<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Controls for Maintaining HIPAA Security Rule Compliance


The Healthcare Insurance Portability and Accountability Act (HIPAA)’s primary objective is to ensure the protection of patients’ privacy as it relates to sensitive healthcare information. As more Protected Health Information (PHI) began to be stored digitally, in turn giving rise to electronic protected health information (EPHI), the Department of Health and Human Services the mandate of HIPAA to include security measures to protect EPHI. The HIPAA security rule, together with the HIPAA privacy rule, make up a cornerstone security standard for health care information technology teams.

What is the HIPAA Security Rule

The HIPAA Security Rule is composed of five main elements: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policy, Procedure, and Documentation Requirements.

The foundation of the HIPAA Security rule, much like many standards, is a security risk assessment. Within the HIPAA Security Rule documentation, the authors directly reference the NIST Risk Management Framework and its six steps as a critical element to both complying with HIPAA and ensuring the protection of patient EPHI. Alongside a risk assessment, there are controls that align with the five elements of the Rule that a covered entity must implement. Here we will dive into a select few that we recommend as a strong foundation for maintaining HIPAA compliance.

Controls for Maintaining HIPAA Security Compliance

Risk Assessment (§ 164.308(a)(1))

As part of the Security Management Process under Administrative Safeguards, a risk assessment enables organizations of all kinds to gain a greater understanding of possible risks both common in the industry but also unique to the organization. With many enterprises adopting a risk-first approach to information security rather than checkbox compliance, a risk assessment is critical to gaining a better understanding of the organization itself.

The HIPAA Security Rule specifically cites the NIST RMF as the recommended methodology for a risk assessment under HIPAA. The value of using the RMF risk methodology is the ability it grants to walk that data easily into the NIST Cybersecurity Framework as well. While this can be a long-term undertaking for organizations, working with the RMF sets the foundation for adopting the CSF as well when the time is right.

Designated Responsibility (§ 164.308(a)(2))

Designated responsibility also falls under administrative safeguards and for any organization that is HIPAA compliant, this is probably one of the first controls that was implemented: ensuring that there is someone within the organization that is responsible for HIPAA compliance.

However, digging deeper into that element, it is critical for any organization handling sensitive data especially healthcare organizations handling EPHI to have a clear chain of responsibility as it relates to compliance and data protection. Expanding on that, having a solution like CyberStrong that enables and tracks the ownership of both assessments as a whole as well as individual controls allows for a clearer understanding of what is getting done to improve security posture as well as streamline a post-mortem following an assessment or cyber event.

Access Controls (§ 164.312(a)(1))

Access controls range from regularly ensuring that over the course of employee lifecycles system access is regularly updated and procedures are put in place to eliminate unauthorized access. While technology plays an essential role in securing an organization, too often organizations lean on it to supplement weak or potential nonexistent policies, procedures, and people-centric control actions that can have a much greater impact on the organization’s security.

In this case, ensuring that the organization makes it a practice to review employee access and limit access to the electronic information systems that store EPHI to only those who need it is critical.

Making Sure the Organization Has the Right HIPAA Security Rule Safeguards

The administrative, physical, and technical safeguards outlined in the HIPAA Security Rule are of course all essential to ensuring compliance with this regulation. Although, health information technology teams must ensure that they implement security measures that also support the unique configuration of risks faced by the organization itself. Furthermore, with the precipitous change in how the world approaches healthcare; the rise of telemedicine, increased reliance on cloud and digital technologies to keep patients safe during the COVID-19 pandemic, it is critical that information security leaders expand their view beyond checkbox compliance and focus on reducing risk.

CyberStrong has enabled healthcare organizations to ensure not just HIPAA compliance but take concrete steps to a greater, more robust cybersecurity program through unprecedented automation and the ability to crosswalk assessment data from one framework (HIPAA) to another (i.e. the NIST CSF). To learn more about how we are helping healthcare organizations maintain HIPAA compliance and increase resiliency give us a call at 1 800 NIST CSF, or click, here, to schedule a conversation.

You may also like

NIST vs. ISO –What You Need To Know
on June 24, 2022

Organizations are increasingly on the lookout for ways to strengthen their cybersecurity capabilities. Many have found solace in compliance frameworks that help guide and improve ...

Top 5 Recommendations For Your ...
on June 22, 2022

Discover, design, validate, promote, and sustain best practice cyber protection solutions to safeguard your people and processes. As the cyber attack surface expands, the Center ...

June Product Update
on June 21, 2022

It’s a celebration! 🎵♪🎵♪ ♩Automate your scores, come on (Let’s automate) Automate your scores, come on (Let’s automate) There’s a party goin’ on right here An automation to last ...

Why You Need CIS Controls for ...
on June 17, 2022

The Center for Internet Security (CIS) is a non-profit organization that helps public sectors and private sectors improve their cybersecurity. The organization aims to help small, ...

Small Business Cybersecurity ...
on June 15, 2022

To achieve peace of mind in the modern threat landscape, small business owners must have a solid security strategy and budget in place. VIPRE’s SMB Security Trends report state ...

Do Small Businesses and Startups ...
on June 10, 2022

Did you know that about 60% of small businesses shut down within 6 months by falling victim to a data breach or cyber-attack, where the average global breach cost hovers at $3.62 ...