Breach Notification Rule (2009): requires healthcare providers to report breaches to OCR and affected individuals
- Omnibus Final Rule (2013): incorporates HITECH further by improving privacy protections
So what is the Security Rule?
The Security Rule puts the Privacy Rule into practice by addressing the how of use and disclosure while supporting the adoption and use of new technologies. Under the Security Rule, healthcare providers must:
- Ensure confidentiality, integrity, and availability of ePHI
- Identify and protect against reasonably anticipated threats
- Protect against reasonably anticipated impermissible uses or disclosures
- Ensure employee compliance
The rule further specifies that reasonable and appropriate administrative, physical and technical safeguards are necessary for compliance:
|Policies and procedures||Building/storage access controls||Login and password controls|
|Security management processes||Workstation/computer use||Audit controls|
|Information access management processes||Device and media controls||Encryption|
|Contingency plans||Storage and backup location/access||Storage controls|
|Employee training||Removal and disposal|
Healthcare providers must make a concerted effort to block data breaches, whether from human error, a cyberattack, or a technical failure. If not, the organization may face an OCR investigation and a possible HIPAA violation.
RELATED: What to do after you violate HIPAA
A non-compliant health provider may find itself on HHS’ Wall of Shame and subject to fines, angry patients, and a long, expensive cleanup.
Implementing the Security Rule
There is no certification for healthcare providers to demonstrate HIPAA compliance. Moreover, no one-size security solution fits every organization. Given this, it can be hard for organizations to understand which HIPAA safeguards are addressable versus required and which cybersecurity solutions create a comprehensive, layered security program.
RELATED: Understanding and implementing HIPAA rules
It is up to each organization to understand and correctly implement the requirements set by the HIPAA Privacy and Security Rules. This is why the first step to HIPAA compliance is reading and understanding HIPAA and its amendments. And the second step is putting HIPAA guidelines into practice by creating proper cybersecurity policies and procedures. In between these steps is the foundational HIPAA risk assessment, a mandatory requirement. The risk assessment helps healthcare organizations wade through HIPAA’s specifications so that they can choose the most appropriate administrative, physical, and technical safeguards.
RELATED: New version of HHS Security Risk Assessment Tool released
The final step is implementing the policies and procedures you've settled upon. But that doesn’t mean you should stop working on cybersecurity as everything must be checked, audited, and updated regularly.
How Paubox can help
One of the most important components of the Security Rule is strong email security (i.e., HIPAA compliant email). No healthcare provider wants to face a breach and, unfortunately, cyberattacks against such organizations occur at an alarming rate.
RELATED: Healthcare data breaches – a haunting reality
With Paubox Email Suite Plus healthcare providers can safely transmit PHI via email because Paubox’s patented software automatically encrypts all outgoing messages by default. Our solution is simple for employees to use since it easily integrates with platforms like Google Workspace and Microsoft 365. No need to use patient portals or third-party apps to communicate with patients. We also recently added a Zero Trust Email feature for our Plus and Premium customers, which adds an email AI-powered proof of legitimacy before delivering an email.
RELATED: Why America needs Zero Trust Email
Let Paubox secure your communication and help you remain HIPAA compliant at all times.