In February 2024, the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce published the final version of NIST Special Publication 800-66 Revision 2, "Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide."
It provides resources and practical guidance to help entities regulated by the HIPAA Security Rule to understand and implement the security standards found in the Rule in order to protect electronic protected health information (ePHI).
ABOUT THE HIPAA SECURITY RULE
The HIPAA Security Rule under the Health Insurance Portability and Accountability Act (HIPAA) focuses on safeguarding the confidentiality, integrity, and availability of ePHI maintained by regulated entities.
According to the guidance, ePHI must be “protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures” by regulated entities, which include:
- Healthcare providers;
- Health plans;
- Healthcare clearinghouses; and
- Business associates.
Covered healthcare providers include any “provider of medical or other health services or supplies who transmits any health information in electronic form in connection with a transaction for which [the Department of Health and Human Services] has adopted a standard.”
The six main sections of the Rule are as follows:
- Security Standards: General Rules;
- Administrative Safeguards;
- Physical Safeguards;
- Technical Safeguards;
- Organizational Requirements; and
- Policies and Procedures and Documentation Requirements.
RISK ASSESSMENT & MANAGEMENT GUIDANCE
The resource guide provides risk assessment guidance, noting that along with risk management, this area is “foundational to a regulated entity’s compliance with the Security Rule” and safeguarding ePHI.
While noting that there is no “single methodology that will work for all regulated entities and all situations,” NIST provides the key elements of a comprehensive risk assessment process and also provides an example risk methodology.
The essential steps consist of the following:
- Preparing for the assessment by identifying where ePHI is created, received, maintained, processed, and transmitted;
- Identifying reasonably anticipated threats to ePHI;
- Identifying potential vulnerabilities and predisposing conditions that could be exploited by threats;
- Determining the likelihood that a threat will exploit a vulnerability;
- Determining the impact of a threat exploiting a vulnerability;
- Determining the level of risk by considering the likelihood and impact; and
- Documenting the risk assessment results.
As with risk assessments, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) does not prescribe any one specific risk management methodology, although the guidance states that any methodology must be one that “effectively safeguards the confidentiality, integrity, and availability of ePHI.” As above, an example methodology is provided.
Regulated entities must rate risks against their own organizational risk tolerance, deciding specifically which risk ratings represent an unacceptable level of risk to ePHI.
They must also implement the following in accordance with the HIPAA Security Rule:
- Standards;
- Required implementation specifications; and
- Addressable implementation specifications.
“Addressable” does not mean optional: under 45 CFR 164.306(d), a regulated entity must implement an addressable specification if it is reasonable and appropriate, or else document why it is not and implement an equivalent alternative measure where reasonable and appropriate.
If risks are not sufficiently addressed, regulated entities must consider implementing additional security controls. For this purpose, the guidance provides a catalog of HIPAA Security Rule standards and implementation specifications in Appendix D of the guide. They must also maintain thorough documentation of risk management activities.
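The assessment and management steps above, carried through as a small ePHI risk register. This is an added example and not code from the NIST guide: the three-level likelihood and impact scales, the combination matrix (modeled loosely on a qualitative NIST SP 800-30 style table), the ePHI locations and the threat/vulnerability pairs are all constructed for illustration, and a regulated entity must choose and document its own scales. Beyond scoring and filtering against tolerance, it flags ePHI locations from the preparation step that never received a threat entry, since an empty row in a register usually means the threat identification step was incomplete rather than that the location carries no risk.

```python
"""Qualitative ePHI risk register. Added example; scales and matrix are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, asdict
import json

LEVELS = ("Low", "Moderate", "High")  # ordered from lowest to highest

# Assumed combination matrix: (likelihood, impact) -> risk level.
RISK_MATRIX = {
    ("Low", "Low"): "Low", ("Low", "Moderate"): "Low", ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low", ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate", ("High", "Moderate"): "High", ("High", "High"): "High",
}


@dataclass
class RiskItem:
    location: str       # where ePHI is created, received, maintained, processed or transmitted
    threat: str         # reasonably anticipated threat
    vulnerability: str  # vulnerability or predisposing condition the threat could exploit
    likelihood: str
    impact: str
    existing_controls: str = ""
    risk_level: str = ""  # filled in by assess()


def rate_risk(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a risk level, rejecting values off the scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in LEVELS:
            raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")
    return RISK_MATRIX[(likelihood, impact)]


def assess(items: list[RiskItem]) -> list[RiskItem]:
    """Score every threat/vulnerability pair (likelihood, impact, risk level)."""
    for item in items:
        item.risk_level = rate_risk(item.likelihood, item.impact)
    return items


def unacceptable(items: list[RiskItem], tolerance: str) -> list[RiskItem]:
    """Risks at or above the entity's tolerance threshold need additional controls."""
    floor = LEVELS.index(tolerance)
    return [i for i in items if LEVELS.index(i.risk_level) >= floor]


def coverage_gaps(locations: list[str], items: list[RiskItem]) -> list[str]:
    """ePHI locations with no identified threat at all: an assessment gap, not a safe system."""
    covered = {i.location for i in items}
    return sorted(loc for loc in locations if loc not in covered)


def document(locations: list[str], items: list[RiskItem], tolerance: str) -> str:
    """Emit the documented assessment and management results as JSON for the record."""
    report = {
        "ephi_locations": list(locations),
        "risk_tolerance": tolerance,
        "risks": [asdict(i) for i in items],
        "requires_additional_controls": [asdict(i) for i in unacceptable(items, tolerance)],
        "coverage_gaps": coverage_gaps(locations, items),
    }
    return json.dumps(report, indent=2)


# Constructed sample inventory; every entry below is illustrative, not a real finding.
SAMPLE_LOCATIONS = ["EHR database", "Billing file share", "Clinician laptops",
                    "Fax-to-email gateway", "Patient portal"]
SAMPLE_ITEMS = [
    RiskItem("EHR database", "Ransomware via phished credentials",
             "No MFA on remote access", "High", "High", "Nightly offline backups"),
    RiskItem("Clinician laptops", "Device theft",
             "Full-disk encryption not enforced", "Moderate", "High"),
    RiskItem("Billing file share", "Insider over-access",
             "Broad share permissions", "Moderate", "Moderate", "Quarterly access review"),
    RiskItem("Fax-to-email gateway", "Misdirected transmission",
             "No recipient verification", "Low", "Moderate"),
]

if __name__ == "__main__":
    print(document(SAMPLE_LOCATIONS, assess(SAMPLE_ITEMS), "Moderate"))
```

With a tolerance of "Moderate", three of the four constructed risks land in the additional-controls list and the portal shows up as a coverage gap; raising tolerance to "High" drops the billing share from the list but does not make the gap go away, which is the point of keeping the two checks separate.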
IMPLEMENTATION CONSIDERATIONS
The guidance provides detailed considerations for the security measures for each standard under the HIPAA Security Rule, focusing on:
- Key activities;
- Descriptions; and
- Sample questions.
As noted above, the standards are in the following areas:
- Administrative safeguards;
- Physical safeguards;
- Technical safeguards;
- Organizational requirements; and
- Policies and Procedures and Documentation Requirements.