How does HIPAA provide security?

HIPAA establishes security through the HIPAA Security Rule, which obliges healthcare providers to safeguard ePHI. They must implement administrative, physical, and technical safeguards to achieve this. 

HIPAA’s Security Rule requires companies to assess their security needs and implement adequate security measures by HIPAA’s security requirements. While it doesn’t specify exact measures for every organization, it encourages entities to tailor security measures based on the following:

• Size, complexity, and capabilities
• Technical infrastructure
• Cost considerations
• Potential risks to ePHI

Entities must also continuously review and adapt their security measures to safeguard ePHI.

Three standards of the HIPAA security rule

The HIPAA Security Rule consists of 3 key implementation standards: 

Administrative safeguards

Administrative safeguards require covered entities to conduct risk analysis, identify potential ePHI risks, and implement appropriate security measures. 

Key activities include evaluating risk likelihood and impact, documenting chosen security measures, and maintaining continuous security protections. This risk analysis process is ongoing.

Physical safeguards

Physical safeguards safeguard the physical security of areas where you store ePHI. For example, alarm and security systems and locked storage areas. Key elements include controlling facility access and securing workstations and electronic media.

Technical safeguards

Technical safeguards involve firewalls, encryption, and data backup to secure ePHI. These safeguards include access controls, audit controls, integrity controls, and transmission security. 

Access controls ensure that only authorized individuals can access ePHI, while audit controls track access to ePHI-containing systems. Integrity controls prevent unauthorized alterations, and transmission security safeguards ePHI during electronic network transmission.