Patient health data referred to as Protected Health Information (PHI) under US law is the prime responsibility of healthcare providers. Under the HIPAA (Health Insurance Portability and Accountability Act), the healthcare providers are legally bound to protect the patient data in a way that meets the guidelines set by HIPAA Privacy and Security Rules. All the covered entities (CEs) or their business associates (BAs) are bound by this and are subject to HIPAA audits conducted by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), and can be penalized if found violating any rule.
There are 4 main rules that you need to implement in order to protect the privacy and security of PHI under HIPAA law. These include:
While you need to follow the HIPAA Privacy and the Security Rule in order to comply with HIPAA, but Breach Notification Rule sets the guidelines you need to follow to provide notification following a breach of PHI. HIPAA Privacy Rules and the Security Rules would be where most of your time would be spent.
Whereas the HIPAA Privacy Rule (PR) deals with Protected Health Information (PHI), the HIPAA Security Rule (SR) consists of a set of standards that require healthcare organizations and physicians to protect the Electronic Protected Health Information (ePHI) of an individual. In simple words, this rule establishes national standards for protecting patient data that is stored or transferred electronically.
Security Rule is a subset of Privacy Rule. While PR applies to all forms of PHI, whether electronic, written, or oral, the SR covers only PHI that is in electronic form. This means that PHI in the form of a paper document would not fall under SR.
The Privacy Rule protects all “individually identifiable health information” (e.g., name, address, birth date, Social Security Number) held or transmitted by a covered entity or its business associate. This information can be in any form or media, including paper, oral or electronic. This individually identifiable data or PHI is information, including demographic data that relates to:
On the other hand, the Security Rule protects all the above mentioned information that is being stored, handled or transmitted electronically. The SR standards avoid any reasonably anticipated threats, such as a computer virus, a malware, cyber breach (for example, when someone tries to steal confidential patient information being sent over an e-mail) or any inappropriate use of information.
In order to protect the security, integrity and confidentiality of ePHI, the security rule contains the administrative, physical and technical safeguards that covered entities and their business associates must put in place. All the 3 safeguards include implementation specifications that are classified under “required” and “addressable.” Whereas required specifications must be implemented, addressable specifications must be implemented if it is appropriate or reasonable to do so. The main objective of both the specs is to help healthcare providers eliminate some of the common security gaps that could lead to cyber attacks and data loss.
Administrative safeguards address the implementation of administrative actions, policies, and procedures to detect, prevent, and correct security violations to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information. When implementing a HIPAA compliance program, the administrative components are really important. Covered entities must perform a security risk assessment annually that identifies and analyzes risks to ePHI, implement employee training, review policies and procedures, and then implement security measures to reduce the identified risks.
Administrative safeguards mainly cover 9 policies and procedures to protect ePHI, these include:
View our HIPAA Administrative Safeguards: Policies & Procedures to Protect ePHI to get more details on HIPAA Administrative Safeguards Policies and Procedures
Physical safeguards are a set of rules and guidelines that relate to limiting access to the physical area (e.g., a business office) where electronic information systems (e.g., computers) containing PHI are housed. The standards prevent ePHI to go into the wrong hands, while ensuring that authorized access is allowed.
Physical safeguards mainly cover 3 policies and procedures to protect ePHI from physical threats, these include:
View our HIPAA Physical Safeguards: Policies and Procedures to Protect from Physical Threats to get more details on HIPAA Physical Safeguards Policies and Procedures
Technical safeguards are the policy and procedures that protect ePHI and control access to it. It takes care of authentication; transmission and other issues that may arise when authorized person access ePHI via an electronic device such as computer. It governs all the technical aspects of accessing ePHI within computer systems by authorized persons (e.g., computer passwords and encryption software).
Technical safeguards mainly cover 3 policies and procedures to protect ePHI, these include:
View our HIPAA Technical Safeguards: Technologies, and Policies to Protect ePHI to get more details on HIPAA technical Safeguards Policies and Procedures.
Although security rules are very technical in nature but luckily, organizations are not required to implement these with specific technologies. HIPAA security rules addresses everything around PHI security – starting with internal periodic auditing, maintain set of effective policies and procedures and to implement safeguards and control needed under HIPAA to maintain privacy, integrity and availability of the data.