This HIPAA Security Series List contains handy links to all seven HHS documents. The links lead to the pages on the official HHS website.
The HIPAA Security Series is a handy reference of guidelines for achieving compliance with the HIPAA Security Rule. The series provides seven helpful documents that cover everything from basic concepts to safeguards to risk analysis. Unfortunately, it isn’t well-linked on the web, which can make it challenging for a provider to find all seven of these important papers.
The HIPAA Security Series List
The HIPAA Security Series is a group of seven documents published by HHS. The purpose of the documents is to make it easier for health care providers to become compliant with the all-important Security Rule. The Rule itself exceeds 500 pages in length. In contrast, the Security Series documents run about 10 pages each. Series articles #1 and #7 in particular are very difficult to track down on the web. Together, the articles guide providers to compliance through the topic areas in the list below:
- HIPAA Security Series #1: Security 101 for Covered Entities
- HIPAA Security Series #2: Security Standards – Administrative Safeguards
- HIPAA Security Series #3: Security Standards – Physical Safeguards
- HIPAA Security Series #4: Security Standards – Technical Safeguards
- HIPAA Security Series #5: Security Standards – Organizational, Policies and Procedures and Documentation Requirements
- HIPAA Security Series #6: Basics of Risk Analysis and Risk Management
- HIPAA Security Series #7: Implementation for the Small Provider
HIPAA Security Series #1: Security 101 for Covered Entities
This is the first HHS document in our HIPAA Security Series List. It contains a plain-English overview of what it takes to achieve compliance with the Security Rule. It explains the purpose of the Rule and compares it to the Privacy Rule. It also gives an overview of the process of achieving compliance. The article covers who must comply with the Rule. It lays out guidelines for following each “standard” in the rule, and classifies the standards as Administrative, Physical, and Technical. It’s a good, simple, 9-page introduction to compliance. At the end is a table with a list of all the safeguards in the rule.
HIPAA Security Series #2: Security Standards – Administrative Safeguards
The second HHS article in our HIPAA Security Series list covers Administrative Safeguards. These are the standards in the Security Rule that cover high-level actions that protect Electronic Protected Health Information (EPHI). The safeguards include a security management process with risk analysis and risk management components. Other safeguards cover the assignment of a security officer, and the enactment of penalties for employees who don’t comply with the standards. There are also standards for workforce supervision, clearance, authorization, monitoring, and emergency plans. The Administrative Safeguards are the foundation of the Rule on which all technological security rests.
HIPAA Security Series #3: Security Standards – Physical Safeguards
This third entry in the list of HIPAA Security Series articles covers Physical Safeguards. These are the standards that protect buildings and equipment related to EPHI storage and transmission. The safeguards govern how to protect the physical side of EPHI from disasters and unauthorized access. For example, one standard in this article requires health care entities to enact policies that limit access to facilities and equipment containing EPHI. Another mandates security controls like picture IDs or badges. Others control the use and securing of workstations and portable media devices. There are also provisions for data backup and the tracking of all portable EPHI storage devices like hard drives, flash drives, and laptops.
HIPAA Security Series #4: Security Standards – Technical Safeguards
The fourth article on the HIPAA Security Series list concerns Technical Safeguards. These are the nuts-and-bolts (or bits-and-bytes) level standards that protect EPHI. They cover encryption, passwords, emergency access, audit controls, and protecting the integrity of PHI against corruption or intentional damage. Specifically, the standards in this guide instruct health care organizations to assign a unique name/number to each user. They mandate the installation of methods to access PHI even during emergencies. They also enforce automatic logouts and the recording and analyzing of all activity in EPHI data systems. Finally, the standards require that all protected data be encrypted during both storage and transmission.
HIPAA Security Series #5: Security Standards – Organizational, Policies and Procedures and Documentation Requirements
The HIPAA Security Series list’s fifth document outlines organizational-level action items including contracts, written policies, and documentation. It defines the Business Associate Contract (BAA) as a document that passes responsibility for EPHI protection on to the associate. It also lays out requirements for group health plans. The article details the “Policies and Procedures” standard as well. That’s a security standard that, simply put, requires all covered health care entities to have policies and procedures in place that protect EPHI. Finally, the Organizational Standards in the document detail the responsibility of each entity to maintain records of their security policies and agreements for six years.
HIPAA Security Series #6: Basics of Risk Analysis and Risk Management
Risk analysis and risk management are the subjects of the sixth article on the HIPAA Security Series list. It covers an organization’s duty to conduct an examination of its EPHI security risks. It also details the need to create and follow a risk management plan. These two key actions form the basis of any health care entity’s HIPAA security plan. Under them, an entity must assess its vulnerabilities, threats, and risks. “Risks” are vulnerabilities plus threats. For example, weak passwords are a vulnerability. Frequent attempts to break into a system constitute a threat. Together, they combine to create an elevated risk. This sixth document in the Series gives examples of the steps to follow to create a risk analysis and risk management plan.
HIPAA Security Series #7: Implementation for the Small Provider
The final item on the list of HIPAA Security Series documents concerns private practices and other small facilities. It aims to help these smaller organizations understand how the Security Rule relates to their scale of operation. The article gives examples of scenarios to bear in mind when working toward compliance. In truth, the article does relatively little to speak specifically to the needs of small health care entities. What it does well is to condense the HIPAA compliance regulatory jungle into a compact form usable by a small organization. It does this by creating a list of questions for the Administrative, Physical, and Technical Safeguards that any small practice can follow in a step-by-step way.
This article provides handy links to all the documents in the HIPAA Security Series list. That list is a useful tool for health care workers interested in achieving HIPAA compliance. Many of the Security Series papers are searchable online, but #1 and #7 in particular are very difficult to find. Further, HHS currently has no easily discoverable page that links all these articles together in one place. The links in this article should make it easier for health care entities to achieve compliance by improving access to these otherwise very helpful HHS resources.