What is the HIPAA Security Rule?

by Kapua Iao

HIPAA requirements for PHI disclosure

The HIPAA Security Rule (published in 2003, with compliance required from April 2005) sets out the safeguards that covered entities and their business associates must have in place for HIPAA compliance. Since HIPAA's enactment in 1996, the U.S. Department of Health and Human Services (HHS) has issued a series of implementing rules and amendments, including the Security Rule, to strengthen protections and clarify responsibilities.

Understanding HIPAA is essential for covered entities and their business associates, who must protect protected health information (PHI) while still delivering effective patient care.

So what does the Security Rule add to HIPAA, and how does it help healthcare organizations reduce their exposure to cyberattacks?

A HIPAA summary

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients. Congress enacted HIPAA to improve the portability of health coverage, combat healthcare fraud and abuse, and simplify administration; HHS writes and maintains the regulations that implement it.

HIPAA is regulated and enforced by HHS's Office for Civil Rights (OCR) and consists of five sections (or titles). Most referenced is Title II, which sets the policies and procedures for safeguarding PHI. The rules and legislation that built on it include:

  • Privacy Rule (compliance date 2003): sets standards for the use and disclosure of PHI in any form and for individuals' rights over their records
  • Security Rule (compliance date 2005): establishes the standards for protecting PHI in electronic form (ePHI)
  • Enforcement Rule (2006): sets HIPAA enforcement procedures and the civil penalties for non-compliant covered entities and business associates
  • HITECH Act (2009): separate legislation that promotes the adoption and meaningful use of health IT and strengthened HIPAA's enforcement and breach-reporting provisions
  • Breach Notification Rule (2009): requires covered entities to notify affected individuals and HHS (and, for large breaches, the media) after a breach of unsecured PHI
  • Omnibus Final Rule (2013): implements HITECH, extending direct liability to business associates and strengthening privacy protections

So what is the Security Rule?

The Security Rule operationalizes the Privacy Rule for ePHI: where the Privacy Rule defines what may be used and disclosed, the Security Rule addresses how that information must be protected, while remaining technology-neutral so that organizations can adopt new technologies.

Under the Security Rule, covered entities and business associates must:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit
  • Identify and protect against reasonably anticipated threats to the security or integrity of that information
  • Protect against reasonably anticipated impermissible uses or disclosures
  • Ensure compliance by their workforce

The rule further requires reasonable and appropriate administrative, physical, and technical safeguards (45 CFR 164.308, 164.310, and 164.312 respectively). Examples in each category:

  • Administrative: written policies and procedures, security management processes (including risk analysis), information access management, contingency plans, and workforce training
  • Physical: facility and storage access controls, workstation use and security, device and media controls, storage and backup location and access, and media removal and disposal
  • Technical: access controls (unique user IDs, login and password controls), audit controls, integrity controls, person or entity authentication, and transmission security such as encryption of ePHI in transit and at rest

Covered entities and business associates must make a concerted effort to prevent data breaches, whether caused by human error, a cyberattack, or a technical failure. If they do not, the organization may face an OCR investigation, a finding of HIPAA violation, and civil monetary penalties.

A non-compliant organization may also find itself listed on OCR's public breach portal (informally the "Wall of Shame", which lists breaches affecting 500 or more individuals) and subject to fines, angry patients, and a long, expensive cleanup.

Implementing the Security Rule

There is no official certification by which healthcare providers can demonstrate HIPAA compliance, and no one-size-fits-all security solution suits every organization.

Given this, it can be hard for organizations to work out which implementation specifications are required and which are addressable, and which cybersecurity solutions together form a comprehensive, layered security program. Note that "addressable" does not mean optional: the organization must implement the specification or document why it is not reasonable and appropriate and put an equivalent alternative in place.

It is up to each organization to understand and correctly implement the requirements of the HIPAA Privacy and Security Rules. The first step toward compliance is therefore reading and understanding HIPAA and its amendments.

The second step is the risk analysis, a required implementation specification under the Security Rule (45 CFR 164.308(a)(1)(ii)(A)). It identifies where ePHI is created, stored, and transmitted and what threatens it, so that the organization can choose the most appropriate administrative, physical, and technical safeguards.

The third step is putting those choices into practice by writing the cybersecurity policies and procedures the analysis calls for.

The final step is implementing the policies and procedures you have settled on. That is not the end of the work, however: safeguards must be checked, audited, and updated regularly, and the risk analysis revisited whenever the environment changes.

How Paubox can help

Email that carries ePHI falls under the Security Rule's transmission security standard, which makes HIPAA compliant email an important part of compliance. No healthcare provider wants to face a breach, and cyberattacks against healthcare organizations occur at an alarming rate.

With Paubox Email Suite Plus, healthcare providers can transmit PHI by email because Paubox's patented software encrypts every outgoing message by default, without requiring the sender to take any extra action.

Our solution is simple for employees to use since it easily integrates with platforms like Google Workspace and Microsoft 365. No need to use patient portals or third-party apps to communicate with patients.

We also recently added a Zero Trust Email feature for our Plus and Premium customers, which applies an AI-powered proof-of-legitimacy check to each email before delivering it.

Let Paubox secure your communication and support your HIPAA compliance.

Try Paubox Email Suite Plus for FREE today.