HIPAA Security Rule

HIPAA Help: What Are the 3 Standards of the HIPAA Security Rule?

Between August 2020 and July 2021, there were 706 healthcare data breaches. This involved exposure to over 500 records and healthcare data for 44,368,781 people. That represents an average of 58.8 breaches of about 3.70 million records a month.

All healthcare providers, health plans, or healthcare clearinghouses, should feel alarmed. The COVID-19 pandemic has created many obstacles to HIPAA Security Rule compliance. Data collection and exchange via fax machines have caused bottlenecks for disease tracking.

This has led to inconsistent reporting of data points. The US Digital Service is now engaged in enhancing data exchange. Also, President Biden issued an Executive Order to advance public health and data analytics.

Do you need help ensuring that your facility is compliant with the HIPAA Security Rule? Keep reading to learn more about the rule and what you need to know.

What Is the HIPAA Security Rule?

Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. The Patient Protection and Affordable Care Act (ACA) was passed in 2010. Amendments involving Medicare and Medicaid also affect information technology (IT) in healthcare.

These laws impact patient portals, electronic health records (EHRs), and other mobile technology. The goal is to improve patient safety, efficiency, and quality of care. Anyone who uses these systems including healthcare professionals, patients, and families is affected.

All covered entities (healthcare providers, health plans, and health care clearinghouses) must meet compliance. The standard defines the safe storage of electronically protected health information (ePHI).

The regulations include a series of legal requirements and standards. All covered entities must put in place the Required Specifications. These include Administrative, Physical, and Technology safeguards.

Covered entities need to determine if Addressable Specifications are appropriate and reasonable. If so, they should install those safeguards.

If you decide the specifications aren’t reasonable or appropriate, document the rationale. Then document and put in place alternate standards to address the risk.

Showing that you meet the Required Rules is easy because you either do or do not. For Addressable Specifications, make sure you explain how your measures adhere to the objectives.

1. Administrative Safeguards of HIPAA

Administrative safeguards include specific policies and procedures focused on ePHI protection. The standard requires applicable entities to develop, install, and maintain these security measures.

All administrative safeguards should also include contingency plans. These address possible emergencies that risk the ePHI’s confidentiality and integrity.

ePHI Risk Assessment

Entities must conduct a cybersecurity risk assessment related to the protection of ePHI. Each stakeholder has different compliance needs. Some use highly secured cloud computing while others need cutting-edge payment encryption.

HIPAA rules are flexible to meet the different security risks. Thus, it’s key to begin by assessing your risk areas before creating the compliance plan. This also applies to facilities using certified EHR technology.

You may use a third-party firm to conduct an initial and then ongoing risk assessment. They can help detect overlooked risks. This ensures that you stay compliant as your practice or business grows and changes.

Employee Training

Covered entities must provide initial and ongoing employee training on HIPAA Security compliance. The employer is to offer this education at no charge to all workers who interact with PHI. Having a well-trained staff provides a big layer of protection against security breaches.

Assign Specific Responsibilities

Each employee who works with PHI should know what their specific role is. Depending on the size of your company, you may wish to name a HIPAA compliance officer. Smaller entities may create other security procedures to address ePHI protection.

2. Physical HIPAA Security Safeguards

All covered entities must create restricted physical access to structures and IT equipment. The IT systems containing ePHI are required to establish protection against unauthorized access. You can’t rely on certified electronic health records technology (CEHRT) for compliance.

Physical barriers include authorization codes or biometrics such as fingerprints to enter doors. Multi-factor authorization to access software and networks is another protective measure. Consider using screen protectors and barriers to prevent unauthorized viewing of data.

3. Technical Safeguards of HIPAA

IT safeguards include policies and procedures for using the selected cybersecurity technology. It must provide high levels of protection for ePHI.

IT security addresses all interactions with cloud servers, on-site architecture, and user interfaces. If employees use different workstations, create individual login profiles and emphasize logout rules. Remote workers must meet specific protocols to keep ePHI off personal devices.

Routine firewalls and other basic security technology often aren’t enough. They may not provide the level of cyber protection needed. Consider investing in high-level cybersecurity solutions to meet HIPAA Security standards.

Cyberthreats are changing almost daily and thus, your defense system must adapt. This is one reason HIPAA and the Health and Human Services (HHS) don’t specify which products to use. It’s important to document ongoing assessments and changes made to enhance security.

HIPAA Security Rule For Third-Party Vendors and Partners

Even if you’re facility has met every criterion for the Security Standard, you may still face risk. If you work with a third-party vendor or partner, you’re responsible for ensuring they are compliant. Request documentation from the companies you work with describing their security plan.

Do You Want Help with Ensuring HIPAA Security Rule Compliance?

This article gave an overview of the three HIPAA Security Rule required specifications. The HIPAA Security Suite® by Acentec keeps medical facilities and business associates compliant. They provide risk assessments, security compliance, staff training, and HIPAA certification.

For one flat-rate fee, we’ll manage all your IT services. Our software solutions filter and sanitize emails before delivery to customers.

Acentec provides the highest level of cybersecurity protection. This includes spam scoring, virus scanning, real-time intent analysis, reputation checks, and more. We also keep policy and procedure manuals compliant with the HITECT Act.

Schedule a consultation today to get started.

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.

Sign Up

Scroll to Top