Summary of the HIPAA Security Rule


The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information:

establishes national standards for the protection of certain health information

HHS, the Office for Civil Rights (OCR):

has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

The Administrative Simplification provisions of HIPAA (Title II) required the Secretary of HHS to publish:

national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information.

Compliance Schedule:

All covered entities, except "small health plans," must have been compliant with the Security Rule by April 20, 2005. Small health plans had until April 20, 2006 to comply.

The Security Rule assures:

the confidentiality, integrity, and availability of the e-PHI a covered entity creates, receives, maintains or transmits.

The HIPAA Privacy Rule protects:

the privacy of individually identifiable health information, called protected health information (PHI).

Organizational Requirements:

Covered Entity Responsibilities. Business Associate Contracts

Physical Safeguards:

Facility Access and Control. Workstation and Device Security.

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is:

responsible for administering and enforcing these standards, in concert with its enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews.

A major goal of the Security Rule is:

to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.

The Security Rule does not apply to PHI:

transmitted orally or in writing.

The Privacy Rule allows covered providers and health plans to disclose protected health information to:

"business associates."

The Security Standards for the Protection of Electronic Protected Health Information:

(the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.

A "business associate":

is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate.

"Contrary":

means that it would be impossible for a covered entity to comply with both the State and federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.

Information Access Management:

Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).

The Security Rule is flexible and scalable:

The Security Rule allows covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity's business, as well as the covered entity's size and resources.

Risk analysis is part of:

the security management process.

Compliance:

The Security Rule establishes a set of national standards for confidentiality, integrity and availability of e-PHI.

The Security Rule specifies a series of:

administrative, technical, and physical security procedures for covered entities to use to comply with the HIPAA Security Rule.

Security Personnel:

A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.

Audit Controls:

A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.

Integrity Controls:

A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed.

Workstation and Device Security:

A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).

Access Control:

A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

Transmission Security:

A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Facility Access and Control:

A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.

Evaluation:

A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Updates:

A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).

Workforce Training and Management:

A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.

Preemption (to take precedence, to come first in importance):

In general, State laws that are contrary to the HIPAA regulations are preempted by the federal requirements, which means that the federal requirements will apply.

A risk analysis process includes, but is not limited to, the following activities:

a. Evaluate the likelihood and impact of potential risks to e-PHI;
b. Implement appropriate security measures to address the risks identified in the risk analysis;
c. Document the chosen security measures and, where required, the rationale for adopting those measures; and
d. Maintain continuous, reasonable, and appropriate security protections.

When a covered entity applies the HIPAA Security Rule, it must consider:

a. Its size, complexity, and capabilities;
b. Its technical, hardware, and software infrastructure;
c. The costs of security measures; and
d. The likelihood and possible impact of potential risks to e-PHI.

The security rule specifies a series of:

administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI.

The Security Rule protects:

all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information "electronic protected health information" (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

By law, the HIPAA Privacy Rule applies only to:

covered entities - health plans, health care clearinghouses, and certain health care providers

The Security Rule, like all of the Administrative Simplification rules, applies to:

health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form.

Covered entities may disclose protected health information to an entity in its role as a business associate:

only to help the covered entity carry out its health care functions - not for the business associate's independent use or purposes, except as needed for the proper management and administration of the business associate.

Under the Security Rule, "availability" means:

that e-PHI is accessible and usable on demand by an authorized person.

Under the Security Rule, "integrity" means:

that e-PHI is not altered or destroyed in an unauthorized manner.

HHS published:

the HIPAA Privacy Rule and the HIPAA Security Rule

The Security Rule defines "confidentiality":

to mean that e-PHI is not available or disclosed to unauthorized persons.

A covered entity must maintain:

until six years after the later of the date of their creation or last effective date.
