The different types of safeguards can support each other to build a strong security management program. In this blog post, we take a closer look at each category of security controls to better understand their functions when developing HIPAA documentation and training materials.
What are Safeguards?
The U.S. Department of Health and Human Services (HHS) uses the term safeguards for the security measures that reduce the risk of attack on the systems you use to handle protected health information (PHI). If you access, store, transmit, create, view, process or print PHI, or connect to an application that handles it, at least one type of security control must be in place. More often than not, several different types of security control work together to adequately protect a single resource.
HIPAA Administrative Safeguards
Administrative safeguards are often overlooked by otherwise well-intentioned healthcare providers and other covered entities. Implementing them is the responsibility of people rather than systems, and because this kind of work is hard to automate, it is at risk of being neglected.
The HHS Security Rule (45 CFR 164.308) defines the following administrative safeguard standards as necessary for HIPAA compliance:
- Security Management Process (risk analysis and risk management)
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts
- Policies and Procedures (the documentation requirements of 45 CFR 164.316)
It is important to ensure that staff members are properly trained to understand these controls. Setting up technical or physical controls without the associated administrative controls leaves gaps in your compliance program.
HIPAA Technical Safeguards
Technical safeguards are the mechanisms in your systems that can be configured to protect electronic PHI automatically.
The HHS Security Rule (45 CFR 164.312) defines the following technical safeguard standards as necessary for HIPAA compliance:
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
Configuring the network authentication system so that every staff password must contain upper and lowercase letters is one example of a technical safeguard. Other common technical controls include firewall rules, role-based group policy settings, the algorithm you choose to encrypt data, and the alerting service that emails an administrator when your application records a failed login attempt.
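The two technical controls named above, a password composition check and failed-login alerting fed by audit records, are easy to show in code. The following Python is an added example written for this post, not code from HHS or from any product the post describes. The audit log format, the sample lines, the thresholds and the `notify` hook are all made up for the illustration; a real deployment would read its own authentication log format and route alerts through its own email or ticketing service.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample audit log lines (invented for this example, not real data).
# Note the malformed last line: a detector must skip bad input, not crash on it.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z login user=jdoe ip=10.0.0.5 result=FAIL
2024-03-01T09:00:07Z login user=jdoe ip=10.0.0.5 result=FAIL
2024-03-01T09:00:15Z login user=jdoe ip=10.0.0.5 result=FAIL
2024-03-01T09:00:20Z login user=jdoe ip=10.0.0.5 result=FAIL
2024-03-01T09:00:25Z login user=jdoe ip=10.0.0.5 result=FAIL
2024-03-01T09:01:00Z login user=asmith ip=10.0.0.9 result=FAIL
2024-03-01T09:01:10Z login user=asmith ip=10.0.0.9 result=FAIL
2024-03-01T09:01:20Z login user=asmith ip=10.0.0.9 result=FAIL
2024-03-01T09:02:00Z login user=asmith ip=10.0.0.9 result=OK
2024-03-01T09:30:00Z login user=jdoe ip=10.0.0.5 result=FAIL
this line is malformed and must be skipped
"""

# Hypothetical log format assumed for the example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

Alert = namedtuple("Alert", "kind user ip ts")


def parse_line(line):
    """Parse one audit line; return (ts, user, ip, result) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["ip"], m["result"]


def detect_login_abuse(lines, burst_threshold=5, window=timedelta(minutes=10),
                       success_after=3, notify=None):
    """Sliding-window detector over audit log lines.

    Alerts when one (user, ip) pair accumulates `burst_threshold` failures
    inside `window`, and when a success follows `success_after` or more
    recent failures (a possible successful password guess). `notify`, if
    given, is called with each Alert and stands in for the email hook.
    """
    recent = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    alerts = []

    def raise_alert(kind, user, ip, ts):
        alert = Alert(kind, user, ip, ts)
        alerts.append(alert)
        if notify is not None:
            notify(alert)

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip lines that do not match the format
        ts, user, ip, result = parsed
        q = recent[(user, ip)]
        while q and ts - q[0] > window:   # expire failures that fell out of the window
            q.popleft()
        if result == "OK":
            if len(q) >= success_after:
                raise_alert("success_after_failures", user, ip, ts)
            q.clear()
            continue
        q.append(ts)
        if len(q) >= burst_threshold:
            raise_alert("failed_login_burst", user, ip, ts)
            q.clear()                     # one alert per burst, not one per extra failure
    return alerts


def meets_password_policy(password, min_length=12):
    """The composition rule from the text (mixed case) plus a digit and a minimum length."""
    return (len(password) >= min_length
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is the detector reports two alerts on the sample: a five-failure burst for `jdoe` at 09:00:25 and a success after three failures for `asmith` at 09:02:00; the lone `jdoe` failure at 09:30 falls outside the window and stays quiet. The "success after failures" rule is the one worth keeping even when the burst rule is noisy, since that is the event that indicates a guess may have worked.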
HIPAA Physical Safeguards
Physical safeguards are exactly what they sound like: the controls that protect PHI in your facilities and on your devices. They may seem “low tech”, but they are every bit as important as the administrative and technical safeguards. These safeguards are designed to stop an unauthorized person from walking off with your server or plugging a cable straight into your router.
The HHS has identified the following physical controls as necessary for HIPAA compliance:
- Facility Access
- Workstation Use
- Workstation Security
- Device and Media Controls
If members of your staff access PHI from workstations located in high traffic areas, you might decide to install screen barriers and use locking cables to tether the computer to the wall. When you are responsible for handling paper PHI, it should be stored in a locked desk or file cabinet inside a locked room with a key available only to authorized staff members. Security cameras can be installed at facility entrances, exits and in areas where PHI is stored.
- Administrative, technical and physical safeguards are all critical to maintaining the security of the confidential information your business holds.
- Failing to maintain adequate security in any of these areas can lead to fines from the HHS Office for Civil Rights (OCR).