Understanding the HIPAA Security Rule and Tailoring Policies to Fit Your Business

Purpose and Practicality

The HIPAA Security Rule[1] was designed to protect the confidentiality, integrity, and availability of a patient’s protected health information (PHI) while allowing flexibility for each covered entity based on their size, complexity, technological capabilities, cost constraints, and the likelihood of potential risks to the electronic PHI (ePHI) they house. To make the ideals of PHI privacy practical, the Security Rule allows for many of its provisions to be modified (the “addressable” provisions) so each covered entity can reasonably and appropriately implement the security requirements in a way that makes sense for their business and correctly captures their capabilities. See 45 CFR § 164.306. Other requirements, which the Security Rule considers to be mandatory, are designated as “required.”


There are 5 main areas of safeguards that the Security Rule requires covered entities to address:

(1)  Administrative safeguards, 45 CFR § 164.308;

(2)  Physical safeguards, 45 CFR § 164.310;

(3)  Technical safeguards, 45 CFR § 164.312;

(4)  Organizational requirements, 45 CFR § 164.314, § 164.504; and

(5)  Documentation requirements, including having policies and procedures, 45 CFR § 164.316.

What should your policies and procedures include?

While it may be tempting to purchase a generic set of HIPAA Security Rule policies and procedures, understand that there is no such thing as a ‘generic’ set that applies perfectly to your business. You do not want to have policies that say your business is capable of performing Security Rule requirements in a particular manner when, in fact, your business does not have that ability. For policies and procedures to be effective on a day-to-day basis internally, and to protect your business from outside scrutiny, the policies and procedures must be tailored to your business. Putting more time into creating and updating these policies now can save you from a big headache (and potential HIPAA violation complaints) later.

Your business’s policies and procedures should include each of the following, and must include them in a way that makes sense for your specific business:

Administrative Safeguards

Required:

·         Risk analysis

·         Risk management

·         Sanction policy

·         Information system activity review

·         Identify the security official responsible for developing and implementing the policies and procedures

·         Isolating health care clearinghouse functions

·         Response and reporting of security incidents

·         Data backup plan

·         Disaster recovery plan

·         Emergency mode operation plan

·         Perform periodic technical and nontechnical evaluations

·         Use written contracts (Business Associate Agreements) or other arrangements as required by 45 CFR § 164.314(a)

Addressable:

·         Authorization and/or supervision of workforce members who work with ePHI or the locations where ePHI might be accessed

·         Workforce clearance procedure

·         Termination procedures

·         Access authorization

·         Access establishment and modification

·         Security reminders

·         Protection from malicious software

·         Log-in monitoring

·         Password management

·         Testing and revision procedures

·         Applications and data criticality analysis

Physical Safeguards

Required:

·         Workstation use

·         Workstation security

·         Disposal of ePHI and/or the hardware or electronic media on which ePHI is stored

·         Media re-use

Addressable:

·         Contingency operations

·         Facility security plan

·         Access control and validation procedures

·         Maintenance records

·         Accountability

·         Data backup and storage

Technical Safeguards

Required:

·         Unique user identification

·         Emergency access procedure

·         Audit controls

·         Person or entity authentication

Addressable:

·         Automatic logoff

·         Encryption and decryption

·         Mechanism to authenticate ePHI

·         Integrity controls in transmission

·         Encryption in transmission

Organizational Requirements

Required:

·         Use Business Associate Agreements (which must contain particular provisions as specified in 45 CFR § 164.314(a) and 45 CFR § 164.504) or other arrangements for special situations

·         Group health plans must document that they will appropriately and reasonably safeguard ePHI

Policies and Procedures and Documentation Requirements

Required:

·         Implement reasonable and appropriate policies and procedures

·         Documentation of required activities or assessments

·         Time limit – must retain required documentation for at least 6 years

·         Availability – must make documentation available to those responsible for implementing the procedures

·         Updates




Take the time to make sure your policies and procedures cover each standard of the HIPAA Security Rule, and that those policies are tailored to your specific business. If you don’t have all of these policies in place yet, be sure to supplement your existing policies so you have a complete set and become HIPAA compliant. As a practical tip, make sure you organize these policies in a way that is easy for you to understand, and include the specific citation to each HIPAA requirement next to the correlating policy or procedure for easy reference. The Security Rule is meant to be flexible enough to make sense for your particular business. Take advantage of that and, if necessary, think of this article as a reminder to give your HIPAA policies a (perhaps much needed) makeover.

About the Author:

Erica Erman is an Associate in Dickinson Wright’s Health Care Practice Group. Her practice areas include healthcare, behavioral healthcare, appellate, and general litigation law. Prior to joining Dickinson Wright, Erica graduated cum laude from the James E. Rogers College of Law at the University of Arizona, and served as a Judicial Law Clerk to the Honorable Robert M. Brutinel of the Arizona Supreme Court. Erica can be reached at 602-889-5342 or eerman@dickinson-wright.com.

[1] HIPAA is comprised of the Security Rule and the Privacy Rule, among other related provisions. This article addresses only the Security Rule.