9 Q&As That Explain HIPAA Security Rule Safeguards


The Security Rule defines administrative safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
The Security Rule defines technical safeguards as “the technology and the policies and procedures for its use that protect electronic protected health information and control access to it.”

Healthcare security is a hydra. Just when you thought you’d taken care of one security crisis, another arises to take a bite. How is a healthcare organization to defend itself against so many threats? The Health Insurance Portability and Accountability Act (HIPAA) Security Rule already has the answer: safeguards.

The Security Rule’s safeguard standards help healthcare organizations anticipate and protect themselves from the many-faced threats to their data. This blog will answer nine questions about HIPAA Security Rule safeguards to help you stay safe and secure.

Q: What is the purpose of safeguards under the HIPAA Security Rule?

A: Safeguards protect patients’ electronic protected health information (ePHI) from unauthorized access, use, disclosure, alteration, or destruction. Safeguards are the foundation of your security program. Without them, any efforts to protect patient data will collapse.

Q: Are any of the standards addressable?

A: Yes. Many of the safeguard standards are addressable. Remember, addressable doesn’t mean optional. It means you can meet the standard in a way that best suits your organization. In fact, the Security Rule is flexible in many ways. It allows you to use the methods that meet security standards and work for your organization.

Q: What are the three types of safeguards?

A: The HIPAA Security Rule requires administrative, physical, and technical safeguards.

Q: What are HIPAA administrative safeguards?

A: Administrative safeguards comprise half of all the Security Rule’s requirements. They control policies and procedures, manage security measures, and regulate the workforce’s actions. The goal is to make sure nobody has improper access to ePHI. Administrative safeguards are the starting point of your security program. There are nine administrative safeguard standards you must meet:

  1. Security Management Process. Do you have a risk analysis and risk management process?
  2. Assigned Security Responsibility. Who will be your security officer?
  3. Workforce Security. How will you manage employee authorization, clearance, and termination?
  4. Information Access Management. How will you restrict access to your ePHI?
  5. Security Awareness and Training. Did you know nearly 58% of healthcare security incidents involve insiders?
  6. Security Incident Procedures. How will you identify, report, mitigate, and document security incidents?
  7. Contingency Plan. Do you have an emergency response plan?
  8. Evaluation. Does your security program support the changing needs of your organization?
  9. Business Associate Contracts and Other Arrangements. Do you have written assurance that your vendors who handle ePHI will safeguard it?

Q: What are HIPAA physical safeguards?

A: Physical safeguards protect your information systems, buildings, and equipment from various hazards. Hazards include natural disasters and unauthorized intrusion. Furthermore, you must safeguard external points of access to ePHI, such as employees’ homes. There are four physical safeguard standards:

  1. Facility Access Controls. How will you ensure only authorized people can access your facility and equipment?
  2. Workstation Use. Do you have policies about how employees should use their workstations?
  3. Workstation Security. How will you protect your workstations from unauthorized users?
  4. Device and Media Controls. How do you account for, dispose of, reuse, backup, and store devices and media containing ePHI?

READ MORE: How to Safely Manage Your Mobile Media

Q: What are HIPAA technical safeguards?

A: The healthcare industry is adopting new technology at a rapid rate. Therefore, the technical safeguards found in the Security Rule are as vital as ever. You can decide which technologies are reasonable and appropriate for your organization, as long as you maintain the five technical safeguard standards. Without these safeguards, your systems and ePHI will be at risk from hackers and thieves.

  1. Access Control. Do you use unique user identification, automatic logoff, encryption, and other controls?
  2. Audit Controls. Do you examine your information systems that handle ePHI for potential security issues?
  3. Integrity. How do you protect ePHI from improper alteration or destruction?
  4. Person or Entity Authentication. Do you use passwords, keycards, fingerprints, or other employee identification?
  5. Transmission Security. How do you guard ePHI as it travels over electronic communications networks?

Q: What is the HIPAA “double lock rule”?

A: There’s some confusion about how you must secure your sensitive data. Some people think HIPAA requires what’s known as the “double lock rule.” They believe you must keep two layers of protection on your PHI, such as locking a filing cabinet and keeping it in a locked room. However, the double lock “rule” is not a HIPAA rule.

Again, HIPAA is flexible. There isn’t a single method for maintaining the confidentiality, integrity, and availability of ePHI. Instead, you should use security measures that best suit your organization. A double-locking method may be useful for some organizations, but it’s not required.

Graphic of a cellphone with credit card, driver's license, and other personal data

Q: Do I need technical safeguards for mobile devices?

A: Yes! Unsecured mobile devices can threaten your ePHI and hinder patient care. According to Verizon’s Mobile Security Index 2019, “79% of healthcare organizations said that the risks associated with mobile devices are serious and growing.”

Last year, 25% of healthcare organizations were compromised due to poor mobile device security. Many of these organizations described the breach as “major with lasting repercussions.” The two biggest causes of compromise were employees’ personal devices and mistakes. However, very few of these organizations had measures in place to spot and correct these security issues.

Last year, 25% of #healthcare companies were compromised due to a #mobile device. According to Verizon’s Mobile Security Index, “the risks associated with mobile devices are serious and growing.” What are you doing to secure your devices? @VZEnterprise #security #breach #HIPAA pic.twitter.com/bazs1QKVWH

— HIPAAtrek (@hipaatrek) April 15, 2019

One way to secure your organization’s devices is to use Unified Endpoint Management (UEM). UEM can manage and secure many different servers and devices from a single console. This makes it easier for IT administrators to configure and monitor the various types of devices at an organization.

Q: When should I implement HIPAA safeguards?

A: Now! However, you can’t put safeguards in place if you don’t first know what you already have and what you lack. Therefore, you must check your current security controls by conducting a security risk analysis. From there, you will develop a risk management plan. Furthermore, make sure you have policies and procedures that describe how you will implement and maintain your administrative, physical, and technical safeguards.

Are you up to date with HIPAA?

Check out our cheat sheet for staying up to date with changing regulations!

Need a Nudge in the Right Direction?

A robust HIPAA security program will help your organization detect and defend itself against the hydra of security threats. We designed a compliance management solution with security and simplicity in mind. From our cloud-based platform, you can create custom security reminders to aid in staff training.

Additionally, when you encounter a security incident, you can easily log the details of the incident in HIPAAtrek. This helps you keep track of your mitigation efforts and makes you audit-ready.

Contact us to learn more or request a personalized demo today.

P.S. Stick around! Next week’s post will answer common questions about privacy safeguards.

Request A HIPAAtrek Demo

HIPAAtrek User
Compliance is complicated. Your compliance software doesn’t have to be. Schedule your demo today!

You Might Also Like

Double Extortion: What It Is, and How You Can Prevent It

If organizations refuse to pay their ransom, attackers are threatening to release the data publicly. This will of course include sensitive information and PHI. Before Double Extortion, we assumed that hackers could not actually access our data and were only with-holding it from victims to disrupt the ability to continue their work. Now we know they can extract this information and publish it online, breaching our patient’s security.

Read More »