_


HIPAA Security Rule


The HIPAA Security Rule identifies standards and implementation specifications that organizations must meet in order to become compliant. All organizations, except small health plans, that access, store, maintain or transmit patient-identifiable information are required by law to meet the HIPAA Security Standards by April 21, 2005. Small health plans have until 2006. Failing to comply can result in severe civil and criminal penalties.

The general requirements of the HIPAA Security Rule establish that covered entities must do the following:
  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
  4. Ensure compliance by the workforce.
Covered entities have been provided flexibility of approach. This implies:
  1. Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications.
  2. In deciding which security measures to use, a covered entity must take into account the following factors:
    1. The size, complexity, and capabilities of the covered entity.
    2. The covered entity’s technical infrastructure, hardware, and software security capabilities.
    3. The costs of security measures.
    4. The probability and criticality of potential risks to electronic protected health information.

Privacy Rule and the HIPAA Security Rule

The Privacy Rule protects all individually identifiable protected health information (PHI) maintained by the Covered Entity. It is not specific to electronic information and applies equally to written records, telephone conversations, etc. According to the Department of Health and Human Services, PHI includes data that relates to:
  • the individual’s past, present or future physical or mental health or condition or
  • the provision of health care to the individual or
  • the past, present, or future payment for the provision of health care to the individual
The Privacy Rule’s basic mandate is that organizations may only release PHI as explicitly permitted by the Privacy Rule or with the prior written consent of the individual who is the subject of the records. The Privacy Rule also contains a number of notification requirements and administrative requirements designed to ensure proper records are maintained and that individuals are aware of their rights under HIPAA.

The Security Rule covers the security of electronic protected health information (ePHI). It prescribes a number of required policies, procedures and reporting mechanisms that must be in place for all information systems that process ePHI within the Covered Entity. It also prescribes a number of required and addressable implementation specifications designed to protect the confidentiality, integrity and availability of ePHI within the enterprise. These specifications fall into five categories:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • Policies and Procedures
The key to compliance with the Security Rule lies in the language of the law: implementing “reasonable and appropriate” measures. You should carefully evaluate each of the items your risk assessment identifies as possible security actions against this principle. If you (and your attorney) feel that the measure isn’t reasonable and appropriate when viewed in light of the type of data in question, the size of the business, the potential risk and other circumstances, it’s only necessary to document that rationale.

It’s certainly true that HIPAA has caused database professionals a number of headaches while striving to come into compliance with the law. You should, however, view this as an opportunity to focus on the security of your databases. The procedural requirements of HIPAA only apply to specific PHI/ePHI data, but they’re reliable best practices for all of your data. When you’re working through the implementation exercises, ask yourself how much added effort would be required to apply the HIPAA standards to other, non-healthcare aspects of your organization.

Article source: http://www.hipaaacademy.net/consulting/hipaaSecurityRuleOverview.html
Article source: http://databases.about.com/od/security/a/hipaa.htm