HIPAA Security Rules
The flexibility and scalability of the standards
make it possible for any CE, regardless of size, to comply with the Rule.
HIPAA consists of 5 titles
1. Privacy, 2. Security, 3. Transaction code sets, 4. Unique National Provider identifiers, 5. Enforcement
Technical Safeguards: 5 standards pg. 282
1. Access Control, 2. Audit Controls, 3. Integrity, 4. Person or Entity Authentication, 5. Transmission Security
To assist CEs and BAs in implementing the Security Rule
1. Assess current security, risks, and gaps; 2. Develop an implementation plan; 3. Implement solutions; 4. Document decisions; 5. Reassess periodically
Organizational requirements: 2 standards pg. 282
1. Business associate contracts or other arrangements, 2. Group Health Plans
Physical Safeguards: 4 standards pg. 281
1. Facility Access Controls, 2. Workstation Use, 3. Workstation Security, 4. Device and Media Controls
Policies, Procedures, and Documentation: 2 standards pg. 283
1. Policies and procedures, 2. Documentation
Administrative Safeguards: 9 standards pg. 279
1. Security Management Process, 2. Assigned Security Responsibility, 3. Workforce Security, 4. Information Access Management, 5. Security Awareness and Training, 6. Security Incident Reporting, 7. Contingency Plan, 8. Evaluation, 9. Business Associate Contracts and Other Arrangements
Purpose of the HIPAA Security Rules
1. To implement appropriate security safeguards to protect electronic health information that may be at risk. 2. To protect an individual's health information while permitting appropriate access to and use of that information.
Covered healthcare providers or covered entities (CEs)
Any provider of medical or other healthcare services or supplies that transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
Integrity
Data or information that has not been altered or destroyed in an unauthorized manner.
Security Officer or Chief Security Officer
An individual in the organization responsible for overseeing privacy policies and procedures.
Healthcare clearinghouses
Public or private entities that process another entity's healthcare transactions from a standard format to another standard format, or vice versa.
The Security Rule comprises 5 general rules and a number of standards
a. General requirements, b. Flexibility of approach, c. Standards related to administrative, physical, and technical safeguards, d. Implementation specifications, e. Maintenance of security measures
The HIPAA Security Rule requires
covered entities (CEs) to ensure the integrity and confidentiality of information, to protect against any reasonably anticipated threats or risks to the security and integrity of the information, and to protect against unauthorized uses or disclosures of the information.
Confidentiality
Data or information that is not made available or disclosed to unauthorized persons or processes.
Security is
not a one-time project but an ongoing process that requires constant analysis as the business practices of the CE and BA change, technologies advance, and new systems are implemented.
Ultimately, the Security Rule seeks
to ensure that CEs implement basic safeguards to protect ePHI from unauthorized access, alteration, deletion, and transmission, while at the same time ensuring that data or information is accessible and usable on demand by authorized individuals.
The scope of the Security Rule is
to protect individually identifiable health information that is transmitted by or maintained in any form of electronic media.