Institutional Review Board

Complying with the HIPAA [PHI Data] Security Rule

The HIPAA Security Rule (45 CFR §§ 164.302-164.318) requires Covered Entities and Business Associates to identify and implement reasonable and appropriate Administrative, Physical, and Technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). All ePHI created, received, maintained, or transmitted by an organization is subject to the Security Rule. In contrast, the HIPAA Privacy Rule sets the standards for who may access and disclose PHI, and applies to all forms of protected health information, whether electronic, written, or oral.

To ensure compliance with the Security Rule, Virginia Tech researchers proposing to use PHI should do the following before receiving PHI from a Covered Entity:

  • assess the current information security posture of the systems that will hold the PHI, and identify risks and gaps;
  • develop an implementation plan to address PHI data security: read the Security Rule, review the required and addressable implementation specifications, and determine the security measures to adopt;
  • implement the chosen solutions;
  • document the analysis, the decisions made, and the rationale for those decisions (including, for any addressable specification that is not implemented, why it was not reasonable and appropriate and what equivalent measure was adopted instead); and
  • reassess periodically, and whenever systems, personnel, or the research protocol change.

This webpage provides an overview of the three categories of safeguards that researchers must implement to secure ePHI under the HIPAA Security Rule.

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

Administrative Safeguards

Administrative Safeguards are the policies and procedures that govern the conduct of the workforce and the selection, implementation, and maintenance of the security measures that protect ePHI. They form the backbone of a HIPAA compliance program: security and privacy officials must be designated, a risk analysis completed annually, workforce training implemented, policies and procedures reviewed, and Business Associate Agreements (BAAs) put in place for researchers who handle protected health information (PHI). The nine standards associated with Administrative Safeguards are provided below, along with the actions that must be implemented by the Business Associate/researcher.

A. Security Management Process

  1. Risk Analysis: Perform and document a risk analysis that identifies where ePHI is created, received, stored, and transmitted, and the threats and vulnerabilities that could compromise its confidentiality, integrity, or availability.
  2. Risk Management: Implement security measures sufficient to reduce the identified risks to a reasonable and appropriate level.
  3. Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures.
  4. Information System Activity Reviews: Regularly review records of system activity, such as audit logs, access reports, and security incident tracking reports.

B. Assigned Security Responsibility

  1. Officers: Designate HIPAA Security and Privacy Officers.

C. Workforce Security

  1. Employee Oversight: Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee's access to PHI ends with termination of employment.

D. Information Access Management

  1. Multiple Organizations: Ensure that PHI is not accessed by parent or partner/collaborating organizations or subcontractors that are not authorized for access.
  2. ePHI Access: Implement and document procedures for granting access to ePHI, including access to the workstations, transactions, programs, and processes through which ePHI can be reached.

E. Security Awareness and Training

  1. Security Reminders: Periodically send updates and reminders about security and privacy policies to employees.
  2. Protection Against Malware: Have procedures for guarding against, detecting, and reporting malicious software.
  3. Login Monitoring: Institute monitoring of logins to systems and reporting of discrepancies.
  4. Password Management: Ensure that there are procedures for creating, changing, and protecting passwords.
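The Login Monitoring item above (E.3) asks for monitoring of logins and reporting of discrepancies but does not say what a review of login records looks like. The following is an added example, not code from this page or from Virginia Tech, of the kind of check an Information System Activity Review could run over authentication logs. The log line format, the sample lines, the threshold of five failures in ten minutes, and the three finding types (a burst of failures, a success immediately following such a burst, and a success from a source address not previously seen for that user) are all assumptions made for the example; a real deployment would parse the actual log format of the system that holds the ePHI and tune the thresholds to its own baseline.

```python
"""Review constructed authentication log lines for login discrepancies.

Added example (not Virginia Tech code). The log format below is invented for
illustration; adapt LINE_RE to the real system's authentication log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, user, OK/FAIL result, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)

# Constructed sample log (fictional users and addresses). The last line is
# deliberately malformed so the review also reports unparseable records.
SAMPLE_LOG = """\
2024-03-01T08:00:00 LOGIN user=jdoe result=OK src=10.1.2.3
2024-03-01T08:05:10 LOGIN user=asmith result=FAIL src=10.1.2.9
2024-03-01T08:05:12 LOGIN user=asmith result=FAIL src=10.1.2.9
2024-03-01T08:05:15 LOGIN user=asmith result=FAIL src=10.1.2.9
2024-03-01T08:05:17 LOGIN user=asmith result=FAIL src=10.1.2.9
2024-03-01T08:05:19 LOGIN user=asmith result=FAIL src=10.1.2.9
2024-03-01T08:05:25 LOGIN user=asmith result=OK src=10.1.2.9
2024-03-01T09:30:00 LOGIN user=jdoe result=OK src=203.0.113.7
this line is not a login record
"""

FAIL_THRESHOLD = 5            # assumed: failures per user per window that warrant a finding
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures


def parse(line):
    """Return a dict for a well-formed login record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "result": m["result"],
        "src": m["src"],
    }


def review_logins(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Walk the log once and collect discrepancies worth reporting.

    Each finding is a (kind, user, detail) tuple. Unparseable lines are counted
    rather than silently dropped, since gaps in the audit trail are themselves
    a discrepancy to report.
    """
    findings = []
    recent_fails = defaultdict(deque)   # user -> timestamps of failures inside the window
    burst_flagged = set()               # users already reported for the current burst
    known_srcs = defaultdict(set)       # user -> source addresses seen on successful logins
    unparsed = 0

    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            unparsed += 1
            continue
        user, ts, src = ev["user"], ev["ts"], ev["src"]

        # Drop failures that have aged out of the sliding window.
        fails = recent_fails[user]
        while fails and ts - fails[0] > window:
            fails.popleft()

        if ev["result"] == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold and user not in burst_flagged:
                findings.append(("failure_burst", user,
                                 f"{len(fails)} failures within {window} from {src}"))
                burst_flagged.add(user)
            continue

        # Successful login: a success right after a burst of failures is the
        # classic sign of a guessed or brute-forced password.
        if len(fails) >= threshold:
            findings.append(("success_after_burst", user,
                             f"success from {src} after {len(fails)} failures"))
        fails.clear()
        burst_flagged.discard(user)

        # A success from a source never seen for this user before is reported
        # once the user has an established baseline of at least one success.
        if known_srcs[user] and src not in known_srcs[user]:
            findings.append(("new_source", user, f"first login from {src}"))
        known_srcs[user].add(src)

    return {"findings": findings, "unparsed": unparsed}


if __name__ == "__main__":
    report = review_logins(SAMPLE_LOG)
    for kind, user, detail in report["findings"]:
        print(f"{kind:20s} {user:10s} {detail}")
    print(f"unparseable lines: {report['unparsed']}")
```

On the constructed sample the review reports a failure burst for asmith, a success immediately after that burst, and jdoe's first login from a new address, plus one unparseable line. Whether any of these is a real problem is for the reviewer to decide; the point of the procedure is that discrepancies are surfaced and looked at rather than left in a log nobody reads.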

F. Security Incident Procedures

  1. Response and Reporting: Identify, document, and respond to security incidents.

G. Contingency Plan

  1. Contingency Plans: Ensure that accessible backups of ePHI exist and that there are procedures for restoring any lost data.
  2. Contingency Plans Updates and Analysis: Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
  3. Emergency Mode: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.

H. Evaluations

  1. Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.

I. Business Associate Contracts and Other Arrangements

  1. Put Business Associate Agreements (or equivalent written arrangements) in place with research partners/collaborators who will have access to your PHI, so that they are bound to the same safeguards. Choose partners that have similar agreements with any subcontractors to whom they in turn extend access.

Additional information on Administrative Safeguards can be found here.

Additional information on Organizational, Policies and Procedures and Documentation Requirements can be found here.

Additional information on Risk Analysis and Risk Management can be found here and here.

Physical Safeguards

Physical Safeguards are the measures that control physical access to ePHI and to the facilities, workstations, devices, and media that hold it. In contrast, Administrative Safeguards focus on policies and procedures, and Technical Safeguards on the technology that protects the data. The four standards associated with Physical Safeguards are provided below, along with the actions that must be implemented by the Business Associate/researcher.

A. Facility Access Controls

  1. Contingency Operations: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency (at Virginia Tech this is the Continuity of Operations Plan [COOP]).
  2. Facility Security Plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  3. Access Control and Validation Procedures: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  4. Maintenance Records: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).

B. Workstation Use

  1. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

C. Workstation Security

  1. Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

D. Device and Media Controls

  1. Disposal: Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
  2. Media Re-Use: Implement procedures for removal of ePHI from electronic media (e.g. hard drives, memory sticks) before the media are made available for re-use.
  3. Accountability: Maintain a record of the movements of hardware and electronic media, and of the person responsible for each movement.
  4. Data Backup and Storage: Create a (secure) retrievable, exact copy of ePHI, when needed, before movement of equipment.

Additional information on Physical Safeguards can be found here.

Technical Safeguards

Technical Safeguards are the technology, and the policies and procedures for its use, that protect ePHI and control access to it. The five standards associated with Technical Safeguards are provided below, along with the actions that must be implemented by the Business Associate/researcher.

A. Access Control

  1. Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
  2. Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
  3. Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  4. Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI.

B. Audit Controls

  1. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

C. Integrity

  1. Mechanism to Authenticate ePHI: Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

D. Authentication

  1. Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

E. Transmission Security

  1. Integrity Controls: Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
  2. Encryption: Implement a mechanism to encrypt ePHI whenever deemed appropriate.
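The Integrity standard (C.1) and the Transmission Security integrity control (E.1) both call for an electronic mechanism that lets the recipient or reader of ePHI corroborate that it has not been altered. The following is an added example, not code from this page or from Virginia Tech, of one such mechanism: a keyed message authentication code (HMAC-SHA256, from the Python standard library) computed over a canonical encoding of the record and stored or transmitted alongside it. Any change to the record, its tag, or the key causes verification to fail. The record layout, the sample key, and the patient fields are all constructed for the example; the key in particular would in practice come from a key-management system rather than from source code. Note that an HMAC provides integrity and authenticity only; it does not provide the confidentiality required by the Encryption specifications (A.4 and E.2), which need a separate encryption layer (ideally an authenticated-encryption mode that covers both).

```python
"""Integrity tag for an ePHI record using HMAC-SHA256.

Added example (not Virginia Tech code). Assumes the key is issued and stored
by a key-management process outside this snippet; it is hard-coded here only
so that the example runs offline.
"""
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to each record

# Constructed sample key; in practice, load from a KMS/HSM, never from source.
SAMPLE_KEY = bytes.fromhex("0f" * 32)

# Constructed sample record (fictional patient data for illustration only).
SAMPLE_RECORD = {"mrn": "000123", "dob": "1970-01-01", "dx": ["E11.9"]}


def canonical_bytes(record: dict) -> bytes:
    """Encode the record deterministically so equal records give equal bytes.

    Without a fixed key order and whitespace, two logically identical records
    could serialize differently and the tag would spuriously fail to verify.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(key: bytes, record: dict) -> bytes:
    """Return the canonical record bytes followed by their HMAC-SHA256 tag."""
    payload = canonical_bytes(record)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def verify(key: bytes, sealed: bytes) -> dict:
    """Check the tag and return the decoded record, or raise ValueError.

    The tag is compared in constant time so that a byte-by-byte timing
    difference cannot be used to forge a valid tag.
    """
    if len(sealed) <= TAG_LEN:
        raise ValueError("sealed record too short to carry a tag")
    payload, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record altered or wrong key")
    # Only parse the payload after the tag has been verified.
    return json.loads(payload.decode("utf-8"))


def is_intact(key: bytes, sealed: bytes) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        verify(key, sealed)
        return True
    except ValueError:
        return False


def demo():
    """Seal a record, then simulate a one-byte alteration in storage or transit."""
    sealed = seal(SAMPLE_KEY, SAMPLE_RECORD)
    tampered = bytearray(sealed)
    tampered[5] ^= 0x01           # flip one bit inside the record body
    return is_intact(SAMPLE_KEY, sealed), is_intact(SAMPLE_KEY, bytes(tampered))


if __name__ == "__main__":
    intact, altered = demo()
    print("original record verifies:", intact)   # True
    print("altered record verifies:", altered)   # False
```

The same construction covers both standards: for ePHI at rest, the tag is stored with the record and checked on every read; for ePHI in transit, the sender seals and the receiver verifies before acting on the data. Truncated records, a changed tag, or a different key all fail closed, which is the behaviour the standard asks for (alteration is detected rather than silently accepted).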

Additional information on Technical Safeguards can be found here.

Virginia Tech Contact Information for Additional Assistance/Guidance on HIPAA Compliance

For additional information and guidance on research compliance with HIPAA rules, and safeguard control implementation, contact:

Dr. Gary Sherman
Virginia Tech Office of Research Integrity and Compliance
irb@vt.edu
540-231-3732