From a practical standpoint, the Security Rule is probably the most relevant section of HIPAA for health tech companies. The Security Rule operationalizes much of the Privacy Rule by setting standards for protecting electronic protected health information (ePHI) and the technology used to access, store, transmit, or process it.
One of the most important things to understand about the Security Rule is that while it sets standards that must be met by covered entities (CEs) and by health tech companies that qualify as business associates (BAs), it is not overly prescriptive about how those standards must be met. Complying with the Security Rule is therefore more an exercise in reasonable, documented risk mitigation than in ticking off a checklist of specific practices and protocols.
The Security Rule divides its implementation specifications into “required” and “addressable” ones across the administrative, technical, and physical safeguards, and it adds organizational requirements (such as business associate contracts) along with policy, procedure, and documentation requirements.
For example, the Security Management Process standard within the administrative safeguards carries four required implementation specifications:
- Risk analysis
- Risk management
- Sanction policy
- Information system activity review
Under this standard, companies must conduct an accurate and thorough assessment of the risks and vulnerabilities to the PHI they handle, and then implement security measures sufficient to reduce those risks to a reasonable and appropriate level. They must also apply sanctions against workforce members who fail to comply with their security policies and procedures, and regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. In practice, that last requirement means a CE or BA's data platforms must actually generate and retain records of who accessed PHI, when, and how, so that those records can be reviewed.
“Addressable” does not mean optional. For each addressable specification, a CE or BA must assess whether the measure is reasonable and appropriate in its environment and, if so, implement it; if not, it must document why and implement an equivalent alternative measure where one is reasonable and appropriate. For these choices it is vitally important that companies document the reasoning behind them, because that written rationale is what demonstrates compliance.
Some general best practices to conform to the Security Rule’s addressable specifications include:
- Limiting PHI collection, usage, and retention to only what is essential for successful business operations.
- Aggregating or de-identifying data wherever the business goal allows, since data that has been properly de-identified under HIPAA is no longer PHI and falls outside the Rule's scope.
- Periodically reviewing and updating security measures and documentation in response to environmental and operational changes that affect security of PHI.
Because portions of the Security Rule are open to interpretation, many health technology companies need to know what their unique situation requires to comply with HIPAA and avoid legal fines and penalties. Reach out to Elevation today—we have the expertise to confidently help your business navigate this regulatory landscape!