Why Technical Safeguards?

Technical safeguards protect PHI and have become a major part of any HIPAA Privacy program. They are key elements that help maintain the safety of ePHI as the internet changes. Technical safeguards are therefore important because of technology advancements in the health care industry. The challenge for healthcare organizations is protecting electronic protected health information (ePHI), most importantly items such as electronic health records, from various internal and external risks.

Comply with Technical Safeguards

The HIPAA Security Rule requires a covered entity to comply with the Technical Safeguard standards and certain implementation specifications. A covered entity may use any security measures that allow it to reasonably and appropriately do so.

Define “Technical Safeguards”

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” The rule is based on several fundamental concepts: flexibility, scalability and technology neutrality. Therefore, no specific requirements for types of technology to implement are identified.

Implementing “The Security Rule”

The Rule allows the use of security measures that let a covered entity reasonably and appropriately implement the standards and implementation specifications. Because of this, the covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization. There are a variety of measures which can assist an organization to meet these standards. A more detailed description can be found in the HIPAA Security Series published by HHS.gov.

Access Controls

Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of the Information Access Management standard under the Administrative Safeguards section of the Rule.
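As an added illustration of the minimum-necessary principle described above (example code, not from HHS or the original article), the snippet below evaluates a constructed set of role-based access rules against a requested set of ePHI fields, returns only the permitted fields, and records the decision for audit. Role names, field names and the sample record are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed access rules: each role may see only the ePHI fields it needs.
# Roles and fields are hypothetical, not taken from any real covered entity.
ACCESS_RULES: Dict[str, FrozenSet[str]] = {
    "billing_clerk": frozenset({"patient_id", "insurance_id", "billing_codes"}),
    "nurse": frozenset({"patient_id", "name", "allergies", "medications", "vitals"}),
    "physician": frozenset({"patient_id", "name", "allergies", "medications",
                            "vitals", "diagnosis", "notes"}),
}

# Constructed sample ePHI record used as input for the example.
SAMPLE_RECORD: Dict[str, object] = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "insurance_id": "INS-12345",
    "billing_codes": ["99213"],
    "allergies": ["penicillin"],
    "medications": ["lisinopril"],
    "vitals": {"bp": "120/80"},
    "diagnosis": "hypertension",
    "notes": "follow up in 3 months",
}

AuditEntry = Tuple[str, List[str], List[str]]  # (role, granted, denied)


@dataclass
class AccessDecision:
    granted: Dict[str, object]  # only the fields the role is permitted to see
    denied: List[str]           # requested fields withheld under the rules


def minimum_necessary_view(role: str, record: Dict[str, object],
                           requested: Iterable[str],
                           audit_log: List[AuditEntry]) -> AccessDecision:
    """Return the subset of `requested` fields that `role` may access.

    Unknown roles get an empty allow-list (default deny). Every decision,
    including denials, is appended to `audit_log` so reviews can show who
    asked for what.
    """
    allowed = ACCESS_RULES.get(role, frozenset())
    requested = list(requested)
    granted = {f: record[f] for f in requested if f in allowed and f in record}
    denied = [f for f in requested if f not in allowed]
    audit_log.append((role, sorted(granted), sorted(denied)))
    return AccessDecision(granted=granted, denied=denied)
```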

CMS Security Rule

New Guidance from HHS

On December 12, 2012, the Department of Health and Human Services (HHS) published a News Release on its website regarding a new initiative for providers that gives guidance on how to safely keep PHI on mobile devices. The initiative is called “Know the Risks, Take the Steps, Protect and Secure Health Information.”

The recommendations place providers on notice as to what HHS expects them to do to protect PHI:

  • Use a password or other user authentication.
  • Install and enable encryption.
  • Install and activate remote wiping and/or remote disabling.
  • Disable and do not install or use file sharing applications.
  • Install and enable a firewall.
  • Install and enable security software.
  • Keep your security software up to date.
  • Research mobile applications before downloading.
  • Maintain physical control (i.e., protect against lost devices).
  • Use adequate security to send or receive health information over public Wi-Fi networks.
  • Delete all stored health information before discarding or reusing the mobile device.

Please review the security that you use for your mobile devices to make sure that you are providing the protections that are expected.

The Importance of “The Security Rule”

Technical safeguards are important due to technology advancements. The takeaway is that Technical Safeguards protect PHI. Most importantly, covered entities and business associates who deal with electronic PHI must review their use of Technical Safeguards to be fully in compliance.

Feel free to contact us for more guidance on this important topic.