Brief Guide to HIPAA IT Compliance

With the concluding stage of the Health Information Technology for Economic and Clinical Health (HITECH) Act set to take effect in 2018, the healthcare and medical industries are increasingly open to customized technologies that raise the quality of healthcare[1]. However, this raises the question of how the Health Insurance Portability and Accountability Act (HIPAA) applies to evolving technologies.

Under HIPAA, covered entities are required to implement information security procedures in their practice in an effort to protect patient confidentiality. For information technology, there are two main rules to follow to maintain HIPAA compliance: the Privacy Rule and the Security Rule.

The Privacy Rule vs. The Security Rule

Most healthcare providers are familiar with HIPAA’s Privacy Rules. The rules establish the national standards used to define protections of patient medical records and other health information[2]. These rules also address the limitations of use and disclosure of patient information, outlining the requirements for authorization and third-party handling.

The Privacy Rules focus on the relationship between the healthcare provider and the patient, and the Security Rules are directly applicable to information technologies. The Security Rules establish the national standards for the protection of patient electronic health information (ePHI) that is created, received, used, or maintained by a covered entity[3]. The rules created three safeguards with implementation specifications to ensure the protection of health information: technical, administrative, and physical.

The Three Safeguards of the Security Rule

The majority of the safeguard standards highlight best practices and implementation approaches for particular scenarios. While not all of these standards are required, HIPAA audits verify that the proper specifications are in place for the entity's context.

Technical Safeguards

The technical safeguards are consistently challenged by the evolving use of information technologies and digital integration. As a result, the technical safeguards allow covered entities to decide how to apply their standards. This offers developers more flexibility in customizing technologies that meet the needs of the entity, so long as the General Requirements from the Code of Federal Regulations (CFR) 164.312 are met[4]:

  • Controls Over Access – Covered entities must implement technical policies and procedures that allow only authorized personnel to access ePHI. This includes the ability or means necessary to read, write, modify, or exchange information.
  • Audit Controls – Covered entities must implement hardware, software, and procedural mechanisms to record and manage access and other activities within information systems that use or host ePHI.
  • Integrity Controls – Covered entities must enforce policies and procedures, and employ electronic measures that ensure ePHI is not improperly altered or destroyed.
  • Transmission Security – Covered entities must implement technical security measures that protect against unauthorized access to ePHI being transmitted through a digital network.
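The following is an added illustration, not code from the original article or from Tiempo Development, showing how three of the four 164.312 general requirements (access control, audit controls, integrity) map to concrete mechanisms in a toy in-memory ePHI store; transmission security is a transport-layer matter (TLS) and is not shown. The roles, users, patient records and key are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed role-to-permission map; the roles and users are assumptions.
PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "facilities": set(),
}

# Constructed demo key; a real deployment would keep this in a key store.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def record_tag(record: dict) -> str:
    """Integrity control: HMAC over a canonical serialisation of the record."""
    canonical = json.dumps(record, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class EphiStore:
    def __init__(self):
        self._records = {}   # patient_id -> (record, integrity tag)
        self.audit_log = []  # audit control: every attempt, allowed or not

    def _check(self, user, role, action, patient_id):
        # Access control: the role must carry the requested permission.
        allowed = action in PERMISSIONS.get(role, set())
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "patient": patient_id, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} ePHI")

    def write(self, user, role, patient_id, record):
        self._check(user, role, "write", patient_id)
        self._records[patient_id] = (dict(record), record_tag(record))

    def read(self, user, role, patient_id):
        self._check(user, role, "read", patient_id)
        record, tag = self._records[patient_id]
        # Integrity control: refuse to serve a record whose tag no longer matches.
        if not hmac.compare_digest(tag, record_tag(record)):
            raise ValueError("integrity check failed: ePHI record altered")
        return dict(record)
```

Denied attempts are logged before the exception is raised, so the audit trail records failures as well as successes, which is what an auditor reviewing access to ePHI will ask to see.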

Administrative Safeguards

The administrative safeguard is the most comprehensive of the three, as it specifies personnel conduct and procedures[5]:

  • Assigned Security Responsibility – The covered entity must identify the security official who is responsible for analyzing security risks to ePHI and implementing the corresponding safeguards.
  • Personnel Security – The covered entity must have policies and procedures in place to ensure that all personnel have appropriate levels of access to ePHI.
  • Information Access Management – This standard limits the Personnel Security standard, stating that access to ePHI is granted only where needed.
  • Workforce Training and Management – There must be appropriate authorization and supervision of personnel who use ePHI.
  • Evaluation – Covered entities must periodically assess their security policies and procedures against those set by the Security Rule.

Physical Safeguards

Where the technical safeguards are focused on internal protections, the physical safeguards provide tangible measures and procedures to add protection to a covered entity’s ePHI system, equipment, and facilities. There are two important standards set by the physical safeguards that all covered entities should keep in mind[6]:

  • Facility Access and Control – Covered entities are responsible for enforcing limited physical access to facilities while ensuring access to authorized personnel.
  • Workstation and Device Security – Covered entities must have policies and procedures that specify the proper use of workstations and electronic media.

The Security Rules of the HIPAA Act provide safeguards that set standards for the protection of ePHI that is created, received, used, or stored by a covered entity. The Security Rules do offer entities a degree of flexibility in how to apply these standards, but it’s important to keep in mind that these standards are not exhaustive: as the scope of information technology evolves, so does the degree of flexibility.

Tiempo Development offers HIPAA-compliant customized software solutions with a full suite of solutions for software, applications, and databases, created by HIPAA-certified pre-built teams that are ready to start developing immediately. To learn more about Tiempo Development’s work in developing high-quality solutions, read our case studies here.

[1] Marianne M. “HITECH Act Stage 3: Security Concerns”. GovInfo Security.

[2] “The Privacy Rule”. U.S. Department of Health & Human Services.

[3] “The Security Rule”. U.S. Department of Health & Human Services.

[4] “Security Standards: Technical Safeguards”. HIPAA Security Series.

[5] “Security Standards: Administrative Safeguards”. HIPAA Security Series.

[6] “Security Standards: Physical Safeguards”. HIPAA Security Series.