The Health Insurance Portability and Accountability Act (HIPAA) Security Rule established a minimum standard for the security of electronic Protected Health Information (ePHI). The Security Rule requires that basic safeguards be implemented to protect ePHI from unauthorized access, alteration, deletion or transmission.

Most Covered Entities were required to comply with the Security Rule by April 20, 2005, although small health plans had an additional year to comply. The Security Rule was updated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), effective in 2010.
This Legislative Brief provides an overview of the HIPAA Security Rule’s standards and implementation specifications.

What entities are regulated by the HIPAA Security Rule?

The HIPAA Security Rule directly regulates the following Covered Entities:

The Security Rule indirectly regulates plan sponsors. Third parties that receive ePHI and qualify as Business Associates must comply with many provisions of the Security Rule. Covered Entities and Business Associates must also enter into agreements (business associate agreements) requiring the Business Associate to comply with the restrictions contained within the Security Rule.

What information is governed by the HIPAA Security Rule?

The HIPAA Security Rule governs ePHI. PHI is:

Electronic PHI is PHI that is in an electronic format. For example, this includes PHI that is stored on a CD, sent via email or stored on a computer.

PHI that is transmitted via paper-to-paper fax, person-to-person telephone call, video teleconference or voicemail message is not considered to be in electronic form and, therefore, is not governed by the HIPAA Security Rule. However, telephone voice response systems are governed by the HIPAA Security Rule because they are used as input and output devices for computers.

What is required by the HIPAA Security Rule?

The HIPAA Security Rule requires that Covered Entities do the following:
The security standards are divided into the following three categories:
A complete list of the administrative, physical and technical safeguards is included below.

Are Covered Entities required to implement all of the safeguards set forth in the HIPAA Security Rule?

The Security Rule allows Covered Entities some flexibility in determining how to implement the standards and implementation specifications, including choosing which technology they will employ to achieve the required security standards. In deciding how to implement security measures, a Covered Entity is permitted to take into account:

However, the Department of Health and Human Services (HHS) has stated that cost alone is not a justification for failing to implement a specification.

In an effort to provide Covered Entities with additional flexibility in complying with the Security Rule, the regulations set forth two categories of implementation specifications: “required” and “addressable.”

What are “required” implementation specifications?

When an implementation specification within the Security Rule is “required,” the Covered Entity must implement that specification as written. The following are examples of “required” implementation specifications:

What are “addressable” implementation specifications?

“Addressable” implementation specifications are not optional. Rather, a Covered Entity is given more flexibility in determining how it will comply with an “addressable” implementation specification. If an implementation specification is “addressable,” a Covered Entity is required to do one of the following:

In all cases, a Covered Entity should document the reasons for each of its decisions and the procedures implemented to comply with the Security Rule.

Are Covered Entities required to implement policies and procedures?

Yes. Covered Entities are required to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule’s standards and implementation specifications. These policies and procedures must be documented in written form, which may be electronic.

A Covered Entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI.

Documentation supporting its security policies must be retained for a minimum of six years from the date of its creation or the date when it was last in effect, whichever is later.

What are business associates required to do?

Organizations that use or disclose ePHI when performing services for a Covered Entity (business associates) must also comply with the provisions of the Security Rule. They are also required to sign a business associate agreement that includes an obligation to comply with the HIPAA Security Rule. As with the HIPAA Privacy Rule, a business associate should also modify its organization’s policies to comply with the HIPAA Security Rule. Each business associate’s compliance procedures will be unique, since its implementation of the security standards will depend upon how it uses and discloses ePHI.

Where should I start?

Whether you are a Covered Entity or a business associate, the first step toward compliance with the HIPAA Security Rule should be an assessment of how your organization uses and discloses ePHI. For example: “Where is ePHI stored?”, “When is it transmitted?” and “Who has access?”

Your next step should be to involve your IT department. While many may see HIPAA Security as a “health plan” issue, it will take the cooperation of your IT department to successfully implement a HIPAA Security compliance program. In addition, some organizations will likely need to seek outside assistance from an attorney or IT consultant in order to establish the policies and procedures required by the HIPAA Security Rule.

Covered Entities should periodically review their HIPAA Security compliance program and make any necessary updates to reflect, for example, the use of new technology or changes in how ePHI is used and disclosed.

Where can I get more information?

More information on federal health information privacy, including compliance with the HIPAA Security Rule, is available from HHS at: www.hhs.gov/ocr/privacy/hipaa/understanding/index.html.
Edited 9/4/2013

Material posted on this website is for informational purposes only and does not constitute a legal opinion or medical advice. Contact your legal representative or medical professional for information specific to your needs.

What are the 3 aspects of the Security Rule?

The HIPAA Security Rule requires three kinds of safeguards: administrative, physical and technical. Please visit the OCR for a full overview of security standards and required protections for e-PHI under the HIPAA Security Rule.

What is the main focus of the Security Rule?

The purpose of the Security Rule is to ensure that every covered entity has implemented safeguards to protect the confidentiality, integrity and availability of electronic protected health information.

What are the key elements of the HIPAA Security Rule?

General Rules. Covered entities must:

Ensure the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of the information;
Protect against reasonably anticipated, impermissible uses or disclosures; and

What should be the first step in the Security Rule implementation process?

The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.