What Is the HIPAA Security Rule?
HIPAA’s enactment led to the publishing of two sets of standards — the Standards for Privacy of Individually Identifiable Health Information, more commonly known as the Privacy Rule, and the Security Standards for the Protection of Electronic Protected Health Information, known as the Security Rule.
The HIPAA Privacy Rule sets national standards for protecting health information, and the Security Rule addresses how organizations must meet these protection requirements, specifically regarding electronic protected health information (e-PHI). This includes instating both technical and non-technical security measures.
Failing to follow the requirements in the HIPAA Security Rule can lead to costly fines and security breaches that compromise patients’ personal information. Therefore, all relevant organizations that handle e-PHI, including covered entities and business associates, must adhere to HIPAA requirements by establishing necessary cybersecurity protocols.
What Is The NIST CSF Framework?
The NIST Framework for Improving Critical Infrastructure Cybersecurity, shortened simply to Cybersecurity Framework, is a set of guidelines private sector companies across industries can use to enhance their cybersecurity practices. This is a voluntary framework, meaning it isn’t designed as a legal standard that would lead to fines or penalties for non-compliance.
The HIPAA Security Rule is the official standard health organizations must follow, but the NIST CSF can help them meet these requirements, according to the U.S. Department of Health & Human Services. The CSF includes five functions along with specific categories encompassed in each function. The functions call organizations to identify, protect, detect, respond to and recover from cybersecurity risks.
The Importance of a HIPAA Risk Assessment
The HIPAA Security Rule requires that covered entities and business associates periodically assess their security policies and procedures to determine whether they are adhering to the Security Rule’s requirements. Failing to conduct a HIPAA security risk assessment (SRA), also referred to as a security risk analysis, is itself a violation of HIPAA requirements. Additionally, skipping an SRA can leave you unaware of vulnerabilities and potential breaches in HIPAA compliance in your current practices.
You can’t be sure your current policies and practices are in line with HIPAA’s requirements unless you undergo a detailed assessment. This is not an area where you want to rely on a general impression that you’re doing well.
Many HIPAA violations are categorized under the third or fourth of four penalty tiers, which involve “willful neglect” of HIPAA rules. Because it’s been so many years since HIPAA was enacted, and since the Security Rule was last updated in 2013, organizations should be aware of their obligations to safeguard PHI.
The most minor or unavoidable offenses warrant a fine of at least $100 per violation but can be up to $50,000 per violation depending on the magnitude of the problem. When an issue results from willful neglect, organizations can be fined a minimum of $10,000 or up to $50,000 per violation depending on whether there was an attempt to correct the violation.
Some organizations have been fined millions of dollars for their HIPAA violations. In 2018, Anthem, Inc. agreed to pay the OCR $16 million in a record-high settlement for a HIPAA violation.
Since conducting an SRA is a fundamental requirement of the HIPAA Security Rule, failing to conduct an SRA is a form of willful neglect that could warrant severe fines. More importantly, failing to protect your patients’ PHI can lead to a breach in trust that damages your organization’s reputation and makes it difficult for you to rebuild a relationship with the patients whose information you compromised.